Case Studies
Case Study 1: Sale of Gaming Data
The Case
Business S supplies an online video game and holds a broad range of personal data from users playing that game, much of which is protected under data privacy regimes such as the California Consumer Privacy Act (CCPA) or the General Data Protection Regulation (GDPR). S ‘sells’ the data of 20,000 users to data analytics business B, which, let us assume, is in conformity with the relevant data privacy regimes (because those users have given consent or failed to click the ‘Do not sell my data’ button). Shortly after the data was transferred to B, 5,000 users from the EU withdraw their consent to the processing of the data. As a reaction, B demands a return of 25% of the price paid to S, arguing that B was unaware of users having a right to withdraw their consent, and that B did not receive what it paid for under the contract. The agreement between S and B is silent on this matter.
Comment
The purpose of the Principles for a Data Economy – Data Rights and Transactions – (‘The Principles’) is to facilitate the further development of the law by the courts and the legislators worldwide and the review of existing law and soft law instruments by, in particular, legislative bodies, standardization agencies, or bodies developing codes of conduct. They are also designed to be applied to the extent that the parties to a transaction have incorporated them into their contract or have designated them to complement the law which governs their contract.
The Principles do not seek to restate or revise existing rules in specific areas of the law such as copyright or other intellectual property law or data privacy/data protection and trade secret law. Rather, the Principles take the rules of these areas of the law as more or less given. Therefore, the Principles do not deal with questions such as whether the users’ data in Case 1 may be processed without the users’ consent and whether that consent may be withdrawn at any time, or whether the users have a right to object to the sale by clicking a button stating ‘Do not sell my data’ or the like, or whether they should have no rights at all of that kind. Rather, user rights under data privacy/data protection law are left to the applicable rules, considering also the territorial scope of those rules. The Principles do, however, address the effect of data privacy/data protection regimes, and of rights exercised under such regimes, on the rights of parties to a data transaction such as the transaction between S and B.
If S and B have incorporated the Principles into their contract or have designated them to complement the law which governs their contract (or they have become applicable by judicial or legislative action), the Principles apply to the extent that they are not inconsistent with mandatory rules of applicable law. Importantly, since all contracts are inevitably incomplete, the Principles set out default terms for data transactions, addressing eight different types of transactions. These default terms are included in the contract when the parties have not agreed with respect to those issues. Even if the parties have not incorporated the Principles into their contract, the solutions suggested therein could be considered reasonable and fair by a court which must deal with an incomplete agreement and has to find appropriate ‘gap fillers’.
The contract addressed in Case Study 1 is a ‘contract for the transfer of data’ under the Principles. Among the default terms included in this contract for the transfer of data under the Principles is that S must provide to B information about all legal requirements with respect to control or use of the data, other than those applying to the control and use of data generally, of which the supplier has notice. So whether S would have had to inform B about the application of the GDPR would depend on the facts of the case. If B was based in the EU this would definitely not be the case as the GDPR would apply to data generally, but if both parties were based in the US and it is not self-evident that the GDPR applies with regard to some user data, S would be required to inform B about this fact. (In any case, where users withdraw their consent vis-à-vis S, this fact must immediately be communicated to B, which is a duty S owes both to users and to B.)
As to the further question as to the effects of the European users withdrawing consent on the transaction between S and B, the Principles state, as a default term, that S must enable B rightfully to exercise control over the data at the time it is supplied. However, if, after the data has been supplied, the recipient’s control of the data becomes wrongful (e.g. under an applicable regime of data privacy/data protection law) this does, according to the Principles, not of itself give rise to a claim by the recipient against the supplier.
Case Study 2
The Case
Business T produces tires that are supplied to car manufacturer C and mounted on cars that are ultimately to be sold to end users such as E. Data concerning the tires are generated in the course of mounting of the tires by C (eg the robot mounting the tires tests the properties of the rubber) and in the course of E driving the car (eg the car sensors collect data on how well tires adapt to weather conditions and road surfaces and how quickly the tires’ treads wear off). All of this data is sent to and stored on cloud servers controlled by D under a contract with C.
Access to that data would enable T to improve tire performance. Accordingly, T seeks access to the data concerning its tires. C and D decline to grant such access because D is considering developing smart services utilizing the data and does not want anyone else to develop the same services, and C considers producing tires itself at some point in the future and wants to have a competitive edge over T.
Comment
Rights with regard to data (‘data rights’) which one party may have against another party and which are connected, in one way or another, with the nature of data and its generation may follow from different sources. They may, in particular, include the right to be provided access to data or port data, or require the controller to desist from control or processing of data, or have data corrected, or – rather exceptionally – receive an economic share in profits derived from the use of data. Data rights formulated by the Principles arise from considerations of fairness; accordingly, the way they are incorporated in existing legal frameworks under applicable law and the extent to which they may be waived or varied by agreement should be determined by the role such considerations of fairness play in the applicable legal system.
The most important data rights addressed by the Principles are rights in ‘co-generated data’, ie they find their justification in the share which a party had in the generation of the data that is at stake: A party can have a share in the generation of data by being the object of the information coded in the data, or by being the owner of that object, or by otherwise providing a contribution to data generation. The concept of ‘co-generated data’ was developed, and the term coined, by the Reporters. It has meanwhile gained widespread recognition and has been adopted, inter alia, by the German Data Ethics Commission (a body advising the German Government) and more recently by the European Commission in its European strategy for data, COM(2020) 66 final.
In the scenario in Case 2, the data concerning the tires is considered to have been co-generated by T (together with C and E and possibly other parties), albeit to a lesser extent than by C or E. The share that a party relying on a data right had in the generation of the data is, however, rarely the only justification for granting such a right. Rather, the Principles identify five factors to be considered when deciding about whether to grant a data right. Apart from the share the party had in the generation of the data, these factors are: the weight of grounds put forward by the party relying on the data right; the weight of any legitimate interests the controller or a third party may have in denying the data right; any imbalance of bargaining power; and any public interest (including the interest to ensure fair and effective competition).
Quality monitoring or improvement by a supplier in a value chain is one of the standard grounds for claiming access to or porting of co-generated data, when monitoring and improvement is in line with duties of that supplier within the value chain and the controller of the data can be expected to have foreseen and accepted this role. There is thus a strong legitimate ground for T to request access to the data relating to the tires, but legitimate interests of the controller or third parties (such as E) are equally a factor to be taken into account, as are the relative bargaining powers and public interests. This could mean in the individual case that a data right vis-à-vis D is afforded only with appropriate restrictions such as anonymization or, depending on the circumstances, access via a trusted third party.
The extent to which these considerations will result in the affording of such a data right, though, will also depend on the extent and nature of the applicable legal system’s incorporation of notions of fairness in determining contractual obligations.
Case Study 3
The Case
Farm corporation F buys a ‘smart’ tractor which has been manufactured by manufacturer M and which provides various precision farming services, including weather forecasts, soil analyses and targeted recommendations concerning the use of particular fertilizers and insecticides. M also uses the soil and weather data collected by the tractor to create a database that could be sold to potential buyers of farmland, providing extensive details about the land in order to enable them to make a more-informed choice on the price they would be willing to pay for farmland. When F learns about this database, F immediately requests M to stop using F’s data for this purpose.
Comment
Among the data rights dealt with by the Principles is the right to require a controller of co-generated data, such as M, to desist from particular data uses. Without any doubt, F has had a huge share in the generation of the data collected by M, so F might have a right to require that M refrain from using the data relating to F’s farmland in such a way.
Grounds that may give rise to a party’s right to require that the controller desist from using co-generated data in a particular way include the fact that the use is likely to cause significant harm to that party. However, that alone is normally not sufficient, and further elements are required. For instance, the party must have contributed to the generation of the data for another purpose that is inconsistent with the contested use, and that party could not reasonably have been expected to contribute to the generation of the data if it had foreseen the harm to it that would result. Also, the controller must have notice of these facts.
The situation in the Case Study could cause significant harm to F because potential buyers might have better information about the soil quality than F itself, so using F’s data for this purpose could harm F’s interests in the event of future negotiations about F’s land. F has contributed to the generation of the data for an entirely different purpose (ie in order to benefit from precision farming services), disclosing the data to buyers of land is entirely inconsistent with that purpose, and it is highly likely that F would not have agreed to produce the data if F had known about how T would make use of the data.
However, desistance from data use is to be afforded only with appropriate restrictions, or not at all, to the extent that affording the right would be incompatible with the rights of others, or with public interests. Again, the right is to be afforded with specifications and against remuneration as is fair and reasonable in the circumstances.