The proposal for the EU Data Act (“Data Act“) has been on the table since 23 February 2022 and is part of the European Commission’s European data strategy. With its strategy, the European Commission aims to boost digitization and give both stakeholders and businesses new opportunities regarding data.
The Data Act makes it easier for companies and consumers to access and use data. It also provides rules on data portability: the right to transfer data (or have it transferred). This comes into play, for example, when a consumer wants to transfer data from one service to another.
Instead, the Dutch Databases Act (Databankenwet) grants the creator of a database an exclusive right to collected and structured data. This idea of protecting data runs counter to the idea of free and accessible data exchange. How the Data Act affects database law, we will discuss in this blog. The Data Act aims to regulate all types of data, i.e. both personal and non-personal data, without prejudice to the General Data Protection Regulation (GDPR).
Earlier, we wrote about what the Data Act will mean for Internet of Things products and services and for cloud services here and about unfair terms regarding inter-company data access and use here.
Revision Database directive
The Dutch Databases Act stems from the Database Directive and grants an exclusive right to the maker who has substantially invested in obtaining, controlling and/or presenting the contents of a database. In 2017, the European Commission conducted a public consultation to examine how the Database Directive is applied in practice and its impact on database users and creators. The report found that database law is still seen as ‘vague’ and ‘too broad’, and that the exceptions to database law are actually ‘too narrow’, putting legal certainty at risk.
The European Commission announced in 2020 in its Data Strategy and Intellectual Property Action Plan that the Data Act would include a revision of the Database Directive. The European Commission believed that while the Database Directive adds value, it should be revised to facilitate the use of data. The exclusivity of data – as a non-competitive good – is considered a barrier to innovation, the European Commission said.
Database law and the public interest or exceptional situations
Meanwhile, the proposal for the Data Act has been published and the provisions relating to database law are limited to one section, namely Article 35 Data Act, and two recitals (63 and 84).
Recital 63 deals with the database right to datasets requested by government or EU bodies in the public interest or other exceptional situations. One of the objectives of the Data Act is to provide for the use by public authorities and EU institutions, agencies or bodies of data held by companies. This only applies in certain situations where there is an exceptional need to use the data. Recital 63 shows that if sui generis database rights apply to datasets requested by public authorities, EU institutions, agencies or bodies in the public interest or other exceptional situations, those bodies should not be prevented from obtaining or sharing the data in accordance with the Data Act. If there is a public health emergency, major environmental or natural disasters, including those exacerbated by climate change, and man-made major disasters, such as major cyber incidents, the public interest arising from the use of the data will outweigh the interest of data holders to freely dispose of their data. Then data holders will be obliged to make the data available and will not be able to invoke their database right.
Database right and data obtained from IoT products
Recital 84 and Article 35 deal with the database right on a database when it contains data generated by Internet of Things (IoT) products. Data generated by IoT products can include data generated by a mobile tracker for a transport company on the condition of chemicals, but also data on, for example, diseases and insect presence in agriculture, generated by a drone flying around over a field. Recital 84 and Article 35 provide that databases containing data obtained from IoT products are (in certain cases) not covered by the protection of the database right:
“The sui generis right referred to in Article 7 of Directive 96/9/EC shall not apply to databases containing data obtained from or generated by the use of a product or a related service, so as not to impede the exercise of the right of users to access and use such data under Article 4 of this Regulation or the right to share such data with third parties under Article 5 of this Regulation. ”
It is unclear whether Article 35 Data Act excludes all databases containing any machine-generated data from protection under database law or whether it refers to databases consisting only of machine-generated data. In addition, Article 35 Data Act could also be read to limit protection only to the extent that database law interferes with users’ rights under Article 4 or Article 5 of the Data Act.
More context on this is shown in recital 84:
“To eliminate the risk that holders of data in databases obtained or generated by means of physical components, such as sensors, of a connected product and a related service claim the sui generis right under Article 7 of Directive 96/9/EC when such databases do not qualify for the sui generis right and thereby hinder the effective exercise of users’ rights to access and use data and to share data with third parties under this Regulation, this Regulation should clarify that the sui generis right does not apply to such databases since the requirements for protection would not be met.”
From recital 84, it seems that the issue is not so much that the database contains machine-generated data, but rather that it is databases that are themselves obtained or generated by a machine, or in other words consist only of machine-generated data. On this, the last sentence mentions that sui generis law does not apply, as the requirements for protection would not be met. Viewed in this context, Article 35 only seems to confirm that a database consisting (only) of machine-generated data will not meet the test under the Database Directive. However, Article 35 Data Act still leaves room for discussion.
Data strategy and database right
The Data Governance Act and the Open Data Act also exclude database right. There it is stipulated that the database right may not be exercised by public bodies to prevent the re-use of data and limit re-use beyond the limits set by these regulations. In the Netherlands, the Midden-Nederland District Court already ruled in line with these provisions in 2021, when it ruled that the Chamber of Commerce (Kamer van Koophandel) did not have a database right on the Trade Register because there was no economic motive and the Chamber of Commerce is performing a statutory task. Indeed, the Chamber of Commerce (1) did not bear the financial risk of the investments in the Trade Register, as it is clear from the law that the central government covers its costs and (2) did not need an incentive to make the investments, as it already has that incentive because of the statutory task assigned to it.
In conclusion
A database owner’s database right will be limited with the advent of the Data Act to the extent that a public or EU institution requests data in the public interest or other exceptional situations. Also, the Data Governance Act and the Open Data Act confirm that public bodies cannot invoke the database right.
Whether in practical terms a new limitation will also apply to the protection of machine-generated data is not entirely clear, as Article 35 Data Act leaves much room for discussion. In the context of recital 84, it seems that the main purpose of Article 35 Data Act is to confirm that machine-generated data will not pass the test for protection. Whether that is actually what Article 35 Data Act is intended to do, and whether such data could indeed never be protected, remains to be seen. For now, the so-called ‘revision’ of database law in the Data Act does not yet contribute to a much clearer picture of when database law now applies.
All in all, it does not make the position of (private) database holders any clearer. The question is whether, even if there are clear arguments behind it, this does not erode the original intention of the Database Directive to promote investment in databases and thus necessary investments.
