Author: Maryna Manteghi,
PhD researcher, University of Turku, Finland.
Photo credit: rjcastillo,
via Wikimedia
commons
Introduction
The new EU Data Act Regulation,
which constitutes one of the essential elements of the European strategy for
data, entered into force on 11 January 2024 and will become
applicable in September 2025. The Regulation aims to remove barriers to
data access for consumers and businesses to ensure an optimal and fair data
allocation in society. The Data Act focuses
on facilitating access to and use of large amounts of digital data,
especially collected/generated by sensors and machines in the Internet of
Things (IoT) environment. To unlock the data held and controlled by a few
actors, the Regulation reviews inter alia the relevance of the Database
Directive in the data-driven society without expressly amending the Directive.
In particular, Article 43 of the
Data Act provides that the sui generis protection granted to the maker of a
database, who has made a substantial investment in either the obtaining,
verification or presentation of the contents of the database (Article 7 (1) of
the Database Directive) “shall not apply when data is obtained from or
generated by a connected product or related service”. The Data Act defines a
“connected product” as “an item that obtains, generates or collects data
concerning its use or environment and that is able to communicate product data
via an electronic communications service, physical connection or on-device
access, and whose primary function is not the storing, processing or
transmission of data” (Article 2 (5) of the Data Act) and a “related service”
as a “digital service, other than an electronic communications service,
including software, which is connected with the product at the time of the
purchase, rent or lease in such a way that its absence would prevent the
connected product from performing one or more of its functions” (Article 2 (6)
of the Data Act).
Article 43 of the Data Act (see
also Recital 112) excludes databases containing machine-generated data from
protection under the sui generis regime to safeguard the rights of users to
access, use and share such data (Articles 4 and 5 of the Data Act). Even though
the provision could harness excessive IP protection over particular types of
databases, some aspects could require further clarification to ensure fair
access and use of data in the digital age (see Manteghi).
The Potential Limitations of
Article 43 of the Data Act in the Context of Scientific Research
When looking at Article 43 of the
Data Act from the perspective of research, some concerns may be raised. The
exclusion of databases made of machine-generated data from the sui generis protection
in Article 43 of the Data Act would not automatically guarantee researchers the
right to access and use such databases. Database holders could block or
restrict access to their databases through contractual agreements or the
application of technological protection measures (TPMs) (e.g., password, robots.txt
file etc). Even though Recital 5 in the preamble indicates that the Regulation aims
to prevent “the exploitation of contractual imbalances that hinder fair access
to and use of data”, the provision refers only to third parties’ rights and
data sharing agreements leaving the relevance of these limitations to the sui
generis database right unclear. Another concern relates to the use of mixed
databases consisting of data falling within the scope of the Data Act and
so-called derived or inferred data excluded from the scope of the Regulation (see
Recital 15 of the Data Act preamble).
For instance, researchers doing
research on databases containing data collected by e.g., health monitoring
devices would be required to obtain authorisation to access and use databases
containing information derived from collected data (e.g., statistical data)
through licensing or other lawful means. Put simply, the latter type of
databases could be covered by the sui generis protection, thereby researchers
would need to obtain authorization from database holders if the research
requires (permanent or temporary) copying of the whole or of a substantial part
of the contents of that database (see Article 7 (1) of the Database Directive).
However, researchers may find it challenging to determine which data is covered
by the Regulation and which is not. The exclusion of derived or inferred data
from the scope of Article 43 is not well-grounded as such data could satisfy
the requirements needed to qualify as machine-generated data within the meaning
of Recital 15 of the Data Act preamble. In particular, the provision requires
that such data should “represent the digitalization of user actions and events”
and be “valuable to the user and support innovation and the development of
digital and other services protecting the environment, health and the circular
economy”.
Another issue is that the
Regulation aims to facilitate the accessibility of machine-generated data by
users, trade and business persons and, where there is an exceptional need to
access such data, by public sector bodies without a particular focus on scientific
research (Article 1 of the Data Act). In this sense, researchers could benefit
from the provisions allowing users to share machine-generated data with third
parties (Article 5 of the Data Act) as “third party” also covers research
organizations or not-for-profit organizations (Recital 33 of the Data Act). Moreover,
researchers may rely on Article 14 of the Data Act which obliges data holders,
in cases of exceptional need, to make machine-generated data available to
public sector bodies as research organisations could also be organised as
public sector bodies (see Recital 63 of the Data Act preamble).
Research organizations are
allowed to share such data with “individuals or organizations in view of
carrying out scientific research” (Article 21 (1) (a)) providing that such
actors “act either on a not-for-profit basis or in the context of a
public-interest mission recognized by the State” (Article 21 (2) and Recital 76
of the Data Act preamble). In this sense, for instance, independent individual
researchers or private research institutions, conducting research in the
framework of public-private partnerships, could not secure even indirect access
to databases made of machine-generated data as it is in practice, difficult to
distinguish between commercial and non-commercial activities within these
collaborations (see Manteghi
pp. 38, 43).
Concluding Remarks
To sum up, Article 43 of the Data
Act could be refined so that it would be clear that the provision cannot be
overridden by a contract or TPMs at the expense of users’ rights to ensure
better access and utilisation of machine-generated data. Moreover, to ensure
efficient and broad access to and use of machine-generated raw data collections
for research purposes it is necessary to explicitly address the needs of
researchers by including them among beneficiaries of the provision. Further, the
inclusion of so-called derived or inferred data in the scope of the Data Act
would enhance data availability and its integrity for research purposes. The
suggested remedies, if adopted, could ensure a research-friendly regime and
thus strengthen the research power of the EU at a global level.
