Our digital economy has become more and more data driven. Databases today are increasingly generated and verified with the means of machines, sensors and other new technologies, for example Artificial Intelligence or the Internet of Things ("IoT"). In order to secure the competitiveness of digital sectors and markets there are legislative initiatives on a European level to guarantee the free-flow of data, such as the Data Act Proposal of the European Commission of 23 February 2022. This is a difficult task because of the existing legal framework in relation to the protection of certain types of data contained in databases, specifically under the so-called "sui generis right" of the maker of the database.
A delicate balance is necessary between the makers of databases who made a substantial investment in generating and obtaining data, and the free access and use of data by third parties in the digital economy. For example, in order to carry out its services a car maintenance company needs to be able to access the database that contains data generated by sensors in a car. In this article, we will guide you through the current and proposed future legal framework to provide an answer as to what types of data contained in modern databases fall under the protection of the sui-generis right and which types of data should be excluded from protection, favoring the free-flow of data in the digital economy.
The existing legal framework: The Database Directive
The sui generis right introduced in the Database Directive in 1996 gives the maker of a database who made a substantial investment in the obtaining, verification or presentation of the data contained in its database, a right to protect it against extraction or re-use of that data by third parties. As mentioned above, this legal framework is increasingly difficult to reconcile with modern databases consisting of big data, IoT data and machine-generated data.
More specifically, it is not clear whether these data are protectable under the sui generis database right. In its settled case-law the Court of Justice of the European Union ("CJEU")1 decided that only when the maker of database has made a substantial investment in the obtaining, not in the creation of data, he will qualify to enjoy the protection of the sui generis right.
The question arose whether a database containing machine-generated data could be protected under the sui generis right, as it could be argued that the data included in such databases is "created" instead of "obtained". The general consensus seems to be that machine-generated data falls outside the scope of protection under the sui-generis right because the data included is created, and not obtained.
The proposed future legal framework: the Data Act Proposal
The Data Act Proposal of 23 February 2022, which aims to stimulate the free-flow of data, seems to confirm the exclusion of IoT data from protection under the sui-generis right. Article 35 of the Data Act Proposal expressly states that, in order not to hinder the exercise of the right of users to access and use such data or of the right to share such data with third parties, the sui generis right does not apply to "databases containing data obtained from or generated by the use of a product or a related service".
Recital 84 of the Data Act Proposal further clarifies that the requirements of protection under the sui generis right are not fulfilled for "data in databases obtained or generated by means of physical components, such as sensors, of a connected product and a related service". This is in line with the above mentioned case-law of the CJEU. In that regard, the Data Act Proposal should be seen as a confirmation and clarification of the existing legal framework rather than as a new legal framework.
It is however still unclear whether Article 35 of the Data Act Proposal excludes machine-generated data in general, or only IoT data, which in our opinion is a more limited category. In its Opinion of 26 January 2023 the Committee of Legal Affairs of the European Parliament seems to broaden the category of excluded data to machine-generated data. In its proposed amendment of Recital 84, the Committee of Legal Affairs brings clarity by expressly adding the words "namely machine-generated data". According to the Committee of Legal Affairs, databases containing data which is machine-generated are excluded from protection under the sui generis right.
Conclusions
The Data Act Proposal of the European Commission seems to exclude databases containing IoT data from protection under the sui generis right. According to the Committee of Legal Affairs Article 35 of the Data Act Proposal not only excludes IoT data, but machine-generated data in general from protection under the sui generis right. As there already was a general consensus that these types of data do not fulfill the requirements for protection under the existing legal framework, the provisions in the Data Act Proposal should be seen as a clarification of the existing legal framework rather than as a new legal framework.
In our opinion, the wording of Article 35 still lacks clarity. A solution could be to add the words "machine-generated data" in Article 35 directly, and not just in the recitals, as suggested by the Committee of Legal Affairs. We are very curious to see what changes the European Parliament will adopt in the final version before the Data Act enters into force.
The GEVERS AI team will be happy to assist with any questions you may have, including questions concerning the protection of modern databases containing big data under the sui generis right.
Footnote
1. See for example CJEU 9 November 2004, C-203/02, British Horseracing Board; CJEU 9 November 2004, C-338/02, Fixtures Marketing.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
