The proposed EU Data Act and the sui generis database right

This analysis was first published on Lexis®PSL on 17 May 2022. 

What does the proposal for the EU Data Act mean for the planned revision of Directive 96/9/EC (the EU Database Directive)? 

The planned revision of the EU Database Directive was foreshadowed in each of the European Commission’s 2020 Communications on ‘A European Strategy for Data’ and ‘An intellectual property action plan to support the EU’s recovery and resilience’. The stated intention was to review the EU Database Directive “to facilitate the sharing of and trading in machine generated data and data generated in the context of rolling out the IoT”.

That objective is also reflected in the EU Data Act proposal where it is described more modestly as a 'clarification' of the application of the EU Database Directive. The clarification is contained in a single Article (namely Article 35) of the EU Data Act proposal. 

How does the proposal for the EU Data Act deal with the sui generis database right applying to databases containing data obtained from or generated by the use of a connected device?

Article 35 of the EU Data Act proposal states that sui generis database right protection does not apply to databases containing data from or generated by the use of devices connected to the Internet of Things (IoT).

This provision, in conjunction with other measures in the EU Data Act proposal, is intended to augment and facilitate a user’s rights to access and use data generated by their connected devices. Typically, the manufacturers or designers of IoT devices/services have exclusive control over the data generated by them, which can result in vendor lock-in and, potentially, negative impacts on the market for those devices/services. Article 35 is one of a series of measures intended to ‘unlock’ this data so that its value can be shared and realised. 

How did the impact assessment report describe the proposal for the EU Data Act in terms of the planned review of the EU Database Directive?

The Commission’s impact assessment report describes 'a targeted review' of the EU Database Directive. This is, perhaps, unsurprising given that it was only as recently as April 2018 that it published its evaluation report of the EU Database Directive. 

The ‘target’ of the review for the purposes of the EU Data Act is 'to prevent the accidental and problematic expansion of sui generis [database right] protection to databases containing machine-generated data'. The primary driver for this approach is the uncertainty surrounding the applicability of the sui generis database right protection to databases containing data generated automatically by sensors, machines and related technologies; that uncertainty primarily stems from whether these data are ‘created’ and therefore potentially excluded from protection or ‘obtained’ and potentially within the scope of protection.

Notably, the Commission considers that the problems addressed by the EU Data Act are not market-based (eg because of dominant players in the market structure) but arise from systemic contractual imbalances which could be compounded if data holders, who enjoy de facto exclusivity over user data, could also rely on sui generis database rights. The targeted approach is therefore coherent with the broader goals of the EU Data Act, and the Commission hopes also that it will prevent an increase in transaction costs for actors in the data economy (eg by having to enter into and negotiate licences to use machine-generated data) and have a positive effect on competition by facilitating new entrants and products/services to the market.

What does this mean for the future of the EU Database right?

In its presently drafted form, Article 35 of the Data Act proposal seems likely to have a significant impact on sui generis database right protection. In particular:

• it excludes from the scope of protection any database containing machine-generated data, or in the words of Article 35 'data obtained from or generated by the use of a product or a related service'. So, for example, a database which includes a mixture of machine-generated data and other ‘obtained’ data will not be protected. 
• Article 2(2) of the EU Data Act proposal includes an expansive definition of 'product' and it therefore seems likely that Article 35 will apply to a broad range of databases.
• sui generis protection would no longer be available to someone who has made a substantial investment of human, financial or technical resources in verifying and/or presenting data in a database, simply on the basis that it ‘contains’ machine-generated data.

In short, the EU Data Act proposal is a significant incursion on the database right. If the present proposal is adopted and implemented, businesses that collate data into databases will need to revisit their operations and decide whether they wish to avoid including machine-generated data in them, which seems perverse in an increasingly connected world.  

In light of the proposal for the EU Data Act how should businesses protect their databases?

The sui generis database right has had a chequered history and its efficacy and utility has been the subject of discussion since its introduction over 25 years ago. If the EU Data Act proposal is adopted in its present form, it will make the sui generis database right less viable for many business who might otherwise seek to rely on it.

It will remain open to these businesses to continue to rely on other legal means to protect their databases to some extent such as copyright law, the law of confidential information, trade secrets and, most likely, the law of contract. These legal means accompany the technical means that businesses deploy to secure their databases, such as system level security, server firewalls, encryption and authentication measures.