Filling the gap – Data Compliance as a new legal concept
By Dr. Markus Häuser and Dr. Michael Dorner
The digital transformation drives a fundamental structural transition that currently brings enormous disruptions to Europe’s economies and companies. Whereas in the year 2000 only a quarter of the data available was digitized, today more than 98% of all existing data is stored digitally. New data, connectivity, automation and digital customer interfaces are about to replace existing value chains and are confronting the ‘old business’ with huge challenges. At the same time, connected, more efficient production and new business models are bringing tremendous opportunities that have already been recognized on a political level: with its Digital Single Market Strategy, the European Commission introduced a plan to open up digital opportunities for people and businesses. According to current estimates, this could contribute 415 billion euros per year to Europe’s economy.
Lack of awareness of the general legal prerequisites of the data business
In terms of strategy, it seems that politics is ahead of the vast majority of the individual players in the digital single market. Most companies are well aware of the common notion that data is the new ‘oil’ or new ‘gold’ of the digital age, and either have high hopes that they will benefit from the digital transformation or are afraid that they will miss the boat. Nevertheless, many companies do not transfer the general prerequisites applicable to the former “oil or gold business” to their digital business, at least not yet. In essence, this would require a process to determine how new (data) sources can be tapped and how (data) mining and exploitation rights can be secured.
Digital challenges in the form of inherent legal and economic risks
Unlike mining rights for oil, neither access to data nor its collection and processing are subject to legal permission or entitlement by a public authority. Instead, there is an inherent risk that such activities violate applicable law, such as privacy laws, trade secrets laws or the recently introduced penal law offence of receiving stolen data (“Datenhehlerei”) – always depending on the individual case, and in particular on the source of the raw data and the circumstances surrounding its collection. In a worst-case scenario, a company could be forced to delete all of the data it previously collected or purchased at a high price, and the company’s management could be subject to monetary fines or imprisonment.
In addition to such risks concerning data access, companies must accept that the common legal tool-set generally fails to provide adequate protection mechanisms for their new key assets. Unlike a company’s traditional raw materials, inventions and commodities, data itself is not protected by exclusive property rights. In particular, existing intellectual property rights cannot be considered a reliable source of protection. Patent law and copyright law (including the protection of software) do not protect information or ideas as such, but only the application or expression of those ideas. In the absence of specific protection measures, companies are at risk of losing the data’s marketability and the investments already made in collecting and processing the data.
Data Compliance as a turnkey solution for identifying and addressing legal risks
Management often has only a blurred awareness of the aforementioned legal risks to which their data business is exposed. The reasons for this are obvious: potentially valuable data is typically spread across the whole enterprise, and profound knowledge of various areas of law is required to identify the associated legal risks. In a nutshell, the complex and interdisciplinary field of law applicable to collecting, processing and exploiting data can best be described as data compliance, and we would like to introduce the term “Data Compliance” as a new legal category comprising all aspects of data-related legal compliance that form an integral part of a company’s data strategy.
Data Compliance is often neglected, even in companies that implement a dedicated data strategy. However, experience shows that a professional Data Compliance concept effectively mitigates existing legal risks. Even if Data Compliance concepts necessarily must be tailor-made, depending on the company’s business and internal structures, it is possible to identify several key elements of a cohesive data strategy and Data Compliance approach.
Data strategy and Data Compliance: two sides of one coin
In order to adequately safeguard their digital key assets, companies must implement comprehensive organizational and legal measures. A best practice approach always includes two main elements. First, each company has to develop its individual corporate-wide data strategy, which consists of a business-oriented governance framework. The governance framework is shaped by a set of data-centric principles, guidelines and processes. From a commercial and technological perspective, it serves to identify the types of data that can be considered (potential) strategic assets. Depending on the types of data identified in this way, the governance framework’s architects then develop customized roadmaps of company-internal, data-related rules and activities. These address the issues of data responsibility, data accountability and the monitoring of data-related processes.
Data compliance will indeed determine the company’s entire data strategy, as it serves to identify the legal boundaries and risks associated with the planned course of data-related action. The process of identifying legal risks and corresponding safeguards cannot be limited to a separate due diligence, but must form an integral part of each data strategy. Data compliance plays a decisive role throughout the whole data-lifecycle. The typical data-lifecycle can be described by an input-process-output model. It starts with the collection of data from external sources and/or its generation by internal processes (input), passes into the processing of data (process) and ends with the storage, use and/or transfer of data (output).
Need for various Data Compliance activities
The data-related activities of each phase are subject to specific legal constraints and risks that must be addressed by carefully selected mitigation measures. The input and the processing phase must be closely linked to an upstream data clearing process. In particular, the generation, collection and/or use of data will only be compliant if the company ensures that the aforementioned activities do not violate applicable statutory laws or contractual constraints. For example, companies must clarify whether the collection of personal data is in line with applicable data privacy laws, whether the extraction of data from a database violates the rights of the producer of the database, or whether the automatic collection of data for predictive maintenance violates the customer’s trade secret protection.
To avoid a situation in which data cannot be collected or generated because of a violation of the aforementioned legal requirements, with the associated fines and damage claims, companies have to assess whether the necessary contractual safeguards have been put in place, such as obtaining the consent of the data subject or the customer. Companies should also consider whether the planned output phase activities comply with statutory law or contractual provisions. Moreover, if the data will be traded, companies have to provide for contractual safeguards to protect their data. Otherwise, statutory property rights will not help to protect against any potential excessive use or misuse of the data by third parties.
Finally, in each phase of the data-lifecycle companies need to protect their key assets against unintended disclosure or betrayal by employees and against external espionage and cyber-attacks. Since intellectual property rights will often not protect the compromised data, trade secrets protection will be the company’s last resort. In the future, this source of protection will generally be strengthened by the EU directive on the protection of undisclosed know-how and confidential business information (COM 813 [final]), aimed at standardizing the protection of trade secrets throughout the EU for the first time. However, in order to rely on this source of protection, companies are again forced to take precautionary measures. According to the directive, it will only be possible to rely successfully on legal protection of confidential information if it can be demonstrated and proven that the information in question has been “subject to reasonable steps under the circumstances […] to keep it secret”. Similarly, German penal law provisions against cyber-attacks require that special measures have been implemented to protect against unauthorized access. This means that – in addition to the general information and IT-security compliance requirements – companies must take specific organizational, technical and legal measures in order to ensure the protection of their (secret) data.
Core responsibilities of every company’s management
Actions for data strategy and Data Compliance are worth the effort. Data is the key driver of the digital transformation and deserves the companies’ utmost attention, especially from a legal perspective. To date, the everyday business processes of German companies do not adequately reflect the importance and characteristics of data as their key asset. Only very few of them have an effective data strategy in place, and even fewer seem to care about Data Compliance. However, it would be shortsighted to assume that the legal implications of the greatest transformation in business of the last several decades, regarded by some as the fourth industrial revolution, can be ignored. Data strategy and Data Compliance are part of the core responsibilities of each company’s management.