Logo

The Data Daily

Data sovereignty

Data sovereignty

Who actually owns the data collected for predictive maintenance, for example? The manufacturers of the individual machine components? The machine manufacturer? The cloud provider? Or the machine operator?

Seidel: The question of data sovereignty, i.e., the authority to dispose of data, and data ownership in networked production has not been clearly regulated by legislators. Instead, different scenarios are possible. This makes it necessary to clarify the legal situation according to the individual case. It is therefore all the more important for companies to deal in detail with this non-trivial challenge.

Could you be more specific?

Seidel: A practical example can demonstrate the complexity of ownership and usage rights of data. In this example, production data from factory machines is collected in the cloud of an external provider. Based on an in-depth analysis of the data, the cloud service provider offers optimization of production as a digital service. Such a smart service provides the operator of the machine early warning of necessary maintenance work or occurring inefficiencies, for example. In the case outlined, the operator of the machine, i.e., the producing company, is the owner of the data and the cloud service provider is only responsible for its processing. Of course, the information gathered and the results of the analysis are also of great interest to the manufacturer of the machines. However, the manufacturer of the machine does not automatically have access to the data even if it could improve the performance of his machines in the future by using the data and the results would benefit all customers equally. The example shows how difficult it is to make the use of the “raw material data” legally accessible to individual participants with legitimate interests, contrary to material means of production that are usually purchased and then consumed by use.

How can ownership be regulated clearly?

Seidel: To eliminate legal ambiguities in terms of ownership and rights of use, there are two options: either you create a clear legal framework, or the conditions are individually regulated by means of contracts.

And what makes sense? Legal regulations or individual contracts?

Seidel: Which method is preferable is a controversial topic. Industry representatives tend to be negative about legal regulation and prefer individual contracts. These often create advantages for economically strong contractual partners, such as large enterprises, so that they tend to get data more easily and inexpensively with contractual agreements.

Seidel: Users as data providers could—unlike large companies—benefit more from a uniform legal framework. Until now, the user of a digital service often only has the option of generally agreeing to the use of his data, or he cannot use the corresponding service at all. This raises the question of whether, for example, free use of a service in return for data transfer is appropriate or whether other services should be provided. Those who transfer their data should receive material consideration. The definition of value compensation, i.e., which value is really appropriate, requires fundamental clarification.

What solutions do you see for the problem?

Seidel: The introduction of an ancillary copyright law, which uniformly regulates the issue of data sovereignty, would provide clarity for all participants in such cases. Uniform standards would also be created through the use of standard contracts that could be used by companies and users. This would be an advantage, especially for small and medium-sized enterprises, since time and costs are saved with ready-made model contracts. Such model contracts would provide clarity and make the use of data even more attractive.

What special features arise when personal data are used?

Seidel: The legal situation is different for personal data. The processing of this information is governed by the General Data Protection Regulation (GDPR). Personal data refer to all information that relates to an identified or identifiable individual. In the case of personal data, the data subject decides on their use, for example, if conclusions about the work of an employee can be drawn from machine data. In such cases, the latter must give his explicit consent to the use of these data in order for an evaluation to be permitted.

What does that mean?

Seidel: For smart services based on the integration of personal data, the question arises as to how these services can be offered without violating the fundamental right to informational self-determination or the GDPR. These cases must be clarified individually in each case, ideally by involving a data protection officer in the company. For example, one possible solution is the anonymization of the data, so that it is no longer possible to identify individuals. Another protection mechanism is the clear specification of when and to what extent data are to be deleted.

Images Powered by Shutterstock