Article 43 of the EU Data Act from a Research Perspective

 

    

Author: Maryna Manteghi, PhD researcher, University of Turku, Finland.

 

Photo credit: rjcastillo, via Wikimedia commons

 

Introduction

 

The new EU Data Act Regulation, which constitutes one of the essential elements of the European strategy for data, entered into force on 11 January 2024 and will become applicable in September 2025. The Regulation aims to remove barriers to data access for consumers and businesses to ensure an optimal and fair data allocation in society. The Data Act focuses on facilitating access to and use of large amounts of digital data, especially collected/generated by sensors and machines in the Internet of Things (IoT) environment. To unlock the data held and controlled by a few actors, the Regulation reviews inter alia the relevance of the Database Directive in the data-driven society without expressly amending the Directive.

 

In particular, Article 43 of the Data Act provides that the sui generis protection granted to the maker of a database, who has made a substantial investment in either the obtaining, verification or presentation of the contents of the database (Article 7 (1) of the Database Directive) “shall not apply when data is obtained from or generated by a connected product or related service”. The Data Act defines a “connected product” as “an item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and whose primary function is not the storing, processing or transmission of data” (Article 2 (5) of the Data Act) and a “related service” as a “digital service, other than an electronic communications service, including software, which is connected with the product at the time of the purchase, rent or lease in such a way that its absence would prevent the connected product from performing one or more of its functions” (Article 2 (6) of the Data Act).

 

Article 43 of the Data Act (see also Recital 112) excludes databases containing machine-generated data from protection under the sui generis regime to safeguard the rights of users to access, use and share such data (Articles 4 and 5 of the Data Act). Even though the provision could harness excessive IP protection over particular types of databases, some aspects could require further clarification to ensure fair access and use of data in the digital age (see Manteghi).

 

The Potential Limitations of Article 43 of the Data Act in the Context of Scientific Research

 

When looking at Article 43 of the Data Act from the perspective of research, some concerns may be raised. The exclusion of databases made of machine-generated data from the sui generis protection in Article 43 of the Data Act would not automatically guarantee researchers the right to access and use such databases. Database holders could block or restrict access to their databases through contractual agreements or the application of technological protection measures (TPMs) (e.g., password, robots.txt file etc). Even though Recital 5 in the preamble indicates that the Regulation aims to prevent “the exploitation of contractual imbalances that hinder fair access to and use of data”, the provision refers only to third parties’ rights and data sharing agreements leaving the relevance of these limitations to the sui generis database right unclear. Another concern relates to the use of mixed databases consisting of data falling within the scope of the Data Act and so-called derived or inferred data excluded from the scope of the Regulation (see Recital 15 of the Data Act preamble).

 

For instance, researchers doing research on databases containing data collected by e.g., health monitoring devices would be required to obtain authorisation to access and use databases containing information derived from collected data (e.g., statistical data) through licensing or other lawful means. Put simply, the latter type of databases could be covered by the sui generis protection, thereby researchers would need to obtain authorization from database holders if the research requires (permanent or temporary) copying of the whole or of a substantial part of the contents of that database (see Article 7 (1) of the Database Directive). However, researchers may find it challenging to determine which data is covered by the Regulation and which is not. The exclusion of derived or inferred data from the scope of Article 43 is not well-grounded as such data could satisfy the requirements needed to qualify as machine-generated data within the meaning of Recital 15 of the Data Act preamble. In particular, the provision requires that such data should “represent the digitalization of user actions and events” and be “valuable to the user and support innovation and the development of digital and other services protecting the environment, health and the circular economy”.

 

Another issue is that the Regulation aims to facilitate the accessibility of machine-generated data by users, trade and business persons and, where there is an exceptional need to access such data, by public sector bodies without a particular focus on scientific research (Article 1 of the Data Act). In this sense, researchers could benefit from the provisions allowing users to share machine-generated data with third parties (Article 5 of the Data Act) as “third party” also covers research organizations or not-for-profit organizations (Recital 33 of the Data Act). Moreover, researchers may rely on Article 14 of the Data Act which obliges data holders, in cases of exceptional need, to make machine-generated data available to public sector bodies as research organisations could also be organised as public sector bodies (see Recital 63 of the Data Act preamble).

 

Research organizations are allowed to share such data with “individuals or organizations in view of carrying out scientific research” (Article 21 (1) (a)) providing that such actors “act either on a not-for-profit basis or in the context of a public-interest mission recognized by the State” (Article 21 (2) and Recital 76 of the Data Act preamble). In this sense, for instance, independent individual researchers or private research institutions, conducting research in the framework of public-private partnerships, could not secure even indirect access to databases made of machine-generated data as it is in practice, difficult to distinguish between commercial and non-commercial activities within these collaborations (see Manteghi pp. 38, 43).

 

Concluding Remarks

 

To sum up, Article 43 of the Data Act could be refined so that it would be clear that the provision cannot be overridden by a contract or TPMs at the expense of users’ rights to ensure better access and utilisation of machine-generated data. Moreover, to ensure efficient and broad access to and use of machine-generated raw data collections for research purposes it is necessary to explicitly address the needs of researchers by including them among beneficiaries of the provision. Further, the inclusion of so-called derived or inferred data in the scope of the Data Act would enhance data availability and its integrity for research purposes. The suggested remedies, if adopted, could ensure a research-friendly regime and thus strengthen the research power of the EU at a global level.