Thought leadership from our experts

“It’s the data, stupid!”

Thomas Heymann, Covington & Burling, Germany

For a long time data and information have been identified as the "basic commodity" of the "information age". But only in recent years have we started to understand their real commercial value (Google certainly helped there). Protection of personal data has a long tradition in Germany (as in continental Europe at large). Case law and legal theory however focused exclusively on the right of privacy of the "data subject" and aims at preventing such data becoming a commercial good.

With the spread of the internet, mobile computing and cloud storage another issue becomes crucial: protecting data and information as a valuable commercial good.

A prominent example for this discussion is data of drivers and passengers collected and stored by car manufacturers (or OEMs providing GPS-related services). Leading car manufacturers agreed on some "Privacy Principles" in November 2014 committing to transparency and to disclosure of their privacy practices, including in owner's manuals and on company websites. The adopted "Automotive Privacy Principles" will in particular protect the confidentiality of "where and how" a person drives. The secondary use of such data will require the consent of the affected data subject. What looks like a straightforward "confession" to the preexisting statutory rights of the data subjects however, also reflects a very different line of conflict: the car manufacturers thereby claim authority (and ownership) regarding tracing and tracking of the passengers and other valuable information (for example, location related data sent by cell and not only by GPS) and challenge the use of such data by internet search or other third party providers of the numerous online services related to each car today.

In addition, the car manufacturers reserve the right to use any such data in the context of "Big Data" applications. Some argue that such applications are not subject to privacy laws, as they only relate to anonymous data. But that is not entirely correct in all cases. According to Art. 3 subs. 6 of the German Privacy Act, data are only deemed "anonymous" if the underlying data subject can only be identified with a "disproportional" effort. The challenge will be to determine which level of effort for "identifying" data subjects is required to assume such anonymity. For some of the key applications (Tracking, Scoring or Personalizing) anonymity can be a very relative concept, as the data aim at predicting probable causes of actions of the data subject. And the more such sets of data (which each by itself does not allow to identify the data subject) can be combined, the easier it becomes to break the anonymity. The German legislator has made it clear in an amendment to the German statute on telecommunication that the barrier should be quite high in this respect.

In this context a new legal theory seems to emerge, under which data (and in particular cases information) can be the subject of property rights. It is argued that this is necessary to ensure exclusive rights of those who have collected or compiled such data. Such a property right is more fundamental than the sui generis protection provided by the European Database Directive. Unless specifically agreed in contracts, under the applicable German rules, it is not entirely certain which rights the customer has in regard to the data stored by an outsourcing at the end of such contract. However, in my personal opinion, German courts have been able to find satisfactory principles in such conflicts, and we should be very careful in creating "absolute protection rights" with rather vague connotations. The "Right in Data" or "Right in Information" also will have a tendency to diminish the scope of the privacy rights of data subject, even if its primary field of application is the relations between data processors.

Similar issues arise when data is stored in "clouds". In this context it has to be noted that cloud related services become omnipresent at the moment. Everyone knows this for private use in public clouds (content data etc.). But we have also seen a shift to virtual storage and "cloud based" technologies in our large outsourcing contracts which some years ago we would not have imagined. Questions of ownership, right to use data there for "big data" analysis need to be addressed in contracts, as the statutory rules are once again not entirely clear.

Protection of data – personal, anonymous or relating to trade secrets of companies is therefore a major issue for corporate governance. Compliance is not simply a task for "data protection officers" anymore but should be the responsibility of the chief technology officer of any major company. Adding the concerns regarding wholesale industrial espionage (which apparently has become a favorite activity for some secret services even in allied nations) management and protection of data and information is an evolving, interesting area of law.