Data 360° – data pooling between companies

Data pools are becoming increasingly important in the digital economy, giving rise to specific legal problems. This article outlines the legal requirements and restrictions to be observed when setting up and operationalising data pools and looks at ways of structuring them.

Background

Data pools, through which different companies combine and share data, are becoming increasingly important. There are manifold reasons for establishing a common data pool. For example, in the pharmaceutical industry, combining patient, clinical study and health data can provide far-reaching insights for fighting diseases or minimising health risks. Similarly, companies in the financial sector, for example, can achieve significant efficiency gains by bringing together disparate financial data, both personal and non-personal in nature.

Of course, merging data from different sources and across company boundaries raises a number of legal issues, not least in the areas of data protection, contract and antitrust law.

Contractual aspects

First, the companies concerned must lay down the terms and conditions under which the data will be collected, shared and used in a contract.

This is particularly important especially because there is no exclusive right to the individual pieces of data as such. It is true that depending on the individual case, information contained in data may constitute business secrets within the meaning of section 2, no. 1 German Act on the Protection of Business Secrets (insofar as this is secret information of economic value which is protected by appropriate measures to maintain confidentiality). Data collections may also be protected as databases within the meaning of section 87a German Copyright Act (whereby it is in particular unclear to what extent the generation of data is also to be regarded as an investment performance worthy of protection within the meaning of the provision and acts of infringement are limited to essential parts of the database). However, there is to date no clear allocation in rem that would give the holder ownership or a comparable right to the respective data.

Consequently, there is generally no clear answer to the question as to whom the data should be allocated – the owner, the machine generating the data, the manufacturer of such a machine or the user.

Against this background, it is usually not any allocation in rem of the data that determines who can dispose thereof in practice, but rather the de facto control over such data. When it comes to opening data assets so that they can be accessed and used by third parties – as is also the case with data pooling – the focus is therefore on solutions governed by the principle of private autonomy and thus questions pertaining to contract drafting.

With regard to data use and exploitation, data pooling contracts should contain the following provisions, among others:

• Classification of the contract type (relevant in particular for the applicable liability regime);
• As precise a definition as possible of the subject matter of the contract, including the data to be provided; in view of the data protection implications, the data pool should be limited as far as possible to the generation of non-personal data (machine data and/or anonymised data) (see below for details);
• Technical provisions for granting access, in particular laying down a common data format and transmission standard as well as the interfaces to be used (API);
• Any requirements for the quality of the data (this will generally be determined by the accuracy of the information contained in the data) or provision of the data “as is” and without any warranties;
• Safeguarding with regard to conflicting rights of third parties to the generated data; because of the uncertain legal situation concerning the allocation of the data (and possible defensive claims), the participants in the data pool should each ensure that they in turn obtain the consent of third parties involved in the generation of the data – e.g. owners/users of the devices generating the data for the comprehensive (commercial) use and application of the data;
• Structuring of the data pool participants’ rights of use and exploitation in respect of the generated data and the results produced on the basis of the data provided; copyright licences can generally be used as a guide in this regard (in particular, specification of the individual rights of use and exploitation and any restrictions on use, licence territory, licence term, sub-licensing and transferability). When granting exclusive rights of use or making other exclusivity arrangements, the restrictions imposed by antitrust law must be observed in particular (see below for details);
• Agreement of confidentiality obligations; such a clause serves, on the one hand, to protect the information contained in the data provided, irrespective of whether this information falls within the scope of application of the German Act on the Protection of Business Secrets in the individual case (for the requirements for protection, see above). On the other hand, confidentiality obligations can provide clarity on permitted and prohibited acts under the German Act on the Protection of Business Secrets. This is because a breach of contractual restrictions on use can at the same time constitute a breach, in particular, of the prohibition of action in section 4(2), no. 2 German Act on the Protection of Business Secrets and trigger claims for injunctive relief and, if applicable, damages. Therefore, the data use agreements drawn up within the framework of the data pool should clearly define the respective restrictions on use and confidentiality obligations, so that the participants can easily identify any unauthorised use of the data in breach of the German Act on the Protection of Business Secrets.

Legal requirements and restrictions to be observed when establishing and structuring data pools

Both the establishment of a data pool and its subsequent management are subject to legal restrictions.

Data protection aspects

The question of whether personal data should (also) be shared is a key factor to be taken into account when designing a data pool. The General Data Protection Regulation (GDPR) permits the exchange of personal data only for clearly identified legitimate purposes and only if there is a legal basis for the data transfer. “Sensitive” data such as health information or biometric or genetic data may generally only be processed and shared for research projects or similar purposes if the data subjects have given explicit consent for this in accordance with the requirements of the GDPR.

Therefore, when designing a pooling project, it should be carefully examined whether the purpose pursued by the data pool cannot also be achieved if the exchange of personal data is dispensed with altogether or if the data to be shared are anonymised in advance. It should be noted that data are only considered anonymised in the legal sense if it is technically impossible to restore the link to specific persons or this can only be achieved with disproportionate effort.

If the processing of personal data is unavoidable, compliance with the following requirements in particular must be documented (Article 5(2) GDPR):

• Examination and correct classification of the roles of the participants. If several parties involved in the data pool act as “joint controllers” (Article 4, no. 7, Article 26 GDPR) or if a service provider or platform operator is involved as a “processor” (Article 28 GDPR), data protection agreements covering the content prescribed by law must be concluded;
• Specification and description of the categories of data subjects and personal data which are the subject of the data pool, as well as the purposes and legal bases of the data processing and the data recipients;
• Description and implementation of technical and organisational measures to ensure a level of data security appropriate to the risk (Article 32 GDPR);
• Carrying out of a formal data protection impact assessment if this is necessary, for example, due to the sensitivity of the data (Article 35 GDPR);
• Implementation of an erasure plan that ensures the erasure of personal data that are no longer needed for the specified processing purposes (Article 5(1)(e), Article 17 GDPR);
• Information to be provided to the data subjects (Articles 13, 14 GDPR).

Antitrust aspects

It has to be checked on a case-by-case basis whether the data pool itself and its structure are permissible under antitrust law. There is no specific case law or official decision-making practice in this area yet, but the following general comments can be made based on various scenarios.

Requirements and restrictions to be observed when accessing and participating in data pools

When a data pool is set up, it must first of all be determined which companies are to be granted access to the pool and under which conditions. From an antitrust law perspective, the question of who has access to a data pool is of particular relevance. Access restrictions may constitute a barrier to market entry depending on how important the data pool is for participation in the market. Generally speaking, access rules that meet the following requirements are unobjectionable:

• Access to the data pool is open to all interested companies on the basis of objectively justified and uniform criteria.
• Access to data is granted under FRAND (fair, reasonable and non-discriminatory) conditions.
• The participating companies are involved in determining the relevant data pool specifications/standards, for example in connection with the data taxonomy or the data format used.

If these conditions are not met, however, this does not necessarily mean that the pool has an anticompetitive structure. Even a restricted group of participants may be justified under certain circumstances.

However, this always requires careful consideration of the circumstances of the individual case, with the importance of the data pool and its effects on the market position of participating companies being some of the key aspects. For example, in the case of a pool with market power, an obligation to admit competitors seeking access may arise from the abuse of dominance prohibition under antitrust law. Conversely, a data pool of smaller companies can also be permissible as a closed shop precisely as a counterweight to the market power of larger competitors.

Requirements and restrictions to be observed for the data made available

The ban on cartels enshrined in Article 101 TFEU/section 1 German Act against Restraints of Competition gives rise to additional mandatory restrictions to be observed when structuring data pools. Here, too, a case-by-case assessment is necessary, as the permissibility of an exchange of data depends on an overall consideration of various factors (such as the nature of the data and the relevance thereof for competitors, the respective market conditions, the market concentration, the level of detail of the data and how up to date they are, as well as the frequency of the exchange). Special requirements may also have to be observed, for example, if the exchange of data may have the effect of aligning prices, for example in interaction with price algorithms, or enables price discrimination.

Irrespective of the need to consider these issues on a case-by-case basis, the following general statements can be made:

• Competitively sensitive, strategically relevant data (such as prices, specific customer offers, individual marketing strategies) must not be shared with competitors, as such an exchange can, as a hardcore antitrust law violation, result in substantial fines.
• In contrast, it is essentially unproblematic to share data originating from a technical context or required to ensure interoperability between applications and/or devices, e.g. in the IoT area or to enable Industry 4.0 applications in technical terms.
• For antitrust law reasons, too, it is generally the case that only data that are absolutely necessary for the respective purposes should be shared (minimisation principle). 

In addition, it has to be ensured that antitrust restrictions are observed when structuring how access is to be granted to the pooled data. State-of-the-art safeguards should be put in place for this purpose. Among other things, the following should be ensured:

• Clear guidelines should be laid down as to what kind of data may be shared via the pool and the extent to which such data has been processed.
• The specific way in which access to the pool is granted should be set up in a way that compliance with the antitrust safeguards is already ensured by technical means (compliance by design).
• Uniform pseudonymisation and/or anonymisation procedures should be developed to ensure that the exchange of information is permissible under antitrust law (and data protection law).

In addition, it should always be borne in mind that extended data access via the pool may also have individual consequences for the participating companies. According to section 18(3), no. 3 and section 18(3a), no. 4 German Act against Restraints of Competition, access to data is to be used as an assessment factor for determining market power, so that participation in a data pool and the access to data obtained via this pool may affect the assessment of the market position of a company under competition law.

Requirements and restrictions during the implementation of the cooperation

It is not only the access to and structure of the data pool as such that are subject to antitrust law restrictions, but also the cooperation of the participating companies in the context of the pool. The following points in particular should therefore be taken into account:

• Participants must not be told what prices they are to charge for services enabled by the shared data (for example, marketing advertising space using shared targeting data).
• Nor may the pool participants coordinate their activities relating to other strategic aspects, for example by dividing up among themselves the customers who can be approached using the data in question.
• Apart from agreeing on compliance with legal requirements, the pool participants may not agree on who is to use the shared data and how.
• If the participants commit themselves exclusively to the pool, the permissibility of such an arrangement under antitrust law must be examined in each case on the basis of the specific circumstances. The same applies to measures that at least indirectly have a lock-in effect for the participants.
• The participants’ ability to share their data individually with each other and/or with other companies in addition to the pool should not be restricted.
• If the agreements on the data pool contain so-called grant back and/or forward feed clauses, these should be checked to ensure that they are permissible under antitrust law.

Outlook

The draft “Data Governance Act” presented by the EU Commission could introduce new regulations relevant to data pools. The draft contains provisions relating to “data intermediaries”. These data intermediaries will be monitored by the state and must make the data pools they have built up accessible to all interested users on a non-discriminatory basis. At the same time, they are to protect the right of “data donors” to determine what information is made available by ensuring that the data are only made accessible for purposes for which the data subjects have given consent in accordance with the requirements of the GDPR.

In a similar way to the “Data Governance Act”, the “Data Act”, which is also still moving through the EU legislative process, is intended to ensure fairness of data access and use in B2B situations by way of new provisions. It will be necessary to keep an eye on these and other legislative developments in the European Union. However, there is no question that the (economic) importance of data pools will continue to grow in the future.