back

Protection of non-personal data, public data, health data and databases: a look back at the study conducted by AIPPI

Article Intellectual property, media & art IT and Data Competition and Distribution Law | 03/11/20 | 10 min. | Charles Bouffier Antoine Boullet

In view of the explosion in the amount of data created, collected, exchanged or used, AIPPI[1] – the first international association dedicated to the development and improvement of laws for the protection of intellectual property – has carried out a vast study on the protection of non-personal data, public data, health data and databases.

1. Purpose of the study: data protection, state of play and perspectives
 

AIPPI has invited national groups[2] to present the relevant provisions applicable in their countries as well as to explore the need for harmonization of the protection at the international level.

The protection by legislation and policy issues relating to personal data was specifically excluded from the scope of the study.

In addition to the general protection of "mere" data (as opposed to personal data[3]), the issues of database protection, public data[4] and health data protection were particularly studied.

The national reports[5] are now available as well as a summary[6]. The authors of this article took part in the study carried out by the French group.

2. Synthesis of the global study
 
In summary, for most of the national groups:
 
- an international harmonization of the data protection regime on the one hand and the database protection regime on the other hand seems desirable ;
- a protection of “mere” data by means of trade secrets or unfair competition is preferable to a protection by a new specific intellectual property right ;
- on the other hand, with regard to public data and health data in particular, the groups largely agree on the need to establish specific protections;
- finally, databases (which were the subject of a previous specific AIPPI study[7]) should continue to be protected by a sui generis intellectual property right, with the majority of the European reports nevertheless underlining that the sui generis database right should be clarified, in particular with regard to the scope of protection.
 
3. Synthesis of the French group report
 

3.1. The very comprehensive report of the French group[8] first of all reminds us that the data itself is not subject to a property right but may be subject to an intellectual property right in specific cases (e.g. by copyright if it contains intellectual works and/or by the sui generis right of the database producer if it constitutes a qualitatively substantial part of a database). However, other regimes allow for data protection, provided that certain conditions are met, such as:

- Trade secret,
- Unfair competition,
- Criminal law (through theft, breach of trust, extortion, blackmail, various breaches of automated data processing systems, breach of trade secrets)
- Or the common law on contracts.


For the French group, this "arsenal" of protection regimes appears sufficient, even if there is always the risk that an economic operator may reserve control of certain essential data affecting competition (in particular via the trade secret regime or contractual provisions). Consequently, the envisaged improvement would be to provide for exemptions from access to data and their processing for purposes of public interest (e.g. public health, scientific or historical research, security).

3.2. Regarding databases, the French group points out that their structure may be protected by copyright (subject to originality) and that their content is protected by the sui generis database right, provided that the conditions are met. The other protection regimes mentioned above (trade secrets, unfair competition, criminal law, contract law) may also apply, completed by specific regulations as the case may be, such as, for instance, regulations on online gambling and gaming.

For the French group however, the sui generis database right is subject to inherent limitations that make it inadequate for the protection of “mere” data.

Article 7 of Directive 96/9/EC on the legal protection of databases[9] provides that the maker (or "producer" under French law) of a database has the right “to prevent extraction and/or re-utilization of the whole or of a substantial part, evaluated qualitatively and/or quantitatively, of the contents of that database”, where “there has been qualitatively and/or quantitatively a substantial investment in either the obtaining, verification or presentation of the contents”.

However, in 2004, the European Court of Justice (EUCJ) ruled that « the expression ‘investment in … the obtaining … of the contents’ of a database as defined in Article 7(1) of the directive must be understood to refer to the resources used to seek out existing independent materials and collect them in the database. It does not cover the resources used for the creation of materials which make up the contents of a database »[10].

In so doing, the CJEU has narrowed the scope of this protection by limiting it to pre-existing data "obtained" only, to the exclusion of data "created". Such an approach has a huge impact on the data economy by excluding from protection the so-called "spin-off" databases, i.e. those which are the sole result of a main activity, such as data generated by sensors, data produced by machines, by Internet of Things devices, mega-data or data resulting from artificial intelligence[11]. The sui generis right thus only applies to databases that contain data from existing materials[12].

The French group therefore suggests that the sui generis right should also take into account the substantial investment devoted to the production of data (and not only to the collection and verification of data under the existing regime).

3.3. Finally, the French group draws up a detailed inventory of two specific regimes: on the one hand, the regime for public documents and the public data they contain, and on the other hand, the regime for health data in its various definitions under French law.

The French group reiterates the specific conditions of accessibility of these types of data, stating that a clarification of the derogations to the access and processing of health data would be recommended.

To conclude, given the very wide range of protection regimes applicable to non-personal data and databases, experts should be consulted on a case-by-case basis, when a question of protection arises.

August Debouzy's Media Technologies Intellectual Property department is at your disposal for this purpose.


 

[1] International Association for the Protection of Intellectual Property

[2] 31 national groups participated. These countries are the following: Argentina, Australia, Azerbaijan, Belgium, Brazil, Bulgaria, Canada, Chile, China, Croatia, Ecuador, Finland, France, Germany, Hungary, India, Indonesia, Italy, Japan, Malaysia, Mexico, Paraguay, Philippines, Poland, Spain, Switzerland, Netherlands, United Kingdom, USA, Taiwan, Turkey.

[3] Personal data is defined as « any information relating to an identified or identifiable natural person » cf. Article 4 (1) of the GDPR: https://eur-lex.europa.eu/legal-content/FR/TXT/?uri=CELEX%3A32016R0679

[4] The term "public data" generally refers to information produced or collected by public authorities (State, local authorities, administrative authorities, etc.) as part of their public service activities.

[5] to access national reports enter the key words “IP rights in data” in the AIPPI research engine on https://aippi.soutron.net/Portal/Default/en-GB/Search/SimpleSearch

[6] Link to the very instructive synthesis prepared by the rapporteurs: https://aippi.soutron.net/Portal/DownloadImageFile.ashx?objectId=8481

[7] See the national reports, including the French group's report and AIPPI's recommendations, available at the following link: https://www.aippi.fr/fr/travaux-scientifiques/questions-etudiees/theme-6-congres-de-geneve-2004

[10] See judgments of the CJEU of Nov. 9, 2004 in the cases : C-46/02, Fixtures Marketing Ltd v. Oy Veikkaus (http://curia.europa.eu/juris/liste.jsf?language=fr&num=C-46/02) ; C-338/02, Fixtures Marketing Ltd v. Svenska Spel Ab (http://curia.europa.eu/juris/liste.jsf?language=fr&num=C-338/02) ; C-203/02, British Horseracing Board Ltd v. William Hill (http://curia.europa.eu/juris/liste.jsf?num=C-203/02) ; C-444/02, Fixtures Marketing Ltd v. OPAP (http://curia.europa.eu/juris/liste.jsf?language=fr&num=C-444/02).

[11] For an application of this solution by the French courts, see Civ. 1, 5 March 2009, pourvois 07-19.734 and 07-19.735; CA Paris, 20 December 2013, RG n°12/20260.

[12] See Evaluation of Directive 96/9/EC on the legal protection of databases, SWD (2018) 147 final, p. 15 and 24 ; see also Study in support of the evaluation of Directive 96/9/EC on the legal protection of databases.


Suggested articles