The European Commission published the draft Data Act on February 23, 2022. The Data Act draft regulates the provision of data by the data owner to the user, to third parties and to public bodies and includes legal frameworks for data access and data use. The background to the regulation is that there is currently no legal regulation on data sovereignty and all parties involved rely on voluntary exchange.

With the Data Act draft, the European Commission now wants to clarify who may commercially exploit data and under what conditions this takes place. In addition, special provisions are made for micro, small and medium-sized enterprises as well as so-called “gatekeepers”.

Basic content of the draft Data Act

The draft regulates the exchange of user-generated data between companies and between consumers and companies. Large parts of the data collected by companies and by consumers in connection with networked devices and digital services must in future be made technically and legally accessible to users, who can then pass the data on to third parties.

The regulations in the draft include, for example, product requirements for easy and secure data access (“access by design and by default”), pre-contractual information obligations and the need for a usage agreement between data owner and user, data access claims and provision obligations, as well as regulations on data transfer by the data owner to third parties at the instigation of the user. However, it also regulates requirements for corresponding consideration (e.g., fairness, appropriateness) and criteria for abusive contractual clauses in order to protect smaller companies.

In addition, there are to be regulations for the transfer of data to public bodies and to EU institutions, bodies and agencies in emergency situations.

The draft also stipulates that the European Commission should provide non-binding model contractual conditions for data access and use. The member states are then to issue corresponding regulations on sanctions in the event of violations.

Addressees of the draft Data Act

The Data Act draft applies to

  • all manufacturers of products and providers of related services placed on the market in the EU and users of such products or services;
  • data controllers who provide data to recipients in the EU;
  • data recipients in the EU to whom data is provided;
  • public bodies and EU institutions, bodies and agencies.

Similar to the GDPR, the regulations are also intended to apply to companies based outside the EU if they provide relevant services to customers in the EU.

Outlook

The European Parliament and the Council have adopted their positions on the draft and, like the member states, are calling for various amendments. Further negotiations will focus in particular on the scope of application of the Data Act, ensuring the protection of trade secrets, remuneration issues and regulations on provider switching and protection against unfair contract terms. The first trilogue took place on March 29, 2023. As the positions of the Council and Parliament are not too far apart, an agreement is generally expected before the summer break or shortly thereafter.

Open Source Compliance

Companies face an increasing push to use open source software, both in their own software development and in the procurement of software from third parties.

The use of open source software or “free and open source software” has become standard in software development. Open source software is freely available on the internet, saves time and allows typical standard functions to be integrated without any development effort.

The term Free and Open Source Software suggests that the software is “free” in every respect. However, the use of the software requires acceptance of and compliance with the underlying licence conditions. Frequently, these are observed little or not at all, which can lead to considerable economic risks (including injunctive relief and claims for damages).

Therefore, it is essential, especially for software development companies, to fully comply with the obligations associated with the use of open source software. In order not to be surprised by the negative consequences of non-compliance, it is advisable to introduce internal processes for monitoring compliance within the framework of an open source compliance management.

What is Open Source Software?

Open source software is freely available, but can only be used under restrictions that are intended to enable further free use. For example, the Open Source Initiative (https://opensource.org/) has published requirements for classification as open source software. Among other things, the source code must be available or be made available. Changes to the software must be permitted. The licence conditions used must not restrict distribution, no licence fee may be charged for the open source software and it must be permitted to market changes under the same conditions.

The various open source developers have gone different ways. Some use licences that allow use in conjunction with commercial products. Some oblige the user to combine the open source software only in conjunction with compatible licences or stipulate that their own licence conditions must apply to further developments or derivative works. This is also called “copyleft” or viral effect.

What impact does this have on commercial use?

For companies that only use open source software internally for their own purposes, there are hardly any restrictions preventing use. Occasionally, however, certain types of use are exempted.

However, if the open source software is made available to third parties or if it is incorporated into commercial software, it must be checked whether use and distribution in the intended way is covered by the underlying licence.

On the one hand, there are many licences that make this possible and even allow the use of commercial licence terms for the larger work. In contrast to commercial third-party products, the possibilities for use are usually more flexible here.

On the other hand, depending on the licence, the use of open source software can lead to restrictions. For example, if open source software licensed under the GNU General Public License (GNU GPL) is integrated, the larger work cannot be distributed commercially or without disclosing the source code.

However, the type of use also plays a role here. Some licences (e.g. Affero General Public License) restrict commercial use to such an extent that use in connection with commercial SaaS services is restricted.

Other commitments

In addition to the fundamental question of the permissibility of use, some licences also provide for further obligations, e.g. passing on the licence conditions, disclosure of use, making available the source code of the open source software, naming the author.

Often, the developers know the concept of open source software, but not the associated restrictions and obligations. The consequences are usually a violation of the licence conditions and a resulting ban on using the open source software.

How do I reduce my risks?

First of all, an inventory should be made. Open source audits are a good way to do this: the source code of your own software and of all open source components used is scanned. This allows you to find both obviously used open source software and so-called snippets that have been copied into your own code. The open source software should also be scanned completely in order to find third-party components it may contain.

There are various tools on the market that support the scan. Some of these can also be integrated into the development process. In this way, problematic developments can be discovered and eliminated at an early stage. In addition, the tools facilitate the creation of a Bill of Materials (BoM), a list of all matches with pieces of code, the version of the open source software, the respective download source and the applicable licence conditions.

It makes sense to whitelist unproblematic licences and blacklist problematic ones. All licences not listed would then have to be checked as necessary.
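The whitelist/blacklist check described above can be run automatically over a Bill of Materials. The following is an added example, not part of the original article: the licence identifiers placed on each list, the component names and the function names are assumptions, and the entries use SPDX-style expressions with AND, OR and parentheses.

```python
import re

# Assumed policy lists (SPDX identifiers); the real lists come from legal review.
ALLOW = {"MIT", "BSD-3-Clause", "Apache-2.0"}
DENY = {"GPL-3.0-only", "AGPL-3.0-only"}
RANK = {"allow": 0, "review": 1, "deny": 2}

def evaluate(expression):
    """Verdict for one licence expression: 'allow', 'deny' or 'review'."""
    tokens = re.findall(r"\(|\)|[^\s()]+", expression or "")
    pos = 0
    def atom():
        nonlocal pos
        tok = tokens[pos] if pos < len(tokens) else ")"
        pos += 1
        if tok == "(":
            verdict = either()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parenthesis")
            pos += 1
            return verdict
        if tok in (")", "AND", "OR"):
            raise ValueError("operand expected")
        return "allow" if tok in ALLOW else "deny" if tok in DENY else "review"
    def chain(operand, operator, pick):
        nonlocal pos
        verdict = operand()
        while pos < len(tokens) and tokens[pos] == operator:
            pos += 1
            verdict = pick(verdict, operand(), key=RANK.get)
        return verdict
    both = lambda: chain(atom, "AND", max)    # all licences apply: worst verdict wins
    either = lambda: chain(both, "OR", min)   # user may choose: best verdict wins
    try:
        verdict = either()
    except ValueError:
        return "review"   # empty or malformed entry: a human decides
    # Leftover tokens (e.g. a WITH exception clause) are not modelled: review.
    return verdict if pos == len(tokens) else "review"

# Constructed BoM rows: (component, version, licence expression).
BOM = [
    ("libfoo", "1.2.0", "MIT"), ("imgkit", "0.9", "GPL-3.0-only OR Apache-2.0"),
    ("netd", "2.1", "AGPL-3.0-only"), ("glue", "0.1", "MIT AND GPL-3.0-only"),
    ("codec", "3.3", "MPL-2.0"), ("snippet", "n/a", ""),
    ("jrt", "11", "GPL-2.0-only WITH Classpath-exception-2.0"),
]

def gate(bom):
    return {name: evaluate(expr) for name, _version, expr in bom}
```

An "allow" verdict on a dual-licensed component holds only if the component is then actually used under the permitted alternative and that licence's obligations are met.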

Awareness should be raised among the responsible employees and appropriate contractual regulations should be concluded with external developers.

In addition, the documentation measures should be summarised in a compliance programme.

Conclusion

The use of open source software brings both advantages and challenges. However, when the right components are selected and used in accordance with the conditions, it is often more interesting than commercial third-party products or in-house developments.

TCI celebrates its 10th anniversary and continues its success story

TCI is a group of boutique law firms that was founded in July 2011, with offices in Berlin, Mainz and Munich.

TCI’s industry focus is on “Technology”, “Communication”, “Information”, on which the short name and brand “TCI” is based. The legal focus is on technology-related contract law and litigation including arbitration, IT law, telecommunications law, public procurement and antitrust law, franchise and distribution law, employment law, copyright law and intellectual property law.
Each of the founding partners of TCI had previously gained several years of professional experience in other specialized commercial law firms and renowned large law firms. They wanted to realize their vision of a boutique law firm in which renowned legal personalities known in the market work together on the basis of a democratic internal structure with a flat hierarchy. This recipe for success has fully proven itself.

Truiken Heydn, TCI founding partner, commented: “We would like to thank our clients and the many colleagues who recommend us again and again for the trust they have placed in us. We are pleased that the approach of a boutique law firm has proven its worth over the 10 years and we will continue to pursue it consistently. This allows us to focus on core areas and provide the best possible service to our clients. Areas of law that we do not handle ourselves are covered by cooperations with other law firms. This allows us to support clients beyond our focus and opens up many other advantages of working with other law firms. One example of this is our collaborations in the M&A environment.”

Meanwhile, the expert team of the law firm alliance has grown to 14 partners and 3 associates. TCI and its lawyers have won numerous national and international awards (e.g. Best Lawyers, FOCUS, Who’s Who Legal) throughout the firm’s history. In addition, they have made a name for themselves as specialist authors, lecturers and speakers.

TCI Rechtsanwälte and MUTTER & KRUCHEN advise CompuGroup Medical on the acquisition of Meta IT GmbH

The transaction: CompuGroup Medical (CGM) acquires the entire shares in Meta IT GmbH, based in St. Ingbert.

Meta IT is a highly specialized healthcare software vendor with two core products: MetaKIS offers hospitals a powerful application for the billing of Diagnosis Related Groups (DRG), revenue assurance, performance management and benchmarking. MetaIPSS actively and comprehensively supports all relevant processes in a hospital’s hygiene management. The browser-based solutions can be integrated into all relevant hospital information systems (HIS) and interact seamlessly with the CGM solution suites for acute care hospitals.

The two companies have been working well and successfully together for some time. Now, the joint commitment is to be further intensified and extended to new areas, e.g. in the increasingly important topic of quality management. Other CGM customer groups, such as rehabilitation facilities, will also benefit from this. MetaIPSS in particular also offers a lot of potential for an expansion or internationalization of the target market.

The TCI team led by Stephan Schmidt supported the transaction and was responsible for the legal due diligence and negotiation of the SPA in the areas of IT/IP, data protection and labor law.

The MUTTER & KRUCHEN team led by Dr. Carsten Kruchen supported the transaction and was responsible for the legal due diligence and negotiation of the SPA in the area of corporate law.

Advisory teams:
TCI Rechtsanwälte (IT, IP, data protection, employment law): Stephan Schmidt, Sabine Brumme, Stephan Breckheimer, Joscha Falkenhagen
MUTTER & KRUCHEN (corporate law): Dr. Carsten Kruchen, Jessica Werner

CompuGroup Medical is one of the world’s leading e-health companies, generating annual revenues of EUR 837 million in 2020. The company’s software products to support all medical and organizational activities in medical practices, pharmacies, laboratories and hospitals, its information services for all stakeholders in the healthcare system and its web-based personal health records serve a safer and more efficient healthcare system. The foundation of CompuGroup Medical’s services is its unique customer base of more than 1.6 million users, including physicians, dentists, pharmacies and other healthcare professionals in outpatient and inpatient settings. With its own locations in 18 countries and products in 56 countries worldwide, CompuGroup Medical is the e-health company with one of the largest reach among healthcare providers. Around 8,000 highly qualified employees stand for sustainable solutions in the face of constantly growing demands in the healthcare sector.

TCI Rechtsanwälte advises national and international clients primarily in the areas of IT/IP law and data protection law. In addition to contract law advice, TCI Rechtsanwälte also supports clients in corporate acquisitions and sales and IP compliance.

MUTTER & KRUCHEN assists clients in corporate acquisitions and sales as well as in more comprehensive reorganizations of corporate and group structures. In addition, MUTTER & KRUCHEN provides independent and partner-led advice on corporate and capital markets law to listed and medium-sized companies, family-owned companies and their shareholders, experienced founders and investors as well as foundations.

TCI RECHTSANWÄLTE PROUD GOLD PLUS SPONSOR OF 2021 WORLD TECHNOLOGY LAW CONFERENCE

TCI Rechtsanwälte is once again a proud Gold Plus Sponsor of the International Technology Law Association’s (ITechLaw) World Technology Law Conference. The conference will take place from 8 to 10 June 2021 as an online event. Registrations are still possible at the following link: https://www.itechlaw.org/conferences/2021-world-technology-law-conference.