The European Commission published the draft Data Act on February 23, 2022. The Data Act draft regulates the provision of data by the data owner to the user, to third parties and to public bodies and includes legal frameworks for data access and data use. The background to the regulation is that there is currently no legal regulation on data sovereignty and all parties involved rely on voluntary exchange.
With the Data Act draft, the European Commission now wants to clarify who may commercially exploit data and under what conditions this takes place. In addition, special provisions are made for micro, small and medium-sized enterprises as well as so-called “gatekeepers”.
Basic content of the draft Data Act
The draft regulates the exchange of user-generated data between companies and between consumers and companies. Large parts of the data collected by companies and by consumers in connection with networked devices and digital services must in future be made technically and legally accessible to users, who can then pass the data on to third parties.
The regulations in the draft include, for example, product requirements for easy and secure data access (“access by design and by default”), pre-contractual information obligations and the need for a usage agreement between data owner and user, data access claims and provision obligations, as well as regulations on data transfer by the data owner to third parties at the instigation of the user. However, it also regulates requirements for corresponding consideration (e.g., fairness, appropriateness) and criteria for abusive contractual clauses in order to protect smaller companies.
In addition, there are to be regulations for the transfer of data to public bodies and EU institutions, bodies and other bodies in emergency situations.
The draft also stipulates that the European Commission should provide non-binding model contractual conditions for data access and use. The member states are then to issue corresponding regulations on sanctions in the event of violations.
Addressees of the draft Data Act
The Data Act draft applies to
- All manufacturers of products and providers of related services placed on the market in the EU and users of such products or services;
- data controllers who provide data to recipients in the EU;
- Data recipients in the EU to whom data is provided;
- public bodies and EU institutions, bodies and agencies;
Similar to the GDPR, the regulations are also intended to apply to companies based outside the EU if they provide relevant services to customers in the EU.
Outlook
The European Parliament and the Council have adopted their positions on the draft and, like the member states, are calling for various amendments. Further negotiations will focus in particular on the scope of application of the Data Act, ensuring the protection of trade secrets, remuneration issues and regulations on provider switching and protection against unfair contract terms. On March 29, 2023, the first trilogue took place. However, as the positions of the Council and Parliament are not too far apart, an agreement is generally expected before the summer break or shortly thereafter.
Companies face an increasing push to use of open source software, both in their own software development and in the procurement of software from third parties.
The use of open source software or “free and open source software” has become standard in software development. Open source software is freely available on the internet, saves time and allows typical standard functions to be integrated without any development effort.
The term Free and Open Source Software suggests when the software is “free” in every respect. However, the use of the software requires acceptance of and compliance with the underlying licence conditions. Frequently, however, these are observed little or not at all, which can lead to considerable economic risks (including injunctive relief, claims for damages).
Therefore, it is essential, especially for software development companies, to fully comply with the obligations associated with the use of open source software. In order not to be surprised by the negative consequences of non-compliance, it is advisable to introduce internal processes for monitoring compliance within the framework of an open source compliance management.
What is Open Source Software?
Open source software is freely available, but can only be used under restrictions that are intended to enable further free use. For example, the Open Source Initiative (https://opensource.org/) published requirements to classification as open source software. Among other things, the source code must be available or be made available. Changes to the software must be permitted. The licence conditions used must not restrict distribution, no licence fee may be charged for the open source software and it must be permitted to market changes under the same conditions.
The various open source developers have gone different ways. Some use licences that allow use in conjunction with commercial products. Some oblige the user to combine the open source software only in conjunction with compatible licences or stipulate that their own licence conditions must apply to further developments or derivative works. This is also called “copyleft” or viral effect.
What impact does this have on commercial use?
For companies that only use open source software internally for their own purposes, there are hardly any restrictions preventing use. Occasionally, however, certain types of use are exempted.
However, if the open source software is made available to third parties or if it is incorporated into commercial software, it must be checked whether use and distribution in the intended way is covered by the underlying licence.
On the one hand, there are many licences that make this possible and even allow the use of commercial licence terms for the larger work. In contrast to commercial third-party products, the possibilities for use are usually more flexible here.
On the other hand, depending on the licence, the use of open source software can lead to restrictions. For example, if an open source software licenced under GNU General Public License (GNU GPL), is integrated the larger work cannot be distributed commercially or without disclosing the source code.
However, the type of use also plays a role here. Some licences (e.g. Affero General Public License) restrict commercial use to such an extent that use in connection with commercial SaaS services is restricted.
Other commitments
In addition to the fundamental question of the permissibility of use, some licences also provide for further obligations, e.g. passing on the licence conditions, disclosure of use, making available the source code of the open source software, naming the author.
Often, the developers know the concept of open source software, but not the associated restrictions and obligations. The consequences are usually a violation of the licence conditions and a resulting ban on using the open source software.
How do I reduce my risks?
First of all, an inventory should be made. Open source audits are a good way to do this, in which the source code of the own software and all open source components used are scanned. This allows you to find both obviously used open source software and so-called snipits that have been copied into the own code. The open source software should also be scanned completely in order to find third-party components it may contain.
There are various tools on the market that support the scan. Some of these can also be integrated into the development process. In this way, problematic developments can be discovered and eliminated at an early stage. In addition, the tools facilitate the creation of a Bill of Materials (BoM), a list of all matches with pieces of code, the version of the open source software, the respective download source and the applicable licence conditions.
It makes sense to whitelist unproblematic licences and blacklist problematic ones. All licences not listed would then have to be checked as necessary.
Awareness should be raised to the responsible employees and appropriate contractual regulations should be concluded with external developers.
In addition, the documentation measures should be summarised in a compliance programme.
Conclusion
The use of open source software brings both advantages and challenges. However, when the right components are selected and used in accordance with the conditions, it is often more interesting than commercial third-party products or in-house developments.
TCI partner Stephan Schmidt (Mainz), together with the Düsseldorf law firm MUTTER & KRUCHEN (M&A, corporate law), advised the shareholder of it relations GmbH on the sale to ALVARA | Digital Solutions.
ALVARA | Digital Solutions (a brand of ALVARA Holding GmbH) continues to grow. It relations GmbH is new to the corporate group of specialists for track & trace software solutions for the cash cycle and logistics. ALVARA | Digital Solutions adds an IT specialist that has been carrying out innovative IT projects for 25 years and, among other things, stands for the successful development of innovative and intuitively operated cash register systems. The intelligent branch checkout systems used by large bakery chain stores, restaurants, bars and retailers can be individually adapted and, in addition to central data maintenance and POS synchronisation, are also GDPD/GOBD-compliant and fiscally secure. The Coffeeboard system enables current discounts, promotions or image advertising to be effectively staged as an image or video via separate monitors in the checkout area so advertising can be centrally planned and managed.
Shortly before its 10th anniversary, the Mainz team of the law firm TCI has been strengthened with the experienced in-house lawyer and former general counsel Sabine Brumme as a full-time partner as of May. As a founding member of the firm, she was previously of counsel at TCI and will join the firm in full in the future. Previously, Sabine Brumme was General Counsel at the innovative AI provider arago GmbH and Deputy General Counsel at an international consulting firm.
Brumme started her legal career in 1997 at a savings bank association and was already active in IT and Internet law at that time. This continued at Bayerische Landesbank. She then spent more than 15 years at the consulting firm BearingPoint in various positions and held the position of Deputy General Counsel with legal responsibility for the software division there together with her team. In 2019, she moved to arago a provider of AI-powered cloud applications.
In addition to legal operations, her focus was on IT law, which she has been involved in since the beginning of her professional career. Brumme is experienced especially in complex, international negotiations of software, outsourcing and cloud contracts. In addition, she has been intensively involved with LegalTech in recent years.
Brumme has been associated with TCI for a long time: She is a founding partner of TCI and also previously worked with parts of the Mainz and Munich teams as of counsel at teclegal from 2009.
She has been a guest lecturer for the Institute of Information Law at the h_da University of Applied Sciences in Darmstadt and has supervised Bachelor and Master students there as well as at the Frankfurt University of Applied Sciences in the course of their final theses. She continues to be associated with the h_da through her work on the advisory board of the Institute for Information Law. She also sits on the advisory board of the “Intellectual Property Magazin”.
Brumme will support the team in the areas of IT law, data protection, international contract law and competition law. She will also expand the LegalTech, Legal Operations and Legal Outsourcing practice areas. She will build on existing international mandates.
Stephan Schmidt, TCI founding partner comments on the change: “We are very pleased that our long-time companion Sabine Brumme has decided to support us in the future as a partner with all her strength in the exciting subject area of IT law and to contribute to the fact that we can continue to advise our clients at the highest level, especially in the area of licensing and outsourcing.”
TCI is represented as a group of law firms with 14 partners and 3 associates at the offices in Berlin, Mainz and Munich since 2011. TCI’s industry focus is on “Technology”, “Communication”, “Information”, on which the short name and brand “TCI” is based. The legal focus is on technology-related contract law and litigation including arbitration, IT law, telecommunications law, public procurement and antitrust law, franchise and distribution law, employment law, copyright law and intellectual property law.
