Legal parameters of digital transformation

The legal parameters of your process of digital transformation go far beyond the EU’s familiar General Data Protection Regulation (GDPR). Find out here which legal topics could be relevant for you.

Your business operations will always take place on the basis of legal parameters. These parameters are determined by national and EU laws. We show you here which areas are regulated by EU laws. Please research your national requirements yourself. You will need these for your process of digital transformation if you want, for example, to analyse your company’s external environment with the help of the so-called PESTLE analysis in our online learning tool.

There are two types of EU laws: directives and regulations.

Directives are the EU’s framework laws. They must be implemented into national law by the national parliaments of the member states within a fixed time period. Regulations, on the other hand, are EU laws that are immediately and directly applicable in all member states.

We give you an overview here of the EU regulations and directives in five legal areas that could be relevant for your business model.

Data protection includes technical and organisational measures against the improper processing and distribution of data. The measures that need to be enacted depend on the type of data collected:

  • personal data;
  • pseudonymised data (a personal connection can be restored);
  • anonymised data (a personal connection cannot be restored);
  • non-personal data (data for products and machines);
  • publicly available data.

For personal data the general data protection regulation (GDPR) applies within the European Union:

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Because of the lex loci solutionis, this also covers companies which are not located in the EU but which offer products or services in the European Union. This regulation also applies to ‘Industry 4.0’ applications in which personal data is deliberately processed (e.g. when evaluating customer behaviour with big data applications).

Note: When processing pseudonymised or anonymised data you must ensure that the personal connection cannot be restored by the processor; otherwise the general data protection regulation applies.

The general data protection regulation forms the data protection perimeter for personal data in the European Union, together with the directive for data protection in the police and justice sectors:

DIRECTIVE (EU) 2016/680 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA

Non-personal data (data for products and machines) is also subject to an EU regulation when it comes to its distribution:

REGULATION (EU) 2018/1807 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 November 2018 on a framework for the free flow of non-personal data in the European Union

This regulation aims at safeguarding the free flow of non-personal data within the European Union. By now this kind of data is also viewed as an economic asset, but that does not mean that property rights and intellectual property rights are generally applicable to this data. Rather, the rights to use the data, in other words its processing, are left to contracts drafted by the market players.

Publicly available data, in other words data that public bodies survey, collect, evaluate, process or are informed of within the sovereign fulfilment of their duties, as well as data owned by public authorities and companies, can also be of interest for companies or natural persons.

Two EU directives are relevant for its re-use:

DIRECTIVE 2013/37/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 26 June 2013 amending Directive 2003/98/EC on the re-use of public sector information

DIRECTIVE (EU) 2019/1024 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 20 June 2019 on open data and the re-use of public sector information

The first directive is already legally binding. The second directive must be implemented into national law by the EU member states by 17 June 2021 at the latest.

Both directives ensure that the continued use of publicly available data is possible and supported, thereby generating incentives for the development of new products and services.

IT security is a key topic in a digitalised economy. Data repositories and networked systems must offer a certain level of security when it comes to the integrity, confidentiality and availability of the systems. The directive for ensuring a high common level of security of network and information systems (NIS directive) has created a consistent legal framework for this within the European Union:

DIRECTIVE (EU) 2016/1148 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union

The NIS directive contains a comprehensive package of measures to strengthen the level of security of network and information systems (cybersecurity) and thereby to secure services that are essential for the EU’s economy and society. The EU countries must

  • appoint one or several responsible national authorities and computer security incident response teams (CSIRTs) and designate a central point of contact should there be several responsible authorities;
  • register the operators of essential services in critical sectors, within which a cyberattack could impair important services;
  • implement a national strategy for the cybersecurity of network and information systems.

The critical sectors are:

  • Energy (electricity, crude oil, natural gas);
  • Transport (air traffic, rail traffic, shipping, road traffic);
  • Banking;
  • Financial market infrastructures;
  • Healthcare (including hospitals and private clinics);
  • Delivery and provision of drinking water;
  • Digital infrastructure (online marketplaces, online search engines, cloud computing services).

Amongst other things, the national strategies for cyber security should take into account:

  • the assessment of the measures of operators of essential services regarding cybersecurity;
  • the adherence to suitable measures for cybersecurity;
  • the reporting obligations for current security incidents.


In order to ensure the proper functioning of the EU internal market and to achieve a high level of capability in defending against cyberattacks and of trust in cybersecurity, the EU has created an additional EU agency for cybersecurity through the so-called ENISA regulation:

REGULATION (EU) 2019/881 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act)

Advancing digitalisation and networking between companies steadily increase the risk of losing company secrets. Some examples of this are:

  • 3D printing (it is possible to transfer CAD files, objects can be copied);
  • open innovation (the content of communication between partners can end up in the wrong hands);
  • cooperation between companies (the content of communication between partners can end up in the wrong hands).

The EU directive 2016/943 therefore requires “reasonable steps […] to keep information secret”, in order to protect confidential business information and company secrets from unauthorised access:

DIRECTIVE (EU) 2016/943 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure

Reasonable steps to keep information secret cover both the legal level, e.g. agreements between companies or between companies and employees, and the technical and organisational level of creating appropriate access restrictions.

With the goal of further harmonising copyright law and the related protective laws in the EU, the following EU directive was brought into effect with particular consideration of the digital and international use of protected content. It must be implemented into national law by no later than 7 June 2021:

DIRECTIVE (EU) 2019/790 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC

This directive particularly addresses questions about copyright when it comes to accessing information that is protected by copyright via online search engines and social media.

As a general rule, it is of course important to bear in mind the rules in force for the related intellectual property rights alongside copyright: design law, trademark law, patent law and utility model law.

Digital transformation is not explicitly mentioned in the EU legislation described below. However, when it comes to the use, for example, of public funds for your digital transformation, it is important to bear this legislation in mind.

The ‘Treaty on the Functioning of the European Union’ specifies in article 107 that aid granted by a member state which distorts or threatens to distort competition by favouring certain companies or the production of certain goods shall, in so far as it affects trade between member states, be incompatible with the internal market. Aid schemes in the member states are therefore continually reviewed by the EU Commission in accordance with article 108 of the treaty and require the Commission’s approval if they could go on to result in a distortion of competition.

In the case of subsidies whose amount is considered marginal, it is not mandatory to gain approval, subject to certain conditions. The details are specified in the so-called de minimis regulation:

COMMISSION REGULATION (EU) No 1407/2013 of 18 December 2013 on the application of Articles 107 and 108 of the Treaty on the Functioning of the European Union to de minimis aid

Article 109 of the Treaty on the Functioning of the European Union also enables the Council of the EU to specify groups of subsidies that are exempt from these authorisation requirements. Under certain conditions this also includes, for example, subsidies for small and medium-sized enterprises (SMEs). The details are specified in the following regulation:

COMMISSION REGULATION (EU) No 651/2014 of 17 June 2014 declaring certain categories of aid compatible with the internal market in application of Articles 107 and 108 of the Treaty

Current liability law is applicable as long as actions can be traced back to people, and product defects can be ascribed to identifiable areas of human misconduct in production and delivery chains. The implementation of the following EU directive has led to a harmonising of law throughout the member states in this legal area:

DIRECTIVE 1999/34/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 10 May 1999 amending Council Directive 85/374/EEC on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products

The situation becomes problematic, however, when it comes to fully autonomous control. In this instance people no longer have any decision-making authority or possibility of intervention. This is, for example, the case with self-learning industrial robots and independent repeat orders placed by autonomous systems. Even in these instances it is usually possible to apportion blame to the system operator or system manufacturer. Through digital transformation, many processes in industry are aimed at reducing possible causes of damage. Amongst other things, automation also has the goal of eliminating human misconduct as a potential cause of error and source of danger. There is therefore no observable movement at the moment towards adapting current liability law.
