The legal parameters of your process of digital transformation go far beyond the EU’s familiar General Data Protection Regulation (GPDR). Find out here which legal topics could be relevant for you.
Your business operations will always take place on the basis of legal parameters. These parameters are determined by national and EU laws. We show you here which areas are regulated by EU laws. Please research your national requirements yourself. You will need these for your process of digital transformation if you want, for example, to analyse your company’s external environment with the help of the so-called PESTLE analysis in our online learning tool.
There are two types of EU laws: directives and regulations.
Directives are the EU’s framework laws. They must be implemented into national law by the national parliaments of the member states within a fixed time period. Regulations, on the other hand, are EU laws that are immediately and directly applicable in all member states.
We give you an overview here of the EU regulations and directives in five legal areas that could be relevant for your business model.
Data protection includes technical and organisational measures against the improper processing and distribution of data. The measures that need to be enacted depend on the type of data collected:
- personal data;
- pseudonymised data (a personal connection can be restored);
- anonymised data (a personal connection cannot be restored);
- non-personal data (data for products and machines);
- publicly available data.
For personal data the general data protection regulation (GDPR) applies within the European Union:
Because of the lex loci solutionis this is also covers companies which are not located in the EU but which offer products or services in the European Union. This regulation also applies to ‘Industry 4.0’ applications with which personal data is deliberately processed (e.g. when evaluating customer behaviour with big data applications).
Note: When processing pseudonymised or anonymised data you must ensure that the personal contact cannot be restored by the processor, otherwise the general data protection regulation applies.
The general data protection regulation forms the data protection perimeter for personal data in the European Union, together with the directive for data protection in the police and justice sectors:
Non-personal data (data for products and machines) is also subject to an EU regulation when it comes to its distribution:
This regulation aims at safeguarding the free flow of data that is non-personal within the European Union. By now this kind of data is also viewed as an economic asset, but that does not mean that property rights and intellectual property rights are generally applicable to this data. Rather the rights to use the data, in other words its processing, are left to contracts drafted by the market players.
Publicly available data, in other words data that public bodies, within the sovereign fulfilment of their duties, survey, collect, evaluate, process or are informed of, as well as data in the ownership of public authorities and companies, can also be of interest for companies or natural people.
Two EU directives are relevant for its continued use:
The first directive is already legally binding. The second directive must be implemented into national law by the EU member states by 17 June 2021 at the latest.
Both directives ensure that the continued use of publicly available data is possible and supported, thereby generating incentives for the development of new products and services.
IT security is a key topic in a digitalised economy. Data repositories and networked systems must offer a certain level of security when it comes to the integrity, trustworthiness and availability of the systems. The directive for ensuring a high common level of security of network and information systems (NIS directive) has created a consistent legal framework for this within the European Union:
The NIS directive contains a comprehensive packet of measures to strengthen the level of security of network and information systems (cybersecurity) and thereby to secure services that are essential for the EU’s economy and society. The EU countries must
- appoint one or several responsible national authorities and computer security incident response teams (CSIRTs) and designate a central point of contact should there be several responsible authorities;
- register the operators of essential services in critical sectors, within which a cyberattack could impair important services;
- implement a national strategy for the cybersecurity of network and information systems.
The critical sectors are:
- Energy (electricity, crude oil, natural gas);
- Transport (air traffic, rail traffic, shipping, road traffic);
- Banking;
- Financial market infrastructures;
- Healthcare (including hospitals and private clinics);
- Delivery and provision of drinking water;
- Digital infrastructure (online marketplaces, online search engines, cloud computing services).
Amongst other things, the national strategies for cyber security should take into account:
- the assessment of the measures of operators of essential services regarding cybersecurity;
- the adherence to suitable measures for cybersecurity;
- the reporting obligations for current security incidents.
A summary of this directive’s regulations can be found here.
In order to ensure the proper functioning of the EU internal market and to reach a high level of skill in defending against cyberattacks and in trusting cybersecurity, the EU has created an additional EU agency for cybersecurity through the so-called ENISA regulation:
Progressing digitalisation and networking between companies constantly increases the risk of losing company secrets. Some examples of this are:
- 3D printing (it is possible to transfer CAD files, objects can be copied);
- open innovation (the content of communication between partners can end up in the wrong hands);
- cooperation between companies (the content of communication between partners can end up in the wrong hands).
The EU directive 2016/943 therefore requires “reasonable steps […] to keep information secret”, in order to protect confidential business information and company secrets from unauthorised access:
Reasonable steps to keep information secret extend to a legal level, e.g. agreements between companies or between companies and employees, as well as to the area of creating appropriate access restrictions.
With the goal of further harmonising copyright law and the related protective laws in the EU, the following EU directive was brought into effect with particular consideration of the digital and international use of protected content. It must be implemented into national law by no later than 7 June 2021:
This directive particularly addresses questions about copyright when it comes to accessing information that is protected by copyright via online search engines and social media.
As a general rule, it is of course important to bear in mind the effective rules in related property rights alongside copyright: design law, trademark law, patent law and utility model law.
Digital transformation is not explicitly mentioned in the EU legislation described below. When it comes to the use, for example, of public funds for your digital transformation however, it is important to bear it in mind.
The ‘Treaty on the Functioning of the European Union’ specifies in article 107 that aid granted by a member state which distorts or threatens to distort competition by favouring certain companies or the production of certain goods shall, in so far as it affects trade between member states, be incompatible with the internal market. Aid schemes in the member states are therefore continually reviewed by the EU Commission in accordance with article 108 of the treaty and require the Commission’s approval if they could go on to result in a distortion of competition.
In the case of subsidies where the sum is considered marginal, it is not mandatory to gain approval – under certain conditions. The details are specified in the so-called de minimis regulation:
Article 109 of the treaty on the functioning of the European Union also enables the council of the EU to specify groups of subsidies that are exempt from these authorisation requirements. Under certain conditions this also includes, for example, subsidies for small and medium sized enterprises (SME). The details are specified in the following regulation:
Current liability law is applicable as long as actions can be traced back to people, and product defects can be ascribed to identifiable areas of human misconduct in production and delivery chains. The implementation of the following EU directive has led to a harmonising of law throughout the member states in this legal area:
The situation becomes problematic, however, when it comes to totally autonomous control. In this instance people no longer have any decision-making authority or possibility of intervention. This is, for example, the case with self-learning industrial robots and independent repeat orders through autonomous systems. In these instances it is, however, usually possible to apportion blame to the system operator or system manufacturer. Through digital transformation many processes in industry are aimed at reducing possible causes of damage. Amongst other things, automation also has the goal of eliminating human misconduct as a potential cause of error and source of danger. There is therefore no observable movement at the moment towards adapting current liability law.
Driving Forces that Change the World
Blockchain, big data and much more – a short and understandable explanation.
Quick Check: What is my Company’s Current Position?
Check in a few minutes to what extent your company is prepared for the digital transformation and receive further information.
Digital Transformation: Step-by-Step Instructions
Materials for working, learning and planning regarding the development and implementation of your individual strategy.
Quick Check: What is my Company’s Current Position?
Check in a few minutes to what extent your company is prepared for the digital transformation and receive further information.
Driving Forces that Change the World
Blockchain, big data and much more – a short and understandable explanation.
Digital Transformation: Step-by-Step Instructions
Materials for working, learning and planning regarding the development and implementation of your individual strategy.