Report on Legal Issues

This Deliverable identifies and examines various legal issues that are relevant to the production of, access to, linking of and re-use of big data in the transport sector.
Chapter 2 sets the scene and introduces the concept of big data, its particular characteristics, its possible use in the transport sector, the existing policy framework, and the identified legal issues.
In Chapter 3, the authors examine the various identified legal issues and discuss the challenges and opportunities that may arise in this respect, coming up with notably the following findings:

• Privacy and data protection: Some concepts, principles and obligations under data protection law appear to be problematic for the uptake of big data. In particular, the broad definition of "personal data" and "processing", the qualification of the various actors involved as (joint-)controllers or processors, the core data protection principles, the need to identify a ground for processing, the requirement to conduct data protection impact assessments, the implementation of privacy by design and by default measures, the rights of data subjects, and the requirement to put in place adequate data transfer mechanisms seem difficult to reconcile with the concept of big data.
• (Cyber-)Security: The requirement to put in place security measures is imposed in various legislations at EU and national level, including key instruments like the GDPR and the NIS Directive. However, such legislative framework remains rather general and vague as to which specific measures are deemed appropriate. In order to comply with this requirement, organisations involved in big data analytics generally need to rely on security experts and take into account the evolving guiding documents published by authorities such as ENISA. Relying on certification mechanisms, seals, marks, and codes of conduct will enable companies complying with their legal obligations and demonstrate their compliance.
• Breach-related obligations: The various actors of the (big) data value chain need to implement measures, procedures and policies to abide by the strict notification requirements and be prepared to provide the necessary information to the authorities, within the imposed deadlines. Such requirements will also need to be adequately reflected in the various contracts between the stakeholders involved in the chain in order to adequately address any incident that may occur.
• Anonymisation / pseudonymisation: Anonymisation and pseudonymisation techniques generally provide fertile ground for opportunities with respect to big data applications, including in the transport sector. Nevertheless, a balance will need to be struck between, on the one hand, the aspired level of anonymisation (and its legal consequences) and, on the other hand, the desired level of predictability and utility of the big data analytics.
• Supply of digital content and services (personal data as counter-performance): Personal data as a form of payment for the supply of digital content is an emerging reality. In this respect, the proposed EU legal framework on the supply of digital content and services will ensure an adequate level of protection for the consumer. Nevertheless, the obligations concerning data may make some current digital services inoperable. Some companies may also start to charge for digital content services that are currently free. On a wider scale the ecosystem of innovative services in the field of transport could be jeopardised.
• Free flow of data: The free flow of data presents a scenario in which no legal barriers hinder the cross-border flow of data. Such cross-border data flows may be restricted by data localisation requirements, which come in many shapes and forms. The new EU Free Flow Regulation should ensure the free flow of data across EU Member States, ensure data availability for regulatory control by EU authorities, and encourage the creation of codes of conduct for cloud services. The elimination of data localisation requirements is expected to create more innovation, which will positively impact big data analytics in the transport sector.
• Intellectual property in big data environment: All intellectual property rights examined may have, to some extent, an impact on the use of big data, including in the transport sector. Depending on the manner in which and the extent with which a right holder may exercise its exclusive rights attached to the intellectual property right concerned, intellectual property rights may pose a barrier to data access, interoperability, and exploitation.
• Open data: The EU institutions have taken both legislative and non-legislative measures to encourage the uptake of open data, most notably through the PSI Directive which attempts to remove barriers to the re-use of public sector information throughout the EU. Open data is a key component of most big data applications. A proposal for a revision of the PSI Directive intends to extend the scope of application to public undertakings, including actors in the transport sector such as ports and airports, public passenger transport services by rail and by road, and air carriers and EU ship owners fulfilling public service obligations.
• Sharing obligations: While private companies often generate huge amounts of data, they are not always prepared to voluntarily share this data outside the company. This is due to the large number of legal, commercial and technical challenges associated with private sector data sharing. In certain circumstances, private companies are therefore legally required to share their data. This Deliverable succinctly examines the body of legislation specific to the transport sector that could impact a company's control of, the access to, or the rights in data. The analysis has shown that data sharing obligations are increasingly adopted in the context of Intelligent Transport Systems.
• Data ownership: In a big data context, different third-party entities may try to claim ownership in (parts of) a dataset, which may hinder the production of, access to, linking and re-use of big data, including in the transport sector. This Deliverable demonstrates however that the current legal framework relating to data ownership is not satisfactory. No specific ownership right subsists in data and the existing data-related rights do not respond sufficiently or adequately to the needs of the actors in the data value cycle. Up until today, the only imaginable solution is capturing the possible relationships between the various actors in contractual arrangements, i.e. data sharing agreements.
• Data sharing agreements: It is unclear whether the common practice to use data sharing agreements to govern the access to and/or exchange of data between stakeholders in a big data analytics lifecycle enables covering all possible situations with the necessary and satisfactory legal certainty. Data sharing agreements entail numerous limitations in the absence of a comprehensive legal framework regulating numerous rights (e.g. ownership, access or exploitation rights) attached to data, the way in which such rights can be exercised, and by whom.
• Liability: The EU institutions have looked into and continue to examine issues related to extra-contractual liability, statutory liability, and safety requirements in the context of disruptive technologies, including in the transport sector. Based on their continued efforts, it will be possible to determine whether any regulatory intervention is required. The contractual liability legal framework, which differs across the EU, may however limit the uptake of new technologies, including big data in the transport sector. The present Deliverable further looks into the relevance for big data in the transport sector of the exemption of liability for intermediaries (the so-called safe harbour regime), and the proposed liability regime for suppliers of digital content and services under the Draft Directive on the Supply of Digital Content.
• Competition: Assessing the market conduct of companies with access to large volumes of data raises complex issues under competition law. The difficulty of the exercise is compounded by the fact that the analysis also needs to take into account data privacy and consumer protection issues that are intimately linked to the questions under competition law. The present Deliverable considers three main areas in which competition law may have an impact on the use of big data. In view of the important role of big data in the transport sector, the Deliverable discusses the competition law issues that could arise with respect to organisations belonging to the broadly-defined "transport sector".

Finally, the last Chapter serves as a conclusion and introduces possible ways of moving forward to encourage the production of, access to, linking of and re-use of big data in the transport sector, with a particular focus on the EU. The several improvements suggested by this Deliverable vary between the different legal issues and range from avoiding restrictive interpretations by the relevant authorities or courts, over soft law measures (such as guidelines and codes of conduct), to regulatory intervention at EU level.