Data Contracts
The second Part of the Principles is devoted to contracts with regard to data and establishes sets of default terms that seem appropriate for different types of data transactions.
- Principles 5 and 6 include general provisions for data contracts.
- Principles 7 to 11 govern different types of contracts for the supply and sharing of data.
- Principles 12 to 15 are devoted to contract types for services with regard to data.
Chapter A – General Provisions
Principle 5 provides a general hierarchy for the rules governing data contracts. It emphasises the primary role of the agreement between contractual parties, limited only by mandatory rules of law. It often occurs that contractual issues were not addressed by the parties, or parties may have thought that an issue was implicitly covered in their agreement. For such issues that arise frequently in contractual relations, contract law often provides terms that are 'automatically' included in the contract unless derogated from by agreement of the parties. The Principles aim to provide such default terms for common contract types in Principles 7 to 15.
Chapter B – Contracts for supply or sharing of data
In general, regarding contracts for the supply and sharing of data, the Principles opt for a ‘sales approach’ (as opposed to a ‘license approach’), meaning that the data supplied may be used by the recipient for any lawful purpose that does not infringe the rights of third parties. This Chapter provides a variety of default terms on different contractual issues (e.g. the manner in which the supplier is to perform its undertaking; the characteristics of the data supplied; the control of, and other data activities with regard to, the supplied data). Depending on the way data is supplied, five different types of contracts can be differentiated:
In a data transfer contract, the supplier undertakes to put the data recipient in control of particular data (e.g. by transferring the data to a medium within the recipient's control).
Where parties do not aim to provide full control of the data to the recipient (e.g. due to data privacy concerns), they could choose a contract for simple access to data. This contract type allows the recipient to access particular data on a medium within the supplier's control (e.g. for data processing or porting of data).
A contract for exploitation of a data source is one under which the supplier undertakes to provide to the recipient access to the data source (device or facility by which data is collected or generated) – on this basis, the recipient can view, process or port data from the data source.
On the basis of contracts for authorization to access, the supplier authorizes the access to data by the recipient, but takes on a much more passive role and usually does not undertake any obligations regarding the data (e.g. users of a free messaging service are not required to produce a minimum quantity of user-generated data due to their lack of influence on the transaction).
In a data pooling arrangement, two or more parties ('data partners') supply data by transferring it to a jointly controlled medium, granting each other access, or granting access to data sources.
Chapter C – Contracts for services with regard to data
Contracts for the processing of data
A very common type of service contract are contracts for the processing of data. Processing can be understood quite broadly, and may include, inter alia:
- collection or recording of data (e.g. data scraping),
- storage or retrieval of data (e.g. cloud space provision),
- analysis of data (e.g. data analytics services),
- organisation, structuring, presentation, alteration or combination of data (e.g. platform services),
- or erasure of data.
Principle 12 includes a variety of default terms that govern the obligations and rights of the processor as well as the controller (e.g. processor must not pass data on to third parties).
Data trust and data escrow Contracts
On the basis of a data trust contract, a controller of data ('entruster') entrusts a third party ('data trustee') to make certain decisions about use or onward supply of data that may benefit the controller or a wider group of stakeholders ('beneficiaries'). Such contracts do not need to conform to any particular structure or characteristics associated with a common law trust. A common example for data trust constellations are data management systems like PIMS (personal information management systems), where the data trustee is empowered to make decisions on behalf of the entruster in respect to e.g. data protection issues.
Another type of intermediary contract is the data escrow contract: One or more parties planning to use data ('contracting parties') may wish to restrict their powers by means of a data escrowee to avoid conflict with certain legal requirements (e.g. data protection/privacy law). Hence, the purpose of a data escrow contract is to limit the powers of some or all parties contracting with the escrowee, whereas under a data trust contract the trustee must defer to the powers of the entrusters.
Data Marketplace Contracts
Lastly, the Principles establish default terms for data marketplaces, which play an important intermediary role in connecting suppliers and recipients of data. Marketplaces may provide additional services, such as infrastructure for the transfer of data and payments, assisting with legal requirements or ranking services.
The default terms listed in Principle 15 are mainly applicable to the contracts between the supplier and the marketplace (see Figure to the left 'Contract A') and between the recipient and the marketplace ('Contract B'). They include obligations and rights of the parties involved in a data marketplace contract (e.g. obligation of the data marketplace provider to refrain from any use for its own purposes of data, received from its client, that is the subject of the anticipated transaction).