Digitization and law

Digitization and Industry 4.0 are all the rage. Their technical expressions, such as global networking, the Internet of Things and cyber-physical systems or autonomous machines, are diverse and in dynamic development. Current and, above all, future areas of application are too numerous to mention. Today, the coupling of production and services and integration of customers and business partners in business and value chains are already leading to new product and service worlds. The associated issues that are arising from a legal point of view are briefly explained below.

The use of large amounts of data as an essential building block Cis common to all technical solutions and applications in Industry 4.0. Generated by various sensors, a flood of data is collected, linked, evaluated and economically used. This creates a kind of artificial intelligence of machines, multiplied by networking and interaction.

One of the topics to be discussed that at first glance seems inconspicuous, but is of enormous relevance in practice, with respect to increasing networking is the issue of how legally effective declarations may be exchanged and thus contracts concluded between two “intelligent” machines, for example relating to goods or spare parts orders between operating systems of two smart factories. While traditional law is based on the exchange of declarations of intent between individuals, legal practitioners are confident that this can be solved by “attribution rules” that are either existing or to be defined, meaning the creation of spheres of responsibility. The same applies to eliminating “incorrect” machine declarations by means of contestation in civil law. Even more exciting and of high practical importance are liability issues relating to intelligent machines where an attribution is necessary and the issue of causality must be reliably solved. This may be clear, at least theoretically, where an autonomously driving car and its occupant are involved in an accident. What about, however, the product liability of the manufacturer of a vehicle programmed to protect its occupants as much as possible that exposes other road users to a comparatively greater risk specifically because of this initial decision? Or what about the case of product defects that are – at least in part also – attributable to incorrect customer specifications in networked production?

When looking at the topic of digitization, legal practitioners must therefore ask themselves the fundamental question whether existing laws are still able to find the right answers. Lawyers organised in the BITKOM industry association, for example, are largely affirming this, arguing that it depends on correct interpretation and application of existing laws and, where necessary, further development of jurisdiction. They do not see a necessity for new laws, which, by the time they are passed, would then lag behind the state of the art again, anyway.

There are exceptions, however. Employment lawyers and social policy-makers, for example, see the rigid statutory provisions in force in Germany, particularly on working hours, put to a real test by the “time and space delimitation” of work, which is almost provoked by mobile, flexible and networked working. They suggest adjustments of individual statutory provisions, including in order to achieve the intended protection of employees. On the other hand, it will not be possible to reverse the trend of buying work services bit by bit on crowd-working platforms, thus also away from classical employment to the assignment of independent sole proprietors, by issuing new laws. In view of the dynamic technical development processes, additional challenges of “Work 4.0” in labour law relate to individuals who are entitled or obligated to lifelong training, the right to issue instructions that is delegated to computers, and the comprehensive co-determination rights of employee representatives. This applies particularly to cases where technical equipment is installed that is suitable for behavioural control. In fact, this is always and in many cases unavoidably the case with work equipment with sensors, linked and used to organise operations. Additionally, employee data protection must always be observed.

We are thus moving to highly important topics of Industry 4.0 and digitization: data protection, data use and data security. As mentioned previously, data and their use are at the heart of all applications. Where personal data are concerned, i.e., data which may at least theoretically be associated with a specific natural person, the provisions of data protection laws and their core principles of “prohibition subject to permission”, “data economy and data avoidance”, “necessity and purpose of data use”, “anonymisation and pseudonymisation” must be observed. These principles are also reflected in strict legal requirements for technical and organisational measures for the use and security of data, such as in the context of order data processing. While this applies to the vast majority of Industry 4.0 applications, it is still unclear how these data protection principles will be combined with the functionality of Big Data, i.e., the automatic mass generation and analysis of data that is not always specific and narrowly pre-defined. Referred to as “privacy and data protection by design”, technical measures and settings that are already used during data collection and processing to ensure that such data no longer have any identifiable personal reference, may be a viable solution to this problem.

Many actors, however, rightly wonder whether the current data protection regulations are at all meaningful for the numerous technical possibilities of useful digitization and whether they are still practicable and thus sustainable. The fundamental importance of a certain level of protection is not called into question, however. NSA revelations, data leaks and increasing cyberattacks have highlighted the importance of IT security for Industry 4.0 and the hope for economic growth that is associated with it. In 2015, German lawmakers therefore issued the IT Security Act, a special legal framework for “critical infrastructure” facilities such as power supply and companies in the transportation and public services sectors. The law was enacted even before the European Union considered similar legislation. In the future, businesses must be familiar with data protection and IT security requirements, protection against data outflows, encryption, sabotage resistance and requirements to design duties.

IT lawyers are dealing with data protection day in day out; and that is not even considering the huge changes by the EU General Data Protection Regulation. Additionally, we need to consider issues relating to data transfer to the USA via the EU/US Privacy Shield, EU standard contract clauses etc., or transmissions to other countries with lower levels of data protection. What is really new and challenging in legal terms is the topic of data as an asset. In connection with digitization, data are not only goods to be protected from a legal point of view and thus subject to the aforementioned protective legislation. Rather, they are the lynchpin in the economic cycle of Industry 4.0. They are traded, they form valuable contents of databases, big data analyses and e-commerce applications, thus representing the backbone of entire value chains. There is a downright data economy – good in terms of its opportunities, bad in terms of its risks.

The following key questions therefore need to be legally considered: Who owns data, who has the right to use data in what way and to what extent, can or should data be disposed of like other assets? In the end, this is a question of the legal quality of, for example, machine-generated data. Without additional links in law, possession and ownership or rights of disposal are not governed by German law for machine data as is the case for goods or rights. If vehicles generate data about their routes, vehicle system status and driving behaviour during use, should vehicle manufacturers be able to use such data (for free) and exploit them economically, for example to optimise their services? Do these date per se “belong” to vehicle owners or drivers, or do they only have defensive rights under data protection law, when user profiles about them can be created from these data? Is it possible to solve the conflict between data as essential economic and usable assets versus data protection in a valuable, practicable and satisfactory way so as to create a suitable framework for our future? All of this will play a key role in the success of digitization and Industry 4.0.