In the data-market context, different actors and entities are interacting and complying with multiple regulatory frameworks. In particular, the entities involved in the data-market value chain can be divided into three macro-groups, where multiple actors interact at different levels. In such a transaction context, main discussion concerns who has ownership over such data and how such a right can be turned into legal protection. Unfortunately, within the EU area, civil law, which includes property law, contractual law and liability law represent is massively regulated at the national level.
Contrary, other aspects such as competition law, data protection and privacy law and consumer protection are areas where the EU legislator has the competence to legislate. Therefore, data markets legal challenges are affected by the tension between EU and national legislation and between economic efficiency of those entities relying on data as an economic asset and individual legitimate interest to retain personal information.
Q1. In an MPC context, what happen if the data provider shares incorrect data, and I make a wrong decision: who is to blame?
The answer to this question depends on a cascade of two subsequent questions:
Q1.1. Is there any particular EU harmonization on liability in the context of the sharing of data to MPC protocols?
There exists no specific liability regime concerning the concrete scenario of data sharing using MPC protocol. Therefore, reference ought to be made to the general liability regimes in the EU, as well as domestic tort laws.
Q.1.2. Is there any general EU harmonization on liability, which may be applicable in this context?
Firstly, it ought to be stated that the liability regime within the EU is mostly non-harmonized, with the exclusion of i.a.: product liability law under Directive 85/374/EC; certain aspects of liability for infringing data protection law (Art. 82 of the General Data Protection Regulation (GDPR); liability for breaching competition law (Directive 2014/104/EU); liability insurance concerning damage caused by the use of motor vehicles (Directive 2009/103/EC); and conflict of tort laws, in the veil of the Rome II Regulation. Sectoral Legislations (i.e. EU consumer protection framework) Given that this question does not relate to concerns of data protection or competition law, the only potentially applicable regime concerns the product liability directive. The question then arises whether data could be regarded as a product under Directive 85/374/EC. If this is the case, our answer will be embedded in the harmonized liability regime innate to this Directive. Unfortunately, specialized literature chiefly rejects such an interpretation. Hence, based upon both the materially limited notion of ‘product’ under the Directive, as well as on internal Safe-DEED research, it seems that Directive 85/374/EC shall not be applicable in establishing the liability regime in this case scenario. To conclude it is possible to affirm there exists no harmonized liability regime concerning damage stemming from the provision of incorrect plain text to an MPC protocol.
Q1.3. Are there any domestic liability rules that could be applied to the MPC case scenario?
The existing domestic liability regimes may not always be unequivocally applied mutatis mutandis to the MPC context. In other words, these rules may not always plainly fit the very nature of MPC protocols; nor may they be adapted to new technologies in general. In conclusion, due to the substantial divergences between the liability regimes of all member states, the outcome of cases will often be different depending on which jurisdiction applies.
Q1.4. Which are the most common forms of liability in domestic laws applicable to this use case?
Despite these substantial differences between the liability regimes in EU member states, most states’ fault-based regimens are generally rooted in the same criteria (most commonly distinguished as ‘fault’, ‘damage’, and ‘causal relation’). Our concrete case scenario relates to the ‘fault’-criterion (“would committed the wrongful act?”). Fault-based liability Most EU domestic laws share the same legal conception of ‘fault’ under their respective liability laws. To establish ‘fault’, two aspects should be determined: (I) it ought to be identified that the duties of care of the perpetrator have been discharged, and (II) it should be proven that the conduct of the perpetrator of the damage did not discharge those duties as stressed by H Koziol. The duties at issue are determined by a plethora of (non-)legal factors. Occasionally, they are defined beforehand by statutory language prescribing or prohibiting certain specific conduct. Still, often they must be reconstructed after the fact by the court based on social beliefs about the prudent and reasonable course of action in the circumstances (i.e. the principle of good neighbourliness, or bonus pater familias). In other words: can it be expected – from an average and reasonable data provider in similar circumstances – that he or she would share correct data? If the answer to this question is affirmative, it could be argued that the data provider has committed wrongful conduct on this occasion. If it can then subsequently be established that the data user’s (economic) damage can be causally attributed to this wrongful conduct, the data provider can be held liable for these damages. This entire question rests on what can be expected from an average and reasonable data provider in similar circumstances. Suppose the nature of the data is f.i. too technical to be properly understood and correctly shared by the average, suitable data provider, would be difficult to attribute them the liability. Consequently, we should question what can be expected from an average, reasonable data provider whilst providing data to an MPC protocol. These sorts of questions usually depend on the court’s interpretations and their respective balancing exercise. Given the non-existence of relevant case law, it seems necessary regulators need to focus on filling this gap in ascertaining liability in these complex contexts. Strict liability (i.e. non-fault based liability) When it comes to strict liability occurs when the action put in place is intended generate a tort. Consequently, The claimant need only prove that the tort occurred and that the defendant was responsible.Notwithstanding overall understanding across the EU, its precise conditions strongly differ depending on the Member State, though its conditions are generally more restrictive than a fault-based liability . Moreover, it seems unlikely that strict liability would be accepted in the scenario of data trading, as the potentiality of being held liable without fault would undeniably frighten data providers from sharing their data, and would thus hamper the advancement of data marketplaces. Vicarious liability Vicarious liability is a situation in which one party is held partly responsible for the unlawful actions of a third party. The third party also carries his or her own share of the liability. Vicarious liability typically arises in situations where one party is supposed to be responsible for (and have control over) the third party. It is correspondingly negligent in carrying out that responsibility and exercising that control. Nonetheless, in this MPC scenario, no such relationship or responsibility seems to be at play whatsoever. Hence, it seems highly unlikely that this third form of liability would apply to our case scenario.