Comparative analysis of legal regimes for machine-generated data in the EU and other jurisdictions

This paper carries out a comparative analysis of the regulation of machine-generated data in three jurisdictions, the EU, the UK, and Russia. All the compared jurisdictions have strategic documents for developing the data economy, data governance and policy, but with different priorities: the EU aims at empowering the individuals, the UK – at market leadership, and Russia at enhancing the government practices. None of the comparable jurisdictions has a separate regulation dedicated to the machine-regulated data. Special provisions that relate to machine-generated data were identified only in the categories of personal data (in particular communication data) and product and service data, which determine the directions for further analysis. Second chapter is on comparative analysis of the regulation of communication personal machine-generated data, starting from development of a concept that personal data can be machine-generated. Further, approaches to regulation and case law on cookies and IP addresses are compared in the three jurisdictions. Communications machine-generated personal data are specifically addressed in the data retention laws. The EU 'set the tone' for the development of data retention by adopting relevant law later invalidated by the CJEU. However, the Member States have continued to test the position of the CJEU and try to engage national counts in undermining or at least relaxing the restrictions on data retention. The UK has an even more troubled history of data retention laws adopted and invalidated by courts several times, finally coming to some mild compromise. Russia, in the contrary, has a rather strict data retention law which has never been challenged on its merits and is still in full force. Comparison of data retention laws reveals the fundamental differences between Russia and other compared jurisdictions on privacy protection and different distribution of the balance of interests between the state and the individual. The most significant and relevant aspect of regulating machine-generated data is the development of laws on data generated through connected products or online services. Regulation of this data category has been discussed in the EU for almost ten years, and has recently matured into the enacted law - the Data Act (EU DA). EU DA so far is a flagman law, but the UK follows the trend with the Data Protection and Digital Information Bill (UK DPDI) that covers the same area. The comparison reveals substantial differences in practical approaches between the EU and UK, though, based on the strategic goals discussed above. Regulating machine-generated data in the compared jurisdictions is heterogeneous. The EU, having proclaimed empowering individuals as one of its key objectives, continues its trend in the new regulation of machine-generated data to fight international data-driven corporations, while UK focuses on moderate regulation of the data market and creating a regulatory model that will ensure the most active circulation of data in the economy without being too burdensome for business. Russia, in turn, focuses on data availability to meet the needs of state bodies and administration and ignores issues of private data markets. In the future, we will see the development of similar legislation in other countries, as well as increasing complexity of regulatory models and the inclusion of diverse stakeholders with different rights and obligations in data relations.