19 November 2025
Report by Yuan Fang, Washington University in St. Louis

Overview

The sixty-ninth session of UNCITRAL Working Group IV (Electronic Commerce) was held in Vienna, Austria on October 20-24, 2025. The session, with broad participation from Member and observer States, international organizations, and NGOs, focused primarily on the ongoing effort to create harmonized provisions governing cross-border data provision. The Working Group considered the fourth revision of the draft default rules for data provision contract, primarily examining conceptual issues, article-by-article drafting questions (with intensive discussion devoted to Articles 1-9 of the draft rules), and next steps toward finalizing a normative text.

II. Preliminary Matters

The Working Group picked up discussions from its previous sessions on the legal distinction between active and passive data provision. Passive provision refers to situations where data is generated automatically through the use of a device or service without the data provider actively supplying it. Delegates widely supported including passive data provision within the scope of the rules, but applying lighter obligations to data providers given their limited control over data characteristics and transmission.

A draft definition of passive provision was introduced, outlining factors such as: (1) the data recipient accessing data through means it provides; (2) the object of the transaction being access to data generated through the provider’s activities; (3) no data quality or quantity undertaking by the provider; (4) lack of provider responsibility for technical systems collecting and transmitting data; and (5) lack of meaningful influence over contract terms. Delegates generally agreed that the definition should operate as a closed list, refined further in subsequent drafts.

Delegates also emphasized distinguishing “authorization” to access data (a contractual concept) from “consent” under privacy and data protection regimes, noting that the former does not make a person a contractual party merely by agreeing to data processing.

III. Article-by-Article Review

Article 1: Definitions

The definition of “data” may require refinement in various language versions to ensure it is understood as a record or representation, not the underlying information itself. On the definition of “use” of data, delegates questioned whether listing specific operations (e.g., storing, combining, modifying) was useful, and debated adding terms such as generating, saving, disclosing, or analyzing data. Concerns were raised that referencing “disclosing” could introduce personal-data complications. Some suggested deleting the definition altogether and addressing usage concepts solely in Article 9.

Article 2: Scope of Application

Debate centered on whether to exclude contracts involving software, since boundaries between data and software are increasingly blurred, especially with AI. Some States argued for excluding software supply contracts to avoid conflicts with well-established legal frameworks. Others countered that software-as-a-service and cloud services often involve substantial data provision components. A broader concept—excluding contracts involving functional data and representative data—garnered support. Delegates stressed, however, that any exclusions must clearly maintain the rules’ focus on transactions where the data itself is the contractual object.

There was extensive debate about consumer contracts. Some argued that excluding consumer transactions was outdated, especially given the prevalence of passive data flows from consumer devices. Others highlighted the difficulty of harmonizing consumer protection law across States. Delegates decided to defer a final decision until the overall structure of the rules becomes clearer.

Article 3: Party Autonomy

Delegates noted a risk that the current wording might allow parties to derogate from mandatory laws, including those preserved in Article 2(4). The text will likely be adjusted so that contractual freedom explicitly remains subject to mandatory law and applies only to substantive default rules.

Article 4: Interpretation

Delegates supported including guidance on general principles underlying the rules, such as good faith and equity. The explanatory note may also integrate considerations about the unique traits of data and data transactions.

Article 5: Obligation to Provide Data

The relationship between Article 5 (what is provided) and Article 6 (how) was clarified. Delegates debated how to fit passive provision into the framework. While some suggested modifying the operative rule to “allow collection” rather than “make available,” others argued that “making data available” is sufficiently broad if clarified in an explanatory note. Delegates agreed to reinsert language requiring providers to supply information necessary to access the data (e.g., passwords).

Article 6: Mode of Provision of Data

A key outcome was the development of a new paragraph addressing passive data provision. This paragraph states that, in passive scenarios, the data provider’s sole obligation is to allow, and not impede, access to the data or the data source using means supplied by the recipient. Delegates supported retaining references to “data sources,” given the centrality of connected devices. Concerns about data security, integrity, and system functionality were discussed, with the understanding that these issues may be addressed through interactions among Articles 6, 8, mandatory laws, and the duty to cooperate. Article 6 may undergo repositioning or redrafting.

Article 7: Timing of Provision of Data

The Working Group revisited whether “without undue delay” or “within a reasonable time” should be the default standard. While “reasonable time” aligns with the CISG, “without undue delay” was considered more fitting for instantaneous digital environments. Delegates determined that setting a fixed starting point (as in CISG Article 33) may not suit data transactions.

Article 8: Conformity of Data

Delegates agreed to retain paragraph 1, while proposals for paragraph 2 focused on whether conformity should reflect objective standards, recipient purposes, or representations. Paragraph 4, listing characteristics relevant to assessing conformity, was refined by adding “availability” and references to “origin” and “coherence.” Concerns were raised that excessively long lists may be counterproductive. Delegates broadly agreed that conformity rules should not apply to passive provision of data.

Article 9: Use of Data

The chapeau and paragraph (a) were retained, stressing that contractual agreements cannot authorize unlawful use. A new proposed default rule would require the recipient to ensure its data usage does not infringe third-party or provider rights. Challenges remain regarding data deletion obligations, particularly when derived or trained-model data is involved.

IV. Next Steps

There was broad consensus to avoid a convention at this stage. Delegations were split between developing a model law or a legislative guide, ultimately agreeing that the next draft would consist of model legislative provisions with explanatory notes, with a final decision to follow. Completion in 2026 depends on progress at the next session and Commission scheduling.

Submitted to UNCITRAL Working Group II
by FICA (Forum for International Conciliation and Arbitration)
proposal for Model Law on Adjudication and
proposal for Explanatory Notes prepared by
DACABI (Dispute Avoidance, Conciliation and Adjudication Board Institute)

24 March 2021

A link to the Report is below: