European Data Act: a harmonized framework for accessing and sharing data

On 23 February, the European Commission published the long-awaited “European Data Act”, which is a proposal for regulation to establish a harmonized framework for data sharing in the European Union.

The Data Act will make more data available for use and will set up rules on who can use and access what data for which purposes across all economic sectors in the EU. According to the Commission, the new rules are expected to create €270 billion of additional GDP by 2028.

Given how much is at stake for the green digital transition, we at Dr2 Consultants are excited to share our insights into the new proposal. In concrete terms, the Commission includes:

  1. Improved access to private sector data for the public sector (B2G);
  2. Fairness of data access and use in business relationships (B2B);
  3. New rules allowing customers to effectively switch between different cloud data-processing service providers.

What does the European Data Act mean for you?

This blogpost provides an overview of the main implications and opportunities for European businesses, focusing on:

  • Objectives for data sharing and access requirements;
  • Targets, ranging from service providers and gatekeepers to device manufacturers, companies and public authorities;
  • Implications of data sharing, interoperability standards and cloud switching.

Keep in mind, however, that the European Parliament and the Council of the EU will both provide amendments to the text.

What’s the objective of the European Data Act?

Complementing the Data Governance Act, which aimed to increase trust and facilitate data sharing across the EU and between sectors, the Data Act’s core objective is to put users and providers – large and small – on more equal footing in terms of access to data. Concretely, Dr2 Consultants expects every actor that contributes to the generation of data should be able to access said data. This means that users will get standard access to the generated data on any of their integrated tools. These could be virtual assistants, connected home appliances and so forth. The data should be easily and freely accessible and shareable with third parties.

The proposal is based on the results of an open public consultation carried out by the European Commission in 2021, which showed that an EU action is needed on business-to-government (B2G) data sharing for the public interest, especially for emergencies and crisis management, prevention and resilience. For the past three months, the Commission has been working to address certain concerns regarding the necessary legal clarity to B2G data sharing. In the proposal, the Commission appears to have tried to limit mandatory B2G data sharing to cases in which an ‘exceptional need’ exists.

What implications will the European Data Act have for your business?

A piece of horizontal legislation, the Data Act will apply to device manufacturers, providers of digital services and connected products (such as ‘the Internet of Things or IoT) as well as public authorities in the EU. Dr2 Consultants advises businesses to pay close attention to the developments in the coming months.

The proposed legislation mandates data sharing requirements to allow data sharing among businesses, public authorities and users. SMEs are exempted from these obligations, but overall the requirements imply that the European Commission has opted for a one-size-fits-all solution that compels all businesses to adapt.

EU Data Policy Services

Certain limits will be put in place to guarantee that third party access to shared data remains safe and harmless to the parties involved. This entails agreed upon measures to protect confidentiality, privacy and trade secrets as well as restrictions of the use of the data by market competitors of the data holder.

Neither data holders nor third parties will be allowed to influence or prevent the user’s data sharing behaviour in any coercive, manipulative or technical way. Only micro and small companies will be excluded from these strict guidelines if they’re independent from other companies.

In particular, providers with a significant position in the market will be labelled as gatekeepers within the market. Such actors will be subject to more specific restrictions, as third parties are not allowed to share data with these gatekeepers, nor are gatekeepers allowed to request access to these data.

Specific attention goes out to the risk of non-EU countries gaining access to data. The European Data Act goes beyond current restrictions regarding the transfer of personal data outside the EU by extending such restrictions to non-personal data. Only when an international agreement is in place will court orders from third countries be adhered to. This is relevant keeping in mind the ongoing efforts of the US and the EU to reach such an agreement.

Furthermore, the draft sets out provisions to ensure interoperability and cloud switching and safeguards for international data transfers. The previous SWIPO initiative for cloud-switching was deemed insufficient for this purpose as the Commission now opts for binding measures. The goal will be functional equivalence when moving software to another cloud platform. This means required compatibility of interfaces and platforms with all other services. Proper interoperability is essential for fair competition to function in the digital data market. To realistically strive for interoperability, a degree of harmonized standards among cloud services will be necessary. European standardisation organisations will be approached for this purpose, possibly accompanied with a mandatory implementing act if necessary.

Next steps

In the coming weeks, the co-legislators, the Council of the EU and the European Parliament will assess the proposal and kick off the discussions. Because this is a regulation, the legislative act will be immediately applicable in all Member States once the European Parliament and the Council of the EU have concluded their negotiations with the European Commission.

Within the European Parliament, MEP Pilar del Castillo (ES) is likely to lead the EPP in the Industry (ITRE) Committee, while for the Greens MEP Alexandra Geese (DE) announced she would take the lead on this file in the Internal Market and Consumer Protection (IMCO) Committee, sided by MEP Damian Boeselager (DE) in the ITRE Committee.

The Parliament now needs to determine which committee will take the lead. We can expect that the same committees that handle the Data Governance Act will be working on this file: ITRE in the lead, with the Civil Liberties (LIBE), Legal Affairs (JURI) and IMCO Committees giving their respective opinions.

Ahead of the start of the legislative debate among Parliament and Council, the European Commission published on 14 March a call for feedback on the proposed Data Act. Open for a period of 8 weeks, the open call will collect feedback from private and public stakeholders in order to feed the EU decision-making process. Dr2 Consultants stands ready to support organizations in the contribution of their views to the legislative debate.

Dr2 Consultants will follow the legislative developments very closely, and thanks to its expertise and wide range of clients in the digital sector, Dr2 Consultants is expertly placed to assist your company in identifying the impact of and leveraging the opportunities offered by the European Data Act.

Would you like to know more about how your organization can make the most out of the data regulation? Visit our EU Data Policy Services webpage and subscribe to Dr2 Consultants’ EU Data Policy Updates, or get in touch with our Managing Partner Jasper Nagtegaal.