European Data Act: a harmonized framework for accessing and sharing data

On 23 February 2022, the European Commission published the long-awaited “Data Act”, which is a proposal for regulation to establish a harmonized framework for industrial, non-personal data sharing in the European Union.

The European Data Act will make more data available for use and will set up rules on who can use and access what data, for which purposes across all economic sectors in the EU. According to the Commission, the new rules are expected to create €270 billion of additional GDP by 2028.

In concrete terms, the Commission proposes:

  1. Improved access to private sector data for the public sector (B2G);
  2. Fairness of data access and use in business relationships (B2B);
  3. New rules allowing customers to effectively switch between different cloud data-processing services providers.

The EU inter-institutional negotiation: plenty of changes on the plate

The inter-institutional negotiations within the Council of the EU and the European Parliament already started in the past weeks.

As far as the European Parliament is concerned, it endorsed the allocation of competences between its committees on 30 June, after more than four months of internal discussions and bounces. In the final shape, the competences have been attributed as follows:

  • MEP Pilar del Castillo Vera (EPP, ES) in the Industry, Research and Energy (ITRE) Committee is in charge of drafting a report.
  • Adam Bielan (ECR, PL) in the Internal Market and Consumer Protection (IMCO) Committee has shared competences on the entire file, plus exclusive competences on Articles 23, 24, 25 and 26, as well as Recitals 70 until 76.
  • Sergey Lagodinsky (Greens, DE) in the Civil Liberties, Justice and Home Affairs (LIBE) Committee has exclusive competences on Articles 1(3), 1(4), 4(5), 5(6), 5(7), 5(9), 6(1) (only on the caveat for the protection of personal data), 6(2b), 16(2), 18(5), 19(1b), 31(2a), 32(3) (only on specific cooperation mechanism of the GDPR), 33(3) and 33(4). The committee also shared competences on Articles 1-6, 8-12, 14-19 and 31-32.
  • Ibán García del Blanco (S&D, ES) in the Legal Affairs (JURI) Committee has shared competences on the entire file, plus exclusive competence on Articles 4(3), 4(6), 5(5), 5(8), 8(6), 17(2)(c), 27(3) sub-paragraph 2, 35 and 37, as well as the last sentence of Recital 63 and Recital 84.

The ITRE Committee’s rapporteur submitted her draft report in mid-September. Over 1000 amendments were submitted which will change the text significantly. MEPs have most concerns about trade secrets, IP rights, personal data protection, administrative burdens as well as biometrics. Originally, the Data Act aimed to manage the sharing conditions for the data generated by any connected device, except for products that are designed to display or play content, including smart TVs and smartphones. However, some members of the European Parliament, featuring MEP Mituța (RE, RO), found that these products should be included if they function as an Internet of Things (IoT) product, for instance, when it calculates distance or speed. This is a significant change in the scope of the legislation.

Additionally, in her report, del Castillo also made a distinction between raw data, i.e. data as it is collected, and prepared data, i.e. data that was processed to make it more “comprehensible”, specifying that the Data Act only covers the former. For some other MEPs, like MEP Boeselager (Greens, DE), the definition of data holder should be extended to all parties with a contractual right to use the data. He is also vocal about the idea to monetize the non-personal data of users. At the same time, MEP Melchior (RE, DK) stresses that the boundary between personal and non-personal data should be clarified, and also the definition of the different data types should be better defined.

Furthermore, the Commission merged the data holder and the product manufacturer but there is an ask from the European Parliament to differentiate. MEP Niebler (EPP, DE) wants stronger protection of trade secrets by requesting safeguards to be agreed upon in the contract and taken before any data-sharing takes place. Moreover, in the European Commission’s proposal, tech companies that are designated as gatekeepers under the Digital Markets Act are excluded from benefiting from the data-sharing provisions of the data law. MEP Mituța prefers to extend the ban to all companies with a dominant position in the data market. With regards to public access to private data, some MEPs would like to see an extension on when privately-held data can be shared. Others propose to reduce the scope of this part merely to industrial data. Notably, the LIBE Committee’s rapporteur would like to entirely delete Chapter V on mandating data sharing, referring to warnings about the protection of personal data and fundamental rights.

The EP Committees still have to vote on their opinions and report, so further changes are still expected to come.

On the side of the Council of the EU, the Member States are moving much faster, with a new compromise text being tabled for discussions within the Council’s Telecommunications and Information Society Working Party in end-October and early November, explicitly referring to common European data spaces, providing a framework for sharing or jointly processing data related to a specific sector like health or transport. Competent national authorities are also mandated to promote voluntary data-sharing agreements between public and private actors. They also clarified the protection of trade secrets and the definition of the data holder.

Stakeholder reactions

Because the proposal is a horizontal legislation impacting different sectors, many stakeholders have been attempting to influence the legislative process and contribute with their views. While some organizations welcomed the text and proposed to expand the data access rights to more users, others warned that the regulation lacks horizontal specifications and common methodologies for data sharing. As evidenced during the Breakfast webinars (I, II and III) organized by Dr2 Consultants together with policymakers and testimonials from the transport and sustainability sectors, the obligation to share data might actually end up in a loss of competitiveness for the European industry, leading to unintended consequences.

EU Data Policy Services

Next steps

Under the new Swedish Presidency, Stockholm indicated that there are difficulties to find agreement on SMEs exemption, B2G data sharing and trade secrets. The paper was presented at the first Working Party meeting on 10 January 2023. Other member states are asked to provide feeback on these issues. A next compromise text is foreseen for 31 January 2023.

While, the ITRE Committee will vote on its report on 9 February 2023, with a plenary vote scheduled for the following 13 March 2023. However, given the diverging stakeholder reactions and the options tabled within the Council working parties, the draft text is still a malleable piece of legislation, potentially prone to plenty of changes. The Data Act and its trilogue negotiations are not expected to be finalized before Spring 2023.

What’s the objective of the European Data Act?

Complementing the Data Governance Act, which aimed to increase trust and facilitate data sharing across the EU and between sectors, the Data Act’s core objective is to put users and providers – large and small – on more equal footing in terms of access to data. Concretely, Dr2 Consultants expects every actor that contributes to the generation of data should be able to access said data. This means that users will get standard access to the generated data on any of their integrated tools. These could be virtual assistants, connected home appliances and so forth. The data should be easily and freely accessible and shareable with third parties.

The proposal is based on the results of an open public consultation carried out by the European Commission in 2021, which showed that an EU action is needed on business-to-government (B2G) data sharing for the public interest, especially for emergencies and crisis management, prevention and resilience. For the past three months, the Commission has been working to address certain concerns regarding the necessary legal clarity to B2G data sharing. In the proposal, the Commission appears to have tried to limit mandatory B2G data sharing to cases in which an ‘exceptional need’ exists.

What implications will the European Data Act have for your business?

A piece of horizontal legislation, the Data Act will apply to device manufacturers, providers of digital services and connected products (such as ‘the Internet of Things or IoT) as well as public authorities in the EU. Dr2 Consultants advises businesses to pay close attention to the developments in the coming months.

The proposed legislation mandates data sharing requirements to allow data sharing among businesses, public authorities and users. SMEs are exempted from these obligations, but overall the requirements imply that the European Commission has opted for a one-size-fits-all solution that compels all businesses to adapt.

Certain limits will be put in place to guarantee that third party access to shared data remains safe and harmless to the parties involved. This entails agreed upon measures to protect confidentiality, privacy and trade secrets as well as restrictions of the use of the data by market competitors of the data holder.

Neither data holders nor third parties will be allowed to influence or prevent the user’s data sharing behaviour in any coercive, manipulative or technical way. Only micro and small companies will be excluded from these strict guidelines if they’re independent from other companies. In particular, providers with a significant position in the market will be labelled as gatekeepers within the market. Such actors will be subject to more specific restrictions, as third parties are not allowed to share data with these gatekeepers, nor are gatekeepers allowed to request access to these data.

Specific attention goes out to the risk of non-EU countries gaining access to data. The European Data Act goes beyond current restrictions regarding the transfer of personal data outside the EU by extending such restrictions to non-personal data. Only when an international agreement is in place will court orders from third countries be adhered to. This is relevant keeping in mind the ongoing efforts of the US and the EU to reach such an agreement.

Furthermore, the draft sets out provisions to ensure interoperability and cloud switching and safeguards for international data transfers. The previous SWIPO initiative for cloud-switching was deemed insufficient for this purpose as the Commission now opts for binding measures. The goal will be functional equivalence when moving software to another cloud platform. This means required compatibility of interfaces and platforms with all other services. Proper interoperability is essential for fair competition to function in the digital data market. To realistically strive for interoperability, a degree of harmonized standards among cloud services will be necessary. European standardisation organisations will be approached for this purpose, possibly accompanied with a mandatory implementing act if necessary.

What does the European Data Act mean for you?

Because of the targets of the proposed regulation, which range from service providers and gatekeepers to device manufacturers, companies and public authorities, the Data Act will have implications of data sharing, interoperability standards and cloud switching for many industries and sectors of the society.

Dr2 Consultants closely follows legislative developments regarding the Data Act and other data-related policy issues. Thanks to its expertise and wide range of clients in the digital sector, Dr2 Consultants is expertly placed to assist your company in identifying the impact of and leveraging the opportunities offered by the Data Act.

Would you like to know more about how your organization can make the most out of the data regulation? Subscribe to Dr2 Consultants’ newly launched service for EU data-related policies, or get in touch with our Managing Partner Jasper Nagtegaal.