On 23 February 2022, the European Commission published the long-awaited “Data Act”, which is a proposal for regulation to establish a harmonized framework for industrial, non-personal data sharing in the European Union.
The European Data Act will make more data available for use and will set up rules on who can use and access what data, for which purposes across all economic sectors in the EU. According to the Commission, the new rules are expected to create €270 billion of additional GDP by 2028.
In concrete terms, the Commission proposes:
- Improved access to private sector data for the public sector (B2G);
- Fairness of data access and use in business relationships (B2B);
- New rules allowing customers to effectively switch between different cloud data-processing services providers.
The EU inter-institutional negotiation: plenty of changes on the plate
The inter-institutional negotiations within the Council of the EU and the European Parliament already started in the past weeks.
As far as the European Parliament is concerned, it endorsed the allocation of competences between its committees on 30 June, after more than four months of internal discussions and bounces. In the final shape, the competences have been attributed as follows:
- MEP Pilar del Castillo Vera (EPP, ES) in the Industry, Research and Energy (ITRE) Committee is in charge of drafting a report,
- Adam Bielan (ECR, PL) in the Internal Market and Consumer Protection (IMCO) Committee has shared competences on the entire file, plus exclusive competences on Articles 23, 24, 25 and 26, as well as Recitals 70 until 76,
- Sergey Lagodinsky (Greens, DE) in the Civil Liberties, Justice and Home Affairs (LIBE) Committee has shared competences on the entire file, plus exclusive competence on Articles 4(3), 4(6), 5(5), 5(8), 8(6), 17(2)(c), 27(3) sub-paragraph 2, 35 and 37, as well as the last sentence of Recital 63 and Recital 84,
- and Ibán García del Blanco (S&D, ES) in the Legal Affairs (JURI) Committee has exclusive competences on Articles 1(3), 1(4), 4(5), 5(6), 5(7), 5(9), 6(1) (only on the caveat for the protection of personal data), 6(2b), 16(2), 18(5), 19(1b), 31(2a), 32(3) (only on specific cooperation mechanism of the GDPR), 33(3) and 33(4). The committee also shared competences on Articles 1-6, 8-12, 14-19 and 31-32.
Member States on the other side move much faster. Already in mid-July, the Czech Presidency of the Council of the EU tabled a partial draft compromise for discussion within the Council’s Telecommunications and Information Society Working Party of 19 July. During the debates, the scope of the European Data Act was under examination, with for example proposals to delete the mention of “moveable” products, apply the regulation only to a specific list of products, or focus on the types of data generated rather than the type of devices. Restrictions for gatekeepers were also discussed, as well as a reduction of the SME exemptions, and the obligations to make data generated by products more accessible. A second partial compromise text is expected to be discussed on 5 September.
Because the proposal is a horizontal legislation impacting different sectors, many stakeholders have been attempting to influence the legislative process and contribute with their views. While some organizations welcomed the text and proposed to expand the data access rights to more users, others warned that the regulation lacks horizontal specifications and common methodologies for data sharing. As evidenced during the Breakfast webinars (I, II and III) organized by Dr2 Consultants together with policymakers and testimonials from the transport and sustainability sectors, the obligation to share data might actually end up in a loss of competitiveness for the European industry, leading to unintended consequences.
The European Parliament’s committees kickstarted discussions in the second week of September, and on 19 September the ITRE committee had already published its draft report. In a nutshell, the report focuses on broadening the exemptions from small to medium-sized enterprises and ensuring interoperability of cloud switching. However, the other committees still haven’t published their draft opinion.
Amendments to the draft report of the lead ITRE Committee can be tabled until 28 October. However, given the diverging stakeholder reactions and the options tabled within the Council working parties, the draft text is still a malleable piece of legislation, potentially prone to plenty of changes. The Data Act is not expected to be finalized before the end of 2022.
What’s the objective of the European Data Act?
Complementing the Data Governance Act, which aimed to increase trust and facilitate data sharing across the EU and between sectors, the Data Act’s core objective is to put users and providers – large and small – on more equal footing in terms of access to data. Concretely, Dr2 Consultants expects every actor that contributes to the generation of data should be able to access said data. This means that users will get standard access to the generated data on any of their integrated tools. These could be virtual assistants, connected home appliances and so forth. The data should be easily and freely accessible and shareable with third parties.
The proposal is based on the results of an open public consultation carried out by the European Commission in 2021, which showed that an EU action is needed on business-to-government (B2G) data sharing for the public interest, especially for emergencies and crisis management, prevention and resilience. For the past three months, the Commission has been working to address certain concerns regarding the necessary legal clarity to B2G data sharing. In the proposal, the Commission appears to have tried to limit mandatory B2G data sharing to cases in which an ‘exceptional need’ exists.
What implications will the European Data Act have for your business?
A piece of horizontal legislation, the Data Act will apply to device manufacturers, providers of digital services and connected products (such as ‘the Internet of Things or IoT) as well as public authorities in the EU. Dr2 Consultants advises businesses to pay close attention to the developments in the coming months.
The proposed legislation mandates data sharing requirements to allow data sharing among businesses, public authorities and users. SMEs are exempted from these obligations, but overall the requirements imply that the European Commission has opted for a one-size-fits-all solution that compels all businesses to adapt.
Certain limits will be put in place to guarantee that third party access to shared data remains safe and harmless to the parties involved. This entails agreed upon measures to protect confidentiality, privacy and trade secrets as well as restrictions of the use of the data by market competitors of the data holder.
Neither data holders nor third parties will be allowed to influence or prevent the user’s data sharing behaviour in any coercive, manipulative or technical way. Only micro and small companies will be excluded from these strict guidelines if they’re independent from other companies.
In particular, providers with a significant position in the market will be labelled as gatekeepers within the market. Such actors will be subject to more specific restrictions, as third parties are not allowed to share data with these gatekeepers, nor are gatekeepers allowed to request access to these data.
Specific attention goes out to the risk of non-EU countries gaining access to data. The European Data Act goes beyond current restrictions regarding the transfer of personal data outside the EU by extending such restrictions to non-personal data. Only when an international agreement is in place will court orders from third countries be adhered to. This is relevant keeping in mind the ongoing efforts of the US and the EU to reach such an agreement.
Furthermore, the draft sets out provisions to ensure interoperability and cloud switching and safeguards for international data transfers. The previous SWIPO initiative for cloud-switching was deemed insufficient for this purpose as the Commission now opts for binding measures. The goal will be functional equivalence when moving software to another cloud platform. This means required compatibility of interfaces and platforms with all other services. Proper interoperability is essential for fair competition to function in the digital data market. To realistically strive for interoperability, a degree of harmonized standards among cloud services will be necessary. European standardisation organisations will be approached for this purpose, possibly accompanied with a mandatory implementing act if necessary.
What does the European Data Act mean for you?
Because of the targets of the proposed regulation, which range from service providers and gatekeepers to device manufacturers, companies and public authorities, the Data Act will have implications of data sharing, interoperability standards and cloud switching for many industries and sectors of the society.
Dr2 Consultants closely follows legislative developments regarding the Data Act and other data-related policy issues. Thanks to its expertise and wide range of clients in the digital sector, Dr2 Consultants is expertly placed to assist your company in identifying the impact of and leveraging the opportunities offered by the Data Act.
Would you like to know more about how your organization can make the most out of the data regulation? Subscribe to Dr2 Consultants’ newly launched service for EU data-related policies, or get in touch with our Managing Partner Jasper Nagtegaal.