On Wednesday (23 February), the EU executive presented its draft for the new data law with only minor changes compared to the proposal leaked by EURACTIV earlier this month.
The Data Act is intended to provide horizontal legislation for sharing non-personal data by introducing obligations to give users access to the data they contribute generating and to ensure public bodies have access to privately-held data under exceptional circumstances.
“The Data Act clarifies who can access and share data and on what terms. It provides legal certainty, and it aims at removing barriers to data sharing,” said Commission digital chief Margrethe Vestager.
The law is intended to introduce measures on cloud switching and mandatory interoperability standards for cloud services. The Commission is also pitching safeguards for international data transfers, following a similar approach to the one used for personal data.
The Data Act aims to impose data-sharing obligations for the manufacturers of connected products and providers of related services. These companies, generally referred to as the ‘data holders’, would have to provide users easy, immediate and free-of-charge access to the data they helped to generate.
Users might decide to share the data with authorised third parties, which however would not be able to use the data to develop competing products. However, competing services have been excluded compared to the leaked draft.
Specific measures have been included to avoid third parties extorting or manipulating consent to data sharing. Moreover, large online platforms designated as gatekeepers under the Digital Markets Act are not eligible third parties.
The conditions for accessing data should be fair, reasonable and non-discriminatory. A fairness test has been included to prevent the imposition of unfair contractual terms to SMEs, which should not be charged for providing data beyond the actual administrative cost.
The draft law gives public institutions the power to request access to data considered essential to respond to public emergencies, such as terrorist attacks and natural disasters. These requests should be proportionate and limited to the crisis they are meant to address.
Micro and small companies have been excluded from these data-sharing obligations.
Following EURACTIV’s leak, industry associations mobilised to push for economic incentives rather than obligations. In fact, the position of the industry is much more articulated.
Companies providing complementary or maintenance services would benefit from increased access to the data generated by connected devices. Meanwhile, the providers of the final product or service would lose the monopoly over the generated data, especially vis-à-vis their supply chain.
Moreover, completely new business models might emerge as a result of the increased data availability.
“Careful balancing against the right to property and freedom to conduct business should not be ignored,” said Otto Lindholm, head of data practice at Dottir Attorneys.
The automotive industry is a case in point where access to data is increasingly felt like an issue given the growing amounts of data cars produce. For suppliers, vehicle manufacturers use their market position to act as ‘gatekeepers’ for accessing car-generated data.
By contrast, carmakers argue that data sharing is already well functioning via contractual arrangements in the sector.
“Today’s proposed ideas of the Data Act (such as an obligation to make data available and an unfairness test) interfere with these positive developments, entrepreneurial freedom and an overall functioning ecosystem,” said Daniel van Geerenstein, deputy head of legal at VDMA, a trade association that includes major carmakers.
Cloud switching and interoperability
Data Processing Services, which are mostly cloud services, fall within the proposal’s scope. The intention is to remove obstacles to cloud switching, for instance, software and applications that have grown in their use of data are locked in with expensive fees.
The Commission’s previous attempt to address the issue with the nonbinding SWIPO codes of conduct was recognised as ineffective.
“Cloud switching requirements should strike the right balance between avoiding vendor lock-in and allowing cloud providers to offer innovative services,” said Emilie Petras-Sohie, IBM Europe’s senior legal and policy manager.
The draft provides that contracts will need to allow switching to another service within 30 days, with full support and continuity of service during the transition. After three years, the so-called ‘exit service’ would have to be provided for free.
Cloud services would have to ensure compatibility with open interfaces or interoperability standards established at the European level.
International data transfers
Adopting a similar regime as per personal data, cloud services will need to ensure appropriate safeguards to prevent international transfers of industrial data or access by a third government that would not be compatible with EU or national legislation.
“The obligations under the EU General Data Protection Regulation, the Schrems II judgement by the ECJ, and the data protection authorities’ guidelines establish a very complex legal situation which makes every transfer of personal data to a third country rather challenging. The Data Act’s proposal might extend this challenge to non-personal data,” said Jens Schefzig, a partner at law firm Osborne Clarke.
[Edited by Nathalie Weatherald]