Stockholm put forth a new compromise on the Data Act, obtained by EURACTIV, touching on scope, trade secrets, business-to-government (B2G) data access, international transfers, and compensation, among other things.
On Wednesday evening (24 January), the Swedish presidency of the EU Council circulated a new compromise on the Data Act, a proposed data law regulating how data is accessed, ported and shared.
The Swedes requested written and oral comments from other member states on the central questions still open, providing a list of options. The new text will be discussed at the EU Council’s Telecom Working Party (WP) next Tuesday.
“To clarify the process ahead, following the discussions in the WP, the Presidency will ask the delegations to provide feedback on any remaining priority by [3] February 2023,” reads the document, pointing to the intention to close in on the file in the coming weeks.
Scope
The Data Act introduces the principle that users of connected products should have the right to access the data they contributed to generating, as well as the metadata necessary to interpret and use such data, and to share it with a third party of their choice.
However, which type of data should be covered by the data law has been a controversial point. The new compromise notes that “to better define the material scope of the Data Act, it was decided to focus on the functionalities of data instead of products”.
In particular, the text focuses on the pre-processed data automatically generated by the sensors embedded in the connected products like vehicles, home and lifestyle equipment, rather than the products themselves.
Moreover, the definition of data generated by a product or a related service was amended to exclude data generated for displaying content and data recorded using apps other than those strictly related to the product.
Trade secrets
Another pain point is ensuring that the shared data respects the trade secrets of the organisation providing it.
When the original organisation identifies data or metadata that entails trade secrets, the users or the relevant third party should take all the technical and organisational measures to protect them.
The provisions mandating these protection measures have been strengthened, giving the original organisation the right to request compensation if they are not respected.
Business-to-Government
How the Data Act can be made proportional for small and medium-sized enterprises (SMEs) has been another point of discussion in the EU Council. A particularly demanding task relates to the fact that the legislation enables public bodies to request access to privately held data (B2G) under specific circumstances.
Initially, micro and small enterprises were excluded from this B2G obligation. However, the latest compromise makes the micro and small enterprises subject to this obligation only to respond to a public emergency like a pandemic. But, unlike larger businesses, they could ask for compensation.
International data transfers
The proposed law includes restrictions for cloud services for the transfer of non-personal data to a third country and related access from the judicial authority of a foreign jurisdiction.
A new article on contractual transparency obligations on international access and transfer has been added, requesting that cloud services publish on their websites the physical location of their digital infrastructure and the measures put in place to prevent foreign governments’ access to EU non-personal data.
The compromise clarifies that national authorities should be involved whenever there is a judicial order to access data that might affect the national security or defence interests of the EU or its member states.
Interplay with the GDPR
As EURACTIV revealed last week, the need to clarify the relationship between the Data Act and the General Data Protection Regulation (GDPR), the EU’s privacy law, was a crucial remark from Germany, which lamented the lack of possible overlaps and inconsistencies between the two EU laws.
The text states that the regulation does not recognise or create any legal basis in accordance with the GDPR for processing the generated data. Moreover, the organisations concerned by the Data Act’s data-sharing obligations were expanded to public sector bodies.
When a public body requests a data set that includes personal data, the Swedish presidency proposes that the competent data protection authority be informed without delay.
Compensation
The organisation holding the data would have to agree on a reasonable compensation with the organisation receiving it, provided that it is a business and not a consumer.
The Commission recently published a study on what might be deemed ‘reasonable’ compensation. Some of its elements were included, like the costs incurred, the investment required to make the data available, and a margin.
Moreover, the presidency wants the Commission to issue guidelines on calculating such compensation.
Cloud switching
The Data Act also introduces measures to facilitate the switching from one cloud provider to the other. The compromise stresses that the nature of the obstacles might be pre-commercial, commercial, technical, contractual or organisational.
The technical steps of the switching process and the rights and obligations of the different parties have been elaborated.
Contractual fairness
The original proposal included a ‘fairness check’ for contracts related to the regulation’s data-sharing obligations between SMEs and larger companies. This measure has been broadened to all contractual arrangements, regardless of the size.
[Edited by Nathalie Weatherald]
Source: Euractiv.com