Brussels is blessed with warm weather these days. Summer is approaching, which may be a strong incentive for Data Act negotiators to wrap things up before the holidays. Indeed, reports show the finish line is in sight, and a deal could be reached by 27 June. The European Commission proposed the Data Act in February 2022. It aims to create new requirements governing the use of and access to data of connected products and related services. The Data Act builds on the Data Governance Act, which entered into force in June 2022 and focused on incentivizing data sharing.
Though less prominent than other open files, the Data Act was subject to much debate. Among other tough issues, negotiators had to agree on what constitutes an "emergency" allowing government agencies to ask for data from business operators. For example, in the case of a natural disaster or pandemic, what are the roles and responsibilities for access and sharing of data from connected products between manufacturers, operators and product owners?
Perhaps what created the most concern is the possible impact of the Data Act requirements on European companies' competitiveness. The European tech sector recently voiced concerns that the Data Act could put them at a disadvantage against non-European competitors that do not have the safe-sharing obligations. They also fear that trade secret safeguards might be too weak. Talks have also addressed the role of the Data Act in the competitive environment for cloud services in Europe. EU Commissioner for Internal Market Thierry Breton sees the Data Act as a way to "reduce Europe's dependence" on non-European cloud solutions, while European industry has criticized the negative impact the Data Act would have on contractual freedom.
The IAPP developed a timeline to help privacy professionals track the ongoing legislative proposals.
Here is what else I am looking at this week:
Get out your calculators! The European Data Protection Board formally approved new guidelines on calculating administrative fines under the EU General Data Protection Regulation. The draft guidelines were published in May 2022 and were open to comments during a six-week period. Comments submitted by stakeholders at the time are available here. The version adopted this week details a five-step approach of analysis, evaluation and calculation, noting that "the calculation of a fine is no mere mathematical exercise. Rather, the circumstances of the specific case are the determining factors leading to the final amount."
Next week, the IAPP goes to Rotterdam to host its Data Protection Intensive: Nederland 2023. Aleid Wolfsen, chair of the Netherlands' Data Protection Authority, will open the conference, perhaps sharing his insights on the ongoing process to amend some parts of the Dutch GDPR Implementation Act. The DPA also joined several of its counterparts in taking a closer look at OpenAI's ChatGPT and asked for clarification about, among other things, the handling of personal data when training the system.