A view from Brussels: The implementation challenges of the EU Data Act

Brussels has enacted a package of rules in recent years specifically geared toward facilitating data reuse and sharing, with the obvious and well-meaning intent of creating more value out of it.

Indeed, the European Commission estimates that 80% of industrial data in Europe is never used. By making data available for reuse, it hopes to help create 270 billion euros of additional gross domestic product by 2028.

The EU Data Act, which becomes applicable 12 Sept., is geared toward that objective. It creates new rules on who can access and use industrial data generated by connected products in the EU across all economic sectors.

The effectiveness of the Data Act against this objective, alongside that of the Digital Governance Act and data spaces rulebooks, will need to be assessed over time. The European Commission is due to evaluate its impact in three years at the latest.

In the meantime, the focus is on navigating the implementation challenges it raises for digital governance professionals.

From a legal compliance perspective, the Data Act introduces restrictions on international transfers of nonpersonal data with an ambition to protect trade secrets, business confidential information and intellectual property. In cases in which the transfer conflicts with EU or member states law, the Data Act requires "reasonable technical, legal and organizational measures to prevent the international transfer of or governmental access to non-personal data held in the EU."

A European Commission-led expert group drafted model contractual terms for data sharing and standard contractual clauses for cloud computing contracts. "MCTs and SCCs are non-binding, voluntary and have been drafted so they can be adapted by the parties according to their contractual needs," according to the 183-page final report.

In the same vein, the Data Act implementation builds on the existing EU digital rulebook. It may focus on industrial data but the frontier between nonpersonal and personal data is porous and the articulation with the EU General Data Protection Regulation comes into play in a couple ways. The articulation of Data Act obligations and GDPR provisions on anonymization, data minimization, legal basis for processing and data transfers per the above could prove challenging to square in contractual negotiations.

Several hurdles also emerge at a technical level, from adapting existing data governance frameworks to implementing workflow approval schemes for data requests — and ensuring their alignment with data sharing obligations that may emerge under the Data Governance Act or sectoral laws such as the European Health Data Space. The costs associated with making data available, including technical infrastructure investments, can be substantial, particularly for smaller organizations that may lack existing data-sharing capabilities.

Last but not least, the Data Act includes provisions on cloud switching to "promote competition and choice on the market while preventing vendor lock-in." The expert report details the conditions and timeline laid out in the Data Act. For example, the maximum notice periodfor initiating the switching process is eight weeks, while the default transitional period to execute the switching is 30 days maximum — up to seven months if "switching is technically unfeasible." But a lot of questions are left for debate, including about the monetary compensation schemes that could be established.

Friday, 12 Sept. is also the deadline for member states to edict national rules on penalties in case of noncompliance. The Data Act recommends penalties should be "effective, proportionate and dissuasive" and consistent across a range of tools including financial penalties, warnings, reprimands or orders, to bring business practices into compliance.

Isabelle Roccia, CIPP/E, is the managing director, Europe, for the IAPP.