About a year ago, Margrethe Vestager, the EU’s executive vice-president for a Europe fit for the Digital Age, was unveiling the European Commission’s Data Act proposal. The draft regulation proposes harmonized rules on fair access to and use of data to increase the growth and innovation potential that rests on industrial data in Europe — 80% of which is not used, according to the European Commission.
“We want to give consumers and companies even more control over what can be done with their data, clarifying who can access data and on what terms,” Vestager said. Commissioner for Internal Market Thierry Breton added at the time, “the Data Act will ensure that industrial data is shared, stored and processed in full respect of European rules. It will form the cornerstone of a strong, innovative and sovereign European digital economy.”
One year into discussion on this proposal, the text is about halfway through the legislative process. Last week, the European Parliament’s Industry, Research and Energy Committee adopted its draft report. The council has gone through several iterations of the text and is now relatively close to reaching its own internal political agreement — the so-called "general approach." Once it does, the EU institutions will kick off the trilogue negotiations to land on an agreement on the final text to become law.
Where the Data Governance Act was about creating a mechanism to enable the safe reuse of public sector data, the Data Act aims to “ensure that users of a product or related service in the Union can access, in a timely manner, the data generated by the use of that product or related service and that those users can use the data, including by sharing them with third parties of their choice.”
Among others, the Data Act proposal looks at the following aspects:
- It would adapt contract law to “prevent the exploitation of contractual imbalances that hinder fair data access and use for micro, small or medium-sized enterprises.”
- It would require of data holders to make data available to public sector bodies, where there is an exceptional need for public interest.
- It would facilitate switching between data processing services and enhance interoperability, in particular for cloud services.
While directed primarily at nonpersonal data, the Data Act will raise numerous compatibility questions with well-established privacy obligations under the EU General Data Protection Regulation — and the e-privacy directive to some extent — in particular as mixed data sets are concerned. Among the areas to watch are how the Data Act will intersect with a.o. legal basis for processing and purpose limitation, data minimization, processing of sensitive data, data protection by design/by default, as well international data transfers.
To end on a lighter note, the IAPP is in full swing as it gets ready to launch a new year of conferences for all the privacy pros out there, starting with Data Protection Intensive: UK (March 8-9), Data Protection Intensive: France (March 14-15) and the Global Privacy Summit (April 4-5). We look forward to seeing many of you there!