The European Commission published its proposal for a Data Act, the second building block of its data strategy. The first step was the Data Governance Act, legislation adopted at the end of last year that provides a legal framework for sharing non-personal data.

The Data Act is meant to go one step further, introducing binding requirements for manufacturers of connected devices and providers of related services to give users access to the data they create.

"We want to give consumers and companies even more control over what can be done with their data, clarifying who can access data and on what terms," said Margrethe Vestager, the Commission's executive vice president responsible for the digital portfolio.

Data-sharing obligations

The overall principle of the Data Act is that business users and consumers should be able to access, manage and share the data they contribute to creating when using a connected device or a related service, such as a virtual assistant.

Therefore, the providers of these services, defined as data holders, should create by default an interface where users can easily access and manage their data at no extra cost. The users might decide to share that data with a third party, although the data holder might at the same time protect trade secrets and other confidential information.

"Balancing trade secrets or confidentiality (to protect companies' assets) with open access and fostering innovation is complex," noted Charles Helleputte, CIPP/E, and Diletta De Cicco, CIPP/E, head of data practice and associate at Steptoe & Johnson, respectively.

The authorized third party might be an external platform or even a direct competitor of the data holder, to increase competition in the data economy. While these organizations are forbidden from using the obtained data to develop a directly competing product, they will be able to use it to create an alternative service to that of the data holder.

"Half-hearted attempts at creating new business models around the data generated by their products will likely fail because there will be companies who will use this data in an innovative and creative way to the benefit of the customers," Jens Schefzig, a partner at law firm Osborne Clarke, said.

Measures against dark patterns have been included to prevent third parties from extorting consent to data sharing. Similarly, data holders should not overcomplicate data sharing with technical or excessive information requests.

The proposal excludes the online platforms designated as "gatekeepers" under the Digital Markets Act from being authorized third parties. The EU executive seems determined to prevent Big Tech companies and the like from further concentrating data.

Public emergencies

Under exceptional circumstances, public bodies might require access to data held by private companies to respond to a public emergency, such as a terrorist attack, health crisis or natural disaster. This definition does not cover day-to-day law enforcement.

The request would be proportionate and limited to the urgent need, and the public body would not retain the data. If the request requires the disclosure of personal data, the data holder should make best efforts to anonymize it as far as is compatible with the request.

"This provision is intended for exceptional scenarios and requires compensation and is subject to a genuine proportionality test. It is very difficult to determine if such a provision would have a strong practical significance," Schefzig said.

Micro, small and medium-sized companies

The draft law includes special provisions for SMEs, mainly to prevent data holders from unilaterally imposing unfair contractual terms. The burden of proof is shifted to the data holder, which must show before a court or conflict resolution body that the terms are reasonable and non-discriminatory.

Moreover, the cost of providing data to SMEs should not exceed the actual administrative cost. Micro and small companies are exempted from all the data-sharing obligations, including requests from public bodies, unless a larger entity controls them.

Winners and losers

An initial draft of the Data Act was leaked earlier this month. Industry reaction was swift and vehement: the very next day, trade associations started coordinating a reaction letter that called for economic incentives rather than binding obligations.

"The Data Act proposal is well-intentioned but in need of improvements," said Alexandre Roure, public policy director at the Computer & Communications Industry Association, one of the promoters of the letter.

Whether the data-sharing obligations will benefit or damage an organization will depend on its position in the supply chain. Suppliers, maintenance companies and complementary service providers will provide better services or even invent new ones based on the increased access to data.

By contrast, manufacturers or service providers of Internet-of-Things products would lose their monopoly over user-generated data and face stronger competition. This clash has particular resonance in one of Europe's most vital sectors, automotive.

The automotive case

The amount of data produced by connected cars has increased exponentially in recent years and is expected to explode as vehicles become more and more digitalized. However, suppliers and consumers in the automotive industry have lamented that vehicle manufacturers act as gatekeepers for that wealth of data.

"When I buy a car, I'm also the owner of the data it is gathering while it's in my possession, and it shouldn't be the car manufacturer," MEP Tom Berendsen said. For the lawmaker, the European paradigm should empower people and small businesses instead of the American approach based on large platforms and the Chinese system centered around the state.

On the other hand, carmakers argue that the track record of the automotive sector shows that fair contractual arrangements for data-sharing are the norm, and any intervention in this sense would disrupt these best practices.

"We fear that the regulatory approaches will interfere too much with well-functioning data relationships between industrial partners and cause uncertainty and burdens for innovative mechanical engineering companies. For Industry 4.0, the Data Act could thus prove to be a disservice," Hartmut Rauen, deputy executive director of trade association VDMA, said.

"What we want is that users have a choice and can benefit as well. That it's not a one-way street," Laurianne Krid, director general at Fédération Internationale de l'Automobile, said.

For Krid, the Data Act is needed because the EU General Data Protection Regulation has proved insufficient to guarantee consumers' freedom to choose with data portability.

Personal and non-personal data

"The Data Act proposal addresses a fundamental shortcoming of EU law. So far, non-personal data has been considered merely an invisible externality of other processes, which ignores the economic reality that access to data is a key source of profit and of market power," MEP Damian Boeselager said.

The Data Act is just another milestone in the European Commission's strategy to build a Schengen area for data, notably by unleashing the untapped potential of vast amounts of industrial data that are currently not being used.

"The European Commission might think that while Europe has lost the race with regard to business models based on personal data, it still has a chance with regard to business models based on non-personal data," Osborne Clarke's Schefzig said.

At the same time, the Data Act will interact with several EU laws, from the GDPR to the database directive. Legal compliance with data-sharing obligations and data protection rules might prove challenging, as the line between personal and non-personal data is not always clearly defined. Moreover, the process of anonymization has been considered challenging to execute.

"Fitting GDPR together with the Data Act will turn out to be a challenge," Lindholm said. "At the moment we're seeing a trend of rather expansive interpretation on practically all central concepts of GDPR. Many actors who will have to accept obligations from the Data Act (on data sharing) will also have to carry the uncertainty around the interpretation of GDPR."

At the same time, Helleputte and De Cicco emphasize the Data Act largely draws from GDPR concepts such as user control over data, data portability and conditions for international data transfers.

International data transfers

The draft law requires data processing services, namely cloud service providers, to take all reasonable steps to prevent government access to or transfer of non-personal data that would breach EU or national law.

Access to data by foreign authorities and courts would only be allowed if based on an international agreement. The ordering country would also need to fulfill certain conditions, and only the minimum amount of data permissible could be shared.

In other words, conditions similar to those established for personal data due to the "Schrems II" ruling would apply to industrial data in the future. While until now, not processing personal data was a way to escape the EU rules on international data transfers, that would no longer be true once the Data Act is in place.

"Keeping data in geographical silos is a definite theme of the decade and can be challenging for organizations to implement in practice," warned Elle Todd, a partner at Reed Smith.

Potential risks

Detractors of the proposal point to the fact that it relies excessively on the good faith of third parties, as the legal implications if someone violates the trade secret protections are immediately evident. In addition, the access to data might be used to reverse engineer the software and, potentially, identify vulnerabilities.
