The EU's Proposed Data Act: Unease about the Flow
The Data Act (DA) proposed by the European Commission aims to prevent the growing asymmetry between companies—mostly SMEs—in access to data. The new regulations, apart from targeting device manufacturers, also affects users and other companies that handle data generated when using certain devices, especially those generated by “smart” objects (i.e., connected to a network and communicating with each other, such as cars and household appliances) or stored in the cloud. However, the proposed solutions raise doubts in the context of personal data protection, trade secrets, and competition on the EU market.
On 23 February, the Commission (EC) presented a draft regulation on harmonised rules on fair access to and use of data (Data Act). Along with last year’s Data Governance Act, the Data Act forms the main pillar of the European Data Strategy. It is a response to the challenges of the digital economy related to the exponential growth of the amount of generated data with the simultaneous concentration of profits by a few data-driven companies (mostly non-European). The aim of the Data Act is to increase competitiveness in the EU in this area and open up development opportunities for small and medium-sized enterprises (SMEs), as well as to improve the quality of services for consumers.
Content of the Data Act
The act aims to facilitate the flow of data by specifying the conditions for data transfer in the private sector and between companies and the public sector in order to create a genuine data single market in the EU.
The act imposes a number of obligations on manufacturers of devices connected to the internet (as part of the Internet of Things, or IoT, concept), providing users with access to the data they generate, including in order to share the data with other entities. For example, Amazon’s Alexa voice assistant would be able to order products for users from other platforms. The owner of a smart washing machine can choose a service technician other than one designated by the manufacturer who will have access to the necessary information to perform the service. The aftermarket for the automotive industry sector (including autonomous vehicles) would function similarly. The obligation to provide data does not apply to the smallest enterprises. Access to information will not be granted to companies classified as “gatekeepers” (the largest online platforms defined in the Act on Digital Markets). Both limitations are intended to prevent the widening of the asymmetry in access to data between the global technology companies and the rest of the market. The EC forecasts that by 2030, IoT-related services and products may reach a global value of around $5.5-12.6 trillion.
The act also provides for easier and cost-free change of cloud service providers (and similar data-processing services). Providers will have to ensure the technical and legal portability of user data to other entities. According to the Commission’s calculations, more than 500,000 EU companies have unfavourable contracts now in force with providers of cloud solutions and experienced a decrease in turnover or profits under them.
The Commission also proposes to protect micro-enterprises and SMEs from the disadvantageous unilateral imposition of data-sharing conditions (e.g., data use, liability) by companies with a competitive advantage. It introduces criteria for recognising contractual clauses as unfair and thus non-binding. The act also assumes access by public authorities of the Member States to private sector data, including the possibility of their use in exceptional circumstances, such as natural disasters or armed conflicts.
Challenges for the Introduction of the Data Act
In its current form, the proposal presents a vision that may prove problematic to implement in practice, as it is difficult to reconcile with other binding norms in the EU.
The first thing that draws attention is a potential conflict with the assumptions of the GDPR. The EU regulation on the protection of personal data aims to limit processing such data, while the Data Act moves in the opposite direction. Although the content of the data proposal repeatedly emphasises its compliance with the GDPR, mere references to the regulation in the EC proposal will not solve all of the difficulties that may arise in practice, such as delineating the boundary between personal and non-personal data. The Data Act text distinguishes these two categories, but due to the tendency to extend the protection of personal data, separation of the types may prove problematic, especially since not all data can be anonymised or pseudonymised (disguised in reversible form) for the purposes of the services provided. For example, non-personal data from a car’s navigation system in conjunction with the personal data of its owner processed by the service technician can provide extensive knowledge about the user’s habits, place of residence, and so forth. Another challenge for businesses may be the adaptation of documentation on the processing of personal data adopted in connection with the GDPR to the new realities.
Less frequently discussed, but of no less importance, is the issue of the influence of the Data Act on competition in the EU internal market. On the one hand, the proposal should be in line with EU competition rules. This is because the act limits the possibility of companies to abuse their dominant position by forcing them to share information. Sharing data also can hardly be considered concerted practice, which is usually prohibited by EU law (as such practice distorts competition in the common market through, e.g., price fixing, limiting or controlling production or technical development)it contributes to the improvement of product distribution, supports technical and economic progress, and does not lead to the elimination of competition. On the other hand, the reluctance of enterprises to disclose data containing their business secrets and know-how may be a problem as it risks a loss of competitive advantage. Sharing data as demanded by the Data Act may also require mass verification and adjustment of previously concluded confidentiality agreements (e.g., with manufacturers of elements used in the production of a given device).
The proposed “reasonable compensation” for entities collecting data for sharing at the user’s request also may be widely discussed so that it does not turn into a fixed fee for the transfer of data, which is against the intentions of the Commission, but only covers the costs of their reproduction or delivery.
Conclusions and Recommendations
Unlocking the potential of European private sector data requires a number of practical challenges in the negotiation process. The Data Act may bring benefits for EU consumers, but it also will require certain concessions, above all consent to wider processing of their personal data. Greater choice between service technicians may be associated with benefits such as faster troubleshooting of equipment in a more convenient location, but the Data Act will not prevent the loss of the manufacturer’s warranty in case of intervention by another supplier.
A compromise could ensure voluntary and cost-effective data sharing, especially in areas of strategic importance for the European high-tech industry (e.g., automotive, household appliances, smart home and city solutions). This would require, in addition to creating a general regulation, the delineation of sectoral rules for data-sharing. This would deepen collaboration and complement existing initiatives such as the Catena-X (a data space developed by several German automotive companies), which was based on guidelines developed by the International Data Spaces Association.
Large European companies that produce IoT (household appliances and electronics, but also the automotive industry) may criticise the risk of disclosing trade secrets and losing their competitive advantages, particularly if customers massively transfer data from one manufacturer to a competitor. Countries including Germany, France, and Italy, where the largest European IoT producers are located, may try to reduce the obligations of these companies.
European micro-enterprises and SMEs may be among the biggest beneficiaries of the Data Act, as it will open up the data market for them. Uniform rules for sharing information and safeguarding against abuse by stronger entities will have a positive impact on their development prospects. For Poland, this would mean an improvement in the operating conditions for companies offering IoT solutions, including in the household appliances sector (about 35% of European production comes from Poland). An area of increasing competitiveness is the European cloud market, which until recently was dominated by just three American companies (Google, Amazon, Microsoft combined had 70% of it), is also promising.