The European Union’s Data Act, a legislative resolution decisively passed by the European Parliament on November 9, 2023, represents a transformative approach to regulating the data economy within the EU. Its enactment is currently awaiting the European Council’s approval.
The Act targets the intricate relationship between data generation, access, and use, particularly from connected products and services. Its scope is vast, impacting various stakeholders from individual users to large corporations, and spanning across multiple legal domains.
- The Act’s primary goal is to facilitate user access to data from smart devices, addressing the underutilization of such data, as highlighted by the European Commission (which notes that 80% of such data is currently unused).
Note: “Connected products and services”: Those products and services that generate data through connectivity and data processing capabilities. Essentially, these are products and services that can connect to the internet (or other networks) and can collect, transmit, or process data.
Includes a wide range of modern digital and electronic devices, from smartphones and smart home devices to connected vehicles and IoT (Internet of Things) devices, along with the services associated with or enabled by these devices.
B. Overview of the Data Act:
1. Scope and Objectives: This regulation primarily focuses on data generated via connected products or services. Its objectives are to empower users, stimulate innovation, and safeguard public interests in the digital landscape.
2. Data Access Rights: A cornerstone of the Act is granting users the right to access, utilize, and share their data. Data holders are obligated to facilitate this access transparently and fairly.
3. Data Design and Information Requirements: The Act mandates that connected products and services be designed to enable easy data access and usage. It also requires providers to inform users about the nature of data generated and the methods to access it.
4. Data Use and Sharing Regulations: The Act clarifies legal frameworks for data use and sharing among various entities, including restrictions to prevent the misuse of data in ways that could harm users’ commercial interests.
5. Complementary to Other Legal Acts: It aligns with existing EU laws on data protection, privacy, intellectual property, consumer protection, and competition, providing a holistic legal framework.
6. Protection of Trade Secrets: Provisions are made for data holders to require confidentiality agreements, safeguarding trade secrets.
7. Limitations on Data Use: Users and third parties are restricted to lawful data use and prohibited from using data to develop competing products or for profiling, except when necessary.
8. Exclusion of Gatekeepers: Certain entities, designated as gatekeepers, are barred from accessing users’ data, promoting fairness in the digital market.
9. Exemptions and Fair Contract Terms: The Act provides exemptions for micro and small enterprises and invalidates unfair contractual terms.
10. Data Requests in Exceptional Circumstances: Outlines conditions under which public sector bodies and EU entities can request data during emergencies.
11. Public Sector Data Access: Sets specific conditions and procedures for public sector data requests based on exceptional needs.
12. Compensation and Data Sharing Rules: Details when and how data holders are compensated for data provision and the conditions for sharing data for research or statistical purposes.
13. Switching and Interoperability in Data Services: Emphasizes the need for data service providers to support easy switching between services and ensure interoperability.
14. Smart Contracts and European Data Spaces: Establishes standards for smart contracts in data sharing and promotes interoperability within European data spaces.
15. Regulating Non-Personal Data Access by Third Countries: Addresses how non-personal data in the EU can be accessed by third-country authorities, with safeguards against unlawful access.
16. Artificial Intelligence Development Concerns: References concerns by notable business leaders regarding the potential risks of AI model training.
17. Obligations in Exceptional Needs Cases: Outlines specific obligations of data holders and requesting entities in exceptional situations, including compensation and stipulations for data sharing.
18. International Data Processing and Access: Specifies requirements for data processing service providers, particularly concerning access by third-country authorities.
19. Enactment and Application: Details the regulation’s entry into force and its varying application dates.
C. Industry Reactions and Challenges:
(i) Smart Contract Clause Concerns:
A notable feature of the Act is the requirement for smart contracts to be capable of termination or interruption, a provision that has sparked debate.
- The clause’s broad and unclear definition regarding the interruption or termination of smart contracts has drawn criticism.
- Blockchain advocacy groups and crypto firms have raised alarms, fearing that smart contracts on platforms like Ethereum might conflict with this new law.
(ii) Objections from U.S. Digital Platforms:
- The Act extends the ‘gatekeeper’ classification from the Digital Markets Act (DMA), limiting these entities from using the right to transfer data to other gatekeepers. This has been perceived as unfavourable to U.S.-based cloud providers, hindering data portability for European users between large American platforms.
(iii) European Business Groups’ Concerns:
- BusinessEurope (represents businesses of all sizes in the European Union) and VDMA (Verband Deutscher Maschinen- und Anlagenbau, known in English as the German Mechanical Engineering Industry Association) advocate for maintaining contractual freedom in data sharing, suggesting that it should be voluntary in a business context.
- German giants SAP and Siemens caution that mandatory data sharing provisions could negatively impact European competitiveness by forcing the sharing of sensitive know-how and design data.
- A coalition of 30 trade associations urges caution, recommending that the Act’s provisions be tested under real-world conditions to avoid unforeseen economic impacts.
(iv) Universities and Research Sector:
- Academic institutions are advocating for improved access to industrial data for research, along with additional policy revisions.
- The Act has been critiqued for not adequately meeting the research community’s needs, emphasizing the importance of research enablement and support.
(v) Digital Europe’s Appeal for Reconsideration:
- Digital Europe, an industry representative body, is calling for a halt and reconsideration of the legislation, underlining the necessity for robust safeguards to protect sensitive data, with particular concerns about mandatory data sharing and the potential threat to trade secrets and cybersecurity.
The EU Data Act is a significant regulation in the digital era, aiming to balance the scales of data access, user empowerment, and innovation with the need for security and privacy. As it moves towards implementation, it presents both opportunities and challenges. Policymakers will need to carefully navigate these complexities to ensure the Act fulfils its promise without unintended consequences for the European data economy.