After much anticipation, the European Commission published its draft Data Act on Wednesday, which sets a raft of new rules for data sharing and forms part of the European Union’s strategy to make the bloc a leader in the data-agile economy.
In a nutshell, the proposed legislation aims to make data sharing and use easier and set a standard at an EU-wide level. It calls for manufacturers to allow owners of connected devices to see what data they are gathering.
"We want to give consumers and companies even more control over what can be done with their data, clarifying who can access data and on what terms," commission Vice President Margrethe Vestager said.
Who does it apply to?
The draft legislation will apply to manufacturers of products and services, such as Internet of Things (IoT) devices and cloud service providers in the EU.
It will also affect users, including businesses and individuals. It would mean these manufacturers and service providers would have to open up their data to the users (including businesses or consumers) that help to create it.
The users will then be able to provide this data to third parties or use it for their own purposes, and may also demand that the data be made available directly to third parties.
But this data sharing must respect trade secrets and not compete with the original holder of the data.
The new rules also mean public and government bodies will be able to request access to privately-held data for public emergencies or legal obligations but not day-to-day law enforcement activities. Such emergencies would include terrorist attacks, pandemics and natural disasters.
Safeguards to prevent access to data from foreign jurisdictions were also put in place.
What does this mean for the EU and Big Tech?
The new legislation also wants to "place safeguards against unlawful data transfer", which could affect US or other foreign companies.
Data disputes between the EU and the US tech giants have been growing since the Edward Snowden revelations of mass US surveillance in 2013. More recently, Meta said it could pull Facebook and Instagram out of Europe over the data transfer debate.
In 2020, the European Court of Justice scrapped the Privacy Shield, a legal basis that allowed companies to carry out transatlantic data transfers, in a decision called Schrems II.
Europe’s top court decided to annul the treaty due to violations of data protection. The bloc's highest legal authority argued the standard does not adequately protect European citizens’ privacy.
As a result, US companies were restricted in sending European user data to the US and have had to rely on SCCs (standard contractual clauses).
The EU and US have said they are working on a new or updated version of the treaty.
“International data transfers of personal data keep all European data protection lawyers busy,” said Dr Jens Schefzig, IT and data protection partner at law firm Osborne Clarke.
He said that providers of Data Processing Services will have to take all reasonable steps to prevent government access to or transfer of non-personal data that would be incompatible with European or national law.
“Access to the data by authorities or courts located in third countries would only be lawful under certain conditions which are similar to the conditions established for personal data in the Schrems II decision,” he added.
“Thus, while not processing personal data was the best escape from the very strict data transfer regulations under the EU General Data Protection Regulation, the Data Act might apply in these scenarios in the future.”
Could it boost European innovation?
The Data Act may have a big impact on Europe’s data economy and could spur innovation.
Schefzig said it offers opportunities and challenges, and it really depends on a company’s business model and its ability to adapt and prepare whether the opportunities or the challenges prevail.
“Companies which rely on data stemming from connected products, like maintenance companies or companies offering complementary services, will have the opportunity to provide better services,” he said.
“It can also be expected that the availability of the data will lead to entirely new business models and indeed trigger innovation in Europe.
“The European Commission might think that while Europe has lost the race with regards to business models based on personal data, it still has a chance with regards to business models based on non-personal data. The Data Act will certainly extend the market for data”.
What are the other key points?
These are some of the other details contained within the Data Act:
1. Products and services should be designed to allow easy accessibility by users.
2. Access to the data will have to be granted without undue delay, free of charge and – where applicable – continuously and in real-time.
3. The data holders shall provide comprehensive information on the data that will be generated when using the product or service.
4. The data holder will upon request by the user provide the data to a third party authorised by the user. The data might have to be provided to external platforms or even competitors.
5. Companies must take steps to prevent access to data from outside the EU.
6. Data shall be made available under fair, reasonable and non-discriminatory terms.
7. One surprising element of the Act is that it would remove current obstacles to switching between cloud services.
When will it come into force?
For now, the Data Act is only a proposal and is likely to be subject to change in the 12-month implementation period from when it is finally approved. It is unclear when this will be.
The commission forecasts the rules would add 270 billion euros to the EU's GDP over the next six years.
The EU's internal market commissioner, Thierry Breton, said the Data Act would unlock "a wealth of industrial data in Europe", adding that much of its potential is still untapped.