Not everyone’s a fan
The European Union’s member states have agreed a “negotiating mandate” as the basis for talks on the Data Act. The Data Act is a horizontal European regulation and the second main legislative initiative following the Data Governance Act, resulting from the European Data Strategy. Its purpose is to define fair access, the uses of data, who can create value from it and in what circumstances. Published by the European Commission in February 2022, the Data Act was adopted by the European Parliament by April that year. The aim is to bring it into force from September 2023. The intention behind the Act is to remove obstacles preventing the movement of data between businesses by regulating “the rights and obligations of all the economic actors involved in sharing data from internet of things (IoT) products”.
Negotiations are to start with the European Parliament, the Council of Europe and the European Commission and will centre around how to put into practice the principle that the owners of connected devices have the right to access and share the data they were instrumental in generating. MEP Damian Boeselager, a strong supporter of the Act, stated it is time to move on from a situation “where data is mostly kept hidden on private servers, to a future in which data is widely shared and further used for innovative business models, more efficient processes and better policy making.”
Other objectives of the proposed Act are to prevent unlawful transfer of data by cloud providers and to develop interoperability standards so data can be “reused” between sectors. Cloud providers will also be obliged to locate their data infrastructure in Europe. There are business-to-consumer (B2C) domain issues too. If a consumer opts for a repair of a smart home appliance from a provider other than the manufacturer, then the manufacturer must provide data about the appliance without directly or indirectly charging for it. However, since the manufacturer will have to cover the inevitable cost, this seems naïve.
Other clauses are designed to guard against “the abuse of contractual imbalances in data-sharing contracts due to unfair contractual terms imposed by a party with a significantly stronger bargaining position.” Finally, public sector bodies will be allowed to access and use data held by the private sector in “exceptional circumstances” such as public emergencies.
Here is what the International Network of Privacy Professionals has to say about the proposed Act:
In our view, the scope of work of the Data Act seems sometimes unclear since some Chapters concern the reuse of data generated by the IoT, while other chapters (e.g. safeguards for SMEs/fairness test, sharing of data with the public sector bodies) seem to apply in general words to all data.
In terms of legislative process, the number of regulations concerning the big data seems quite high, potentially slightly overlapping and the exact scope of each of these seems rather difficult to follow, especially for players that cannot dedicate sufficient resources to understand the impact or the benefits of the various regulations (e.g. the Free Flow of Non-Personal Data Regulation, the Database Directive, the Open Data Directive, the Data Governance Act, etc.).
Thirdly, in terms of business impact, while the scope of the mandatory sharing of data generated by the IoT is limited (sharing to the user and proxy holders of the user), and notwithstanding the fact that the sharing is intended to lead to increased competition (and while protecting the trade secrets), such sharing may in our view lead to an increase in anticompetitive / unfair practices among businesses.
Also, various businesses, especially the holders of data generated by the IoT, will most likely experience lots of pressure and costs in implementing the various measures imposed by the Data Act, such as in relation to data access by design and business-to-business contractual framework for data access.