With the data economy estimated to account for only 3 per cent of Europe’s GDP, the Data Act must strive to unlock European companies’ full potential to develop new digital solutions. While all the right ambitions have been included in the European Commission’s proposal, numerous changes will be to ensure the final text can act as an enabler of Europe’s data aspirations – rather than stifling them.
The proposal would impose across-the-board horizontal rules obliging data sharing, as opposed to more flexible enabling measures to spur voluntary sharing. However, there is little, largely circumstantial evidence to justify radical measures, which can on the contrary directly impact companies’ entrepreneurial freedom and economic opportunities without any tested macroeconomic benefits.
The final Data Act should allow companies much more predictability about what it covers, what obligations apply, and how the rules will be enforced.
Central definitions must better delimit the proposal’s nature and impact. The final Regulation should apply to finished connected products, clarify its applicability only to raw data, and identify data holders based on the notions of control and ability to make data available.
Proper limits to data availability must be incorporated in order to avert incentives for data misuse and unfair competition. This must include: a clear exemption of trade secrets and an acknowledgement of the risk of ‘reverse-engineering’ for confidential business data; protections against the development of competing products and services; clearer obligations and penalties against data misuse by data recipients; and a recognition of the need for data holders and data recipients to agree suitable contractual and compensation terms.
Much more stringent conditions must be set out to prevent the risk of public bodies’ misuse of data supplied to them, and to ensure the key criteria of lawfulness, necessity and proportionality under Union law are fulfilled.
The final switching rules for cloud service providers must better reflect the variety of cloud services, the volume and complexity of data stored and processed on them, and the shared responsibilities between cloud providers and customers.
The proposed restrictions concerning international access and transfer must be removed. Although they are aimed at non-personal data, these rules address laws (such as the US CLOUD Act and e-evidence) that will tend to involve personal data and are already covered by the GDPR. They would only bring further uncertainty to companies’ international operations, which have already been severely tested by the CJEU’s Schrems II See DIGITALEUROPE’s study.
A formal coordination and consistency mechanism must be established, allowing for the identification of one single lead competent authority and an EU-level body able to make binding decisions. This is vital to prevent what would otherwise be an inevitable multiplication of both interpretation and enforcement by a disparate set of authorities.
Clearer rules on the relationship with the EU data protection and privacy frameworks must be stipulated. Importantly, the Data Act should require authorities to assess what elements of cases before them might involve personal data or mixed datasets, and should therefore be yielded to the competent data protection authority (DPA) instead.
Alonger transition period of 36 months to allow for the development of relevant interoperability standards and for companies to prepare for compliance.