European data strategy: EU Commission publishes impact assessment on the Data Act

The implementation of the European data strategy is picking up pace: On 28 May 2021, the EU Commission published its impact assessment for a Data Act, which is being envisaged as another step of the European data strategy. These include measures to provide government institutions and private companies with improved access to data from (other) private companies, as well as incentives to promote cloud computing business models.

European data strategy

The European data strategy presented on 19 February 2020 (Communication from the Commission, COM(2020) 66 final) is a flagship project of the EU Commission. It aims to facilitate the exchange and use of data and to promote the development of a single European internal market for data. Both are of particular significance for the competitiveness of European businesses and the efficiency of public administration. In view of the leading data economy regions of the USA and China, the EU Commission seeks to combine an effective data access with a high level of data protection and an effective competition policy.

In addition to the Data Act, the planned Data Governance Act – which aims to promote the establishment and development of common European data regions in strategic areas – is one of the key legislative proposals of the European data strategy. It is still somewhat vague how clear systematic distinctions from other regulations is to be ensured in the process, in particular from the GDPR (Regulation (EU) 2016/6799), the Directive on the Protection of Trade Secrets (Directive (EU) 2016/943) and the planned ePrivacy Regulation.

EU Commission’s Data Act impact assessment

In its impact assessment, the EU Commission first describes six current challenges facing the European data economy. It then proposes possible legislative solutions and makes a preliminary assessment of their economic and social impact. In the following, this article outlines both the challenges raised and the solutions proposed.

Use of privately-held data by the public sector

The first challenge identified by the EU Commission is that the public sector is currently limited in its ability to exploit the potential of data processed by private companies. One reason for this is the lack of a systematic legal framework for data transfers to the public sector. Further, there are no (financial) incentives for businesses to give access to data to the public sector. Therefore, the EU Commission concludes that the Data Act should provide the public sector with a fair, reliable and transparent access to privately held data.

Data access and use in B2B relationships

The EU Commission emphasizes the central importance of access to data for the digital economy. This applies in particular to new and small businesses. As a result of this, abusive constellations could arise where “data owners” with strong bargaining power could exploit their position at the expense of weaker market participants. To facilitate B2B data access, the EU Commission proposes the introduction of (sector-) specific data access and usage rights. In addition, a fairness test is to prevent unfair one-sided conditions.

According to the EU Commission, the potential of machine-generated data also remains untapped. One reason for this is often contractual restrictions. The Data Act aims to facilitate access to data and thus enable further value creation and innovation. In this context, the EU Commission also proposes to evaluate and, if necessary, reform the Database Directive (Directive 96/9/EC). In particular, it seeks to regulate the applicability of database rights to machine-generated data in a legally secure manner.

Technical design of data portability

In addition, the EU Commission proposes to specify the right to data portability of Article 20 of the GDPR, which has proven to be too vague. Whereas the technical implementation of data portability has so far been left up to businesses, the EU Commission is now considering to oblige providers of smart home applications and wearables to enable real-time interfaces for data transfers. This should counteract lock-in effects and give consumers a wider choice of services.

Standards for smart contracts

Furthermore, the EU Commission highlights the potential of smart contracts to automate, simplify and speed up B2G and B2B data use and portability. However, there is still a lack of harmonized standards for smart contracts, which hinders their interoperability and impedes market and cross-border use. According to the EU Commission, the Data Act could establish the regulatory framework for technical standards.

Establishing more competitive markets for cloud computing services

The EU Commission also recognizes a challenge in the establishment of a competitive market for cloud computing. After all, European organizations are increasingly dependent on cloud services for processing data. To foster an open market, cloud users would need to be able to transfer data as easily as possible between different cloud service providers. Although service providers and users have jointly developed codes of conduct, these are incomplete and barely contain any provisions on technical requirements and costs in connection with a cloud switch.

With the Data Act, the EU Commission therefore wants to improve portability between cloud providers overall. To this end, it proposes the introduction of a new portability law. This is intended to reduce technical, contractual or economic barriers to data transfer in favor of an open cloud market and a strengthened user position.

Safeguards for non-personal data in international contexts

Finally, the EU Commission points out the lack of regulation on the handling of non-personal data in the international context – for example in conjunction with requests from law enforcement agencies from third countries. Therefore, the EU Commission proposes that providers of online services (e.g. cloud computing providers) be required to:

• inform their users in the event of corresponding inquiries from foreign authorities and also, if necessary, and/or
• to take appropriate legal, technical and organizational measures to refuse such requests if they would be prohibited by EU law or the law of the respective Member State concerned.
  
  

Outlook

The specific content of the Data Act is still largely uncertain. In particular, the specific formulation of the individual rights and obligations proposed still requires considerable detailed work. In terms of the time schedule, the EU Commission aims to produce a draft regulation in the fourth quarter of 2021.

Businesses in the digital economy should observe developments and adapt their processes early on if necessary. So far, the only thing which is certain, is that the Data Act and other legislative plans in the context European data strategy will bring about considerable changes. It remains to be seen whether the EU Commission will be able to achieve its somewhat contradictory objectives – simplified data use while maintaining a very high level of data protection – and where compromises may become necessary.