The draft impact assessment of the EU Data Act, seen by EURACTIV, illustrates the key aspects of the upcoming legislative proposal that has recently failed an independent review.
The Regulatory Scrutiny Board, an independent body that quality-checks the Commission’s impact assessments for new legislative proposals, rejected the Data Act on Wednesday (27 October) for reportedly not providing sufficient information on the conditions for public bodies to access data, the compensation for businesses and the relation with other legislative measures.
“The Data Act’s general aim is to make more data in the EU usable to support sustainable growth and innovation across all sectors in the data economy and evidence-based and efficient public policies and services,” the impact assessment reads.
The proposal is a crucial part of the European data strategy and is expected to impact the cloud market particularly.
“This provides further examples of the Commission seeking tools outside competition policy to address perceived competitive imbalances in markets such as cloud,” a stakeholder told EURACTIV on condition of anonymity.
Access to data
The Data Act aims to introduce general conditions for consumers and businesses to access the data they generate when using a product or a service in a fair, transparent, and non-discriminatory fashion.
However, sectorial legislation would mainly define data access rights to allow for enough flexibility for each sector. A dispute resolution mechanism would be established in future legislation to ensure these conditions are consistently applied.
The stakeholder noted that “the data act may not itself provide significant access rights despite some conflicting references in the impact assessment, highlighting the internal debate over the shape of the proposal.”
According to the Commission’s preferred option, these general conditions would not include the right to access supply chain data, as manufacturers and service providers would retain access to the data generated by their services and products.
A data-sharing arrangement would be ‘encouraged’ via smart contracts and application programming interfaces. However, the text also refers to the introduction of ‘essential’ technical measures for interoperability, raising the question of whether these measures would be mandatory or not.
The proposal would also introduce a contractual fairness test for business-to-business (B2B) data-sharing arrangements, which would be limited to contractual terms that were single-handily imposed by one party.
The Commission proposes an expert group that would advise the EU executive, especially on business-to-business data sharing and cloud computing contracts.
Transparency obligations would force service providers to specify in the agreement what type of data is likely to be generated and how it can be accessed by customers, with SMEs exempted.
The Commission also anticipates a review of the Database Directive to exclude machine-generated data from the scope, making this type of data more accessible and preventing lock-in situations.
Public access to data
Regarding the obligation for companies to share data with public authorities, access would be based on a list of purposes defined at the EU level limited to “only the most pressing social needs, where other means of accessing data are not available,” including exceptional circumstances, environmental protection and public health.
Furthermore, the Commission proposes leaving member states to add more purposes to the list based on public need analysis. EU countries would also have to establish national coordination structures that facilitate and register data sharing with public and private entities.
The data law would put safeguards to ensure B2G data sharing is proportionate and respects fundamental rights and the company’s interests in providing the data. However, the concept of public interest and how proportionality is ensured do not seem sufficiently developed.
Businesses providing the data should be compensated with lower prices under a preferential treatment regime, although it remains unclear how an economic value is attributed to data. The data requested for public emergencies would have to be offered free.
Cloud switching and extraterritoriality
The impact assessment envisages the introduction of legal requirements that would ensure ‘switchability’ from one cloud service provider to the other, notably by setting up minimum levels of functionality via a standardisation framework.
However, the Commission proposes not to provide technical features or standards for data sharing in the Data Act but rather to leave the possibility of adopting secondary legislation related to the standard-setting process or mandate specific switching standards.
“The Commission would be empowered to endorse data interoperability requirements elaborated by standardisation bodies or industry for selected common European data spaces in delegated acts. The requirements would not be mandatory for stakeholders in the data spaces,” the impact assessment reads.
The stakeholder notes that the scrutiny on ‘data processing service providers’ is expected to mainly concentrate on cloud providers. Still, the broad terminology might open the door for a wider scope.
Following similar provisions in the Data Governance Act, the Data Act requires private providers to take technical, legal and organisational measures that prevent the transfer of data with countries with legislation in conflict with EU or national laws.
The adoption of the Data Act is now expected by the first quarter of 2022.
[Edited by Alice Taylor]