LEAK: Data Act’s proposed rules for data sharing, cloud switching, interoperability

The Data Act is a pillar of the European Data Strategy. [lukeylukas7/Shutterstock]

The Data Act proposal defines the rules for sharing data, conditions for access by public bodies, international data transfers, cloud switching and interoperability, according to a draft seen by EURACTIV.

The Data Act is horizontal legislation for non-personal data that the European Commission plans to present on 23 February. The new rules will apply to the manufacturers of connected products, digital service providers and users in the EU.

“The volume of data generated by humans and machines has been increasing exponentially, but most data are unused, or their value is concentrated in the hands of relatively few large companies,” the proposal reads.

The Commission intends to unleash the potential of data-driven innovation by creating legal obligations for data-sharing when connected devices (Internet of Things) are starting to be widespread.

Right to access

The Data Act introduces the principle that every user, individual or organisation, should have access to the data it contributed to generating.

Conversely, connected products and related services, including virtual assistants, should make the data available to the user in an accessible manner by default. The user will be able to use this data or share it with third parties free of charge.

When sharing data with third parties, the data holder and the user can agree on measures to preserve the confidentiality of the data and trade secrets. The transmitted data cannot be used to develop products in competition with the data holder.

Notably, the users or third parties cannot share such data with organisations designated as gatekeepers under the Digital Markets Act (DMA). In turn, the gatekeepers are forbidden from soliciting the user to share data with them nor to receive data.

EU parliament adopts regulation targeting internet giants

EU lawmakers adopted their version of the Digital Markets Act (DMA) in a plenary vote on Wednesday (15 December), formalizing their mandate to enter interinstitutional negotiations on this key piece of digital legislation with the European Council and Commission.

Data holders will not be able to put in place coercive means or technically prevent data sharing and can only request information to verify that the request comes from a user or authorised party.

To prevent dark patterns, third parties cannot “in any way coerce, deceive or manipulate the user, by subverting or impairing the autonomy, decision-making or choices of the user, including by means of a digital interface with the user.”

Micro and small companies are excluded by these obligations unless they are “economically dependent on another enterprise which does not qualify as a micro or small enterprise.”

Unfair contractual obligations

The contractual terms should be fair, reasonable and non-discriminatory, otherwise they would be considered null. An unfair contractual term “grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing.”

The draft law reverses the burden of proof stating that “where the other enterprise considers conditions to be discriminatory, it shall be for the data holder to prove that there has been no such discrimination.”

In case of disagreement, the two parties can refer to dispute settlement bodies, certified by member states, but only for disputes that another body or court has not already addressed will be rejected. Parties could still seek a remedy before a national court.

Compensations for making data available should be reasonable and non-discriminatory. For SMEs, compensation should not exceed the actual cost of the request.

LEAK: Draft impact assessment sheds some light on upcoming Data Act

The draft impact assessment of the EU Data Act, seen by EURACTIV, illustrates the key aspects of the upcoming legislative proposal that has recently failed an independent review.

The Regulatory Scrutiny Board, an independent body that quality-checks the Commission’s impact assessments …

Public sector access

Public bodies might access data in exceptional circumstances, notably to respond to a public emergency or fulfil legal obligations.

Public emergencies include natural disasters, public health emergencies and terrorist attacks, whereas law enforcement is excluded. In case of emergency, the data should be provided free of charge, whereas the data holder can seek compensation equal to the actual costs for other cases.

The data sharing requests should be proportionate and not to the detriment of the data holder. The public body will not reuse the obtained data but could make it available for scientific research.

When relevant, the data holder should “take reasonable efforts to pseudonymise the data.”

Cloud switching and interoperability

The proposal notes that SWIPO, a non-binding initiative to facilitate cloud switching, “seems not to have affected market dynamics significantly.”

Therefore, the legislation introduces obligations for contracts to contain clauses to support switching, interoperability requirements, and a transition period to ultimately prohibit data processing service providers from charging any fee for switching.

If someone decides to move an operating service, software or application from one cloud service to the other it should enjoy ‘functional equivalence’. The providers need to ensure compatibility with open standards or interoperability interfaces for all other services.

The Commission will request one or more European standardisation organisations to draft harmonised standards for the interoperability of cloud services. If deemed insufficient, the EU executive could adopt implementing act mandating common specifications, open standards, or open interfaces.

The Netherlands publishes non-paper on upcoming Data Act

A non-paper pressing for data sharing provisions, interoperability requirements, and data access for the public sector in the European Commissions Data Act proposal was circulated by the Dutch government on Friday (30 September). The act is expected to be formally presented by the end of 2021.

Data transfers

Cloud service providers should take all reasonable measures to prevent governmental access or transfers of non-personal data that would conflict with European or national law.

Court orders from third countries would only be recognisable if based on an international agreement. If the ordering country fulfils certain conditions, the minimum amount of data permissible can be shared.

Enforcement

Enforcement is left in the hands of the competent authorities designed by the member states, with penalties also being defined at the national level.

[Edited by Nathalie Weatherald]

Subscribe to our newsletters

Subscribe