This regulations roundup uncovers how the European Union has been busy laying the groundwork for a world of open data sharing and digital sovereignty. The forthcoming EU Data Act and Data Governance Act aim to make more data available for society and the economy. By doing so, the EU wants to avoid data processing becoming concentrated in the hands of a few dominant players as data gatekeepers in today’s digital world.
This is the second part of this blog series, following up on our previous post about the Digital Services Act and the Digital Markets Act. In our next blog, we’ll delve into the Artificial Intelligence Act.
To give some background and context, let’s go back to 2020. Then, the European Commission outlined its European Data Strategy. One of its goals was to create a single common data market based on a harmonised framework for exchanging data.
The EU believes data-driven applications will benefit citizens and businesses in many ways, from improving healthcare to creating safer transport systems to improving sustainability and energy efficiency. The EU argues this can make life better for everyone. But it also wants to ensure the companies and individuals who generate this data do so while respecting citizens’ rights.
What is the EU Data Act?
The European Union Data Act aims to make it easier for organisations and people to access data by removing barriers to sharing it. It aims to make data sharing and its use/reuse easier for everyone by setting standards at an EU-wide level.
European Commissioner Margrethe Vestager described the Act’s aims as giving consumers and companies “even more control over what can be done with their data, clarifying who can access data and on what terms. This is a key digital principle that will contribute to creating a solid and fair data-driven economy and guide the Digital transformation by .”
The Act will regulate the use of data generated by Internet of Things (IoT) devices. For example, manufacturers don’t always design their products in a way that allows users, both professionals and consumers, to take full advantage of the digital data they create when using IoT objects. The Act addresses this, with rules and measures that:
- Allow customers to effectively switch between different cloud data-processing service providers and put in place safeguards against unlawful data transfer.
- Rebalance negotiating power for small and medium enterprises by preventing abuse of contractual imbalances in data sharing contracts.
- Shield SMEs from unfair contractual terms imposed by a party with a significantly stronger bargaining position.
- Allow users of connected devices to gain access to data generated by them, which is often exclusively harvested by manufacturers.
Who does it apply to?
The Act will apply to device manufacturers, providers of digital services and connected products (such as the Internet of Things or IoT) as well as public authorities in the EU. The Act will have broad territorial application: it covers organisations within the EU as well as organisations outside of the EU that place their devices and products on the EU market.
Notably, the Act clarifies that databases containing data from IoT devices and objects should not be subject to separate legal protection. This will ensure they can be accessed and used by the user of those devices. The Act will make more data available for the benefit of companies, citizens and public administrations.
When will it be enforced?
This Act is expected in mid-2024. The draft of the Data Act was published on 23 February 2022.
How does it interact with the GDPR?
The EU Data Act will coincide with the GDPR but provides wider rules that apply to all ‘data’, which covers sound, visual or audio-visual recordings. This means more control for people over ‘all’ their data, not just personal data which falls under the GDPR’s remit.
For example, the Data Act should help customers to effectively switch between services. Organisations, particularly smaller businesses, will be able to access data they create. The Act focuses on making clear who can create value from data and under what conditions. Along with the Data Governance Act, the EU Data Act aims to make the EU a leader in a data-driven society. The EU Data Act will govern devices such as domestic machines and cars, but it will exclude anything with screens, for example phones or laptops.
What is the Data Governance Act?
The Data Governance Act (DGA) focuses on the reuse of certain data within public sector bodies. It’s part of the EU strategy for data and it aims to increase trust in data sharing, strengthen mechanisms to increase data availability and overcome technical obstacles to the reuse of data.
Current data sharing models don’t always allow this. As the data privacy lawyer Petruta Pirvan wrote, COVID-19 showed the shortcomings in how data sharing works now. Attempts to process and share health data for research during the pandemic ran aground because of inadequate data sharing infrastructure and also “regulatory restrictions, notably imposed by the GDPR”.
The Act aims to rectify this by providing a set of safeguards for public authorities to comply with when sharing data. It will facilitate data sharing across sectors and EU countries, making more data available overall.
The Act will introduce measures such as data intermediaries which will act as trustworthy organisers of data sharing, and will make it easier for citizens and businesses to make their data available for the benefit of society. Each EU Member State will be obliged to establish a single information point to receive inquiries or requests for data re-use. At the European level, a European single information point will offer an electronic registry of data available at national level.
Who does it apply to?
The DGA applies both to personal data and to any digital representation of acts, facts or information.
When will it come into force?
The Act will apply from 2023, having been proposed in 2021 and having entered into force in 2022. Member States have until September 24, 2023, to notify the Commission of the provisions and measures. The DGA will not explicitly provide for sanctions; it leaves it to Member States to set appropriate penalties for violations of obligations, as well as enforcement measures.
Overall, the Act aims to establish mechanisms that allow for the re-use of specific categories of protected data from the public sector, the exchange of data between companies, and the transfer of data from individuals through reliable data intermediation services that promote data altruism throughout the EU. Data altruism is the concept whereby individuals and companies voluntarily share the data they generate so that it can be used freely in the public interest.
Other key points to note are:
- These services will help organisations to fulfil legal obligations on data sharing
- The Act will introduce data intermediation services that intend to provide a secure environment for organisations or individuals to access information
- It will implement measures to facilitate data sharing, especially making it possible for data to be used across sectors and borders, and to enable the right data to be found for the right purpose
- Organisations cannot monetise the data in any way
- Any data and metadata acquired can only be used to improve the services.
There will be a lot more to say and write as these regulations near completion or come into force. The sweep of the proposals means that it makes sense to understand the various ways they affect organisations and individuals. It’s never too soon to familiarise yourself with the Acts and start planning for them.
The first step organisations should take is assessing whether or not these upcoming Acts will apply to them. They demonstrate both the importance of, and need for, further regulation surrounding data and the online sphere that data finds itself in. Although we have the GDPR that protects personal data, there is indeed a need for more extensive legislation surrounding data as a whole.
The introduction of these Acts shows another shift towards the importance of people having a right to their data; for example, the Data Act concerns the right to access and use one’s data. Further regulation also shows the slow and steady reining in of power that big tech companies have over users’ data.
Cliona Perrick is a data protection analyst with BH Consulting