Private sector companies face obligations to open access to data under planned EU proposal

Written By

Francine Cunningham

Regulatory and Public Affairs Director
Belgium Ireland

As Regulatory & Public Affairs Director in Brussels, I assist companies facing an unprecedented wave of new EU regulation that will have an impact on every business operating in the digital and data-related economy. I help companies navigate complex EU decision-making processes and understand the practical application of the law to their sectors.

Private sector companies could face obligations to open up access to their data to new entrants to the market, under new rules being drawn up by the European Commission for a Data Act, due to be published later this year. Insights into the plan have been provided by the recent publication of an Inception Impact Assessment which allows stakeholders to provide feedback on the intended proposal.

The forthcoming Data Act is intended to complete a digital single market in which data flows between countries and sectors, and where there are fair, practical and clear rules for access and use of the data. It would take the form of a horizontal legislative initiative, complementing the proposal for a Regulation on European Data Governance, which was published last year and is currently under negotiation. The aim would be to further facilitate access to data and data sharing, which will benefit start-ups and SMEs in particular.

Following the pandemic experience in which government decisions relied heavily on data, the proposal would also seek to promote access to and use of (big) data sources held by private companies that could lead to faster and more targeted responses to societal challenges. Among other goals, the initiative would aim to improve data portability between cloud computing services in the whole data economy. Additionally, the existing Database Directive could be amended so that it supports the objectives of this initiative.

However, companies that generate proprietorial data will be concerned about the prospect of new legislation undermining their investments and potentially exposing trade secrets. There will also be concerns that the Data Act may take away certain privileged positions of some companies, in particular original equipment manufacturers (OEMs) of Internet-connected objects, and thereby threaten investments into data-generating objects.

At present, the Commission is considering the following policy options:

  • Improved access to private sector data for the public sector: this could include the design of a more flexible framework for access and use of such data sources, including data-sharing requirements, transparency requirements and safeguards. One option which could prove to be controversial would be to lay down a right for the public sector to access privately-held data for a range of defined public interest purposes.
  • Ensuring fairness of data access and use in B2B situations: options to be studied include:
      1. Specific transparency obligations for manufacturers of connected objects on rights to access and use of non-personal data in professional use for the benefit of users of such objects;
      2. A B2B fairness test to avoid unilaterally imposed unfair conditions for access to and use of data. Such a test could be complemented by model contract terms recommended by the Commission;
      3. Laying down data access and use rights, potentially based on fair, reasonable, proportionate, transparent and non-discriminatory (FRAND) terms for non-personal data. This could also apply to specific data, such as non-personal data generated by IoT objects;
      4. Providing a harmonisation of horizontal modalities for access to data, for example on FRAND terms, which could apply to data access rights established in specific sectoral rules taking into account specific characteristics of the relevant market, e.g. rules on in-vehicle data;
      5. Examination of the role of the current rights and exceptions under the existing Database Directive to ensure that it does not pose an obstacle to the access and use of data, in particular machine-generated data and data generated in the context of Internet of Things.
  • Contribute to portability of data generated by individuals: The legal instrument would provide for technical specifications to help individuals take advantage of the portability right under the General Data Protection Regulation (GDPR). It could mandate companies selling smart home appliances, wearables and home assistants to allow for real-time portability of the data these devices collect during their use.
  • Safeguarding a competitive cloud market by ensuring easy cloud service portability: The Data Act could introduce a binding obligation for cloud computing service providers to offer data and application portability. Different scenarios could involve:
      1. limiting intervention to mandating Standard Contractual Clauses, developed on the basis of elements of the Codes of Conduct already provided by the industry;
      2. formulating high-level legal requirements in the Data Act, to all cloud computing service providers on the market;
      3. developing more specific legal requirements defining distinct conditions of contractual, technical and economic nature.
  • Define essential requirements for smart contract interoperability that could accompany a potential mandate for the European Standardisation Organisations for setting technical standards for smart contracts.
  • To mitigate the risks resulting from government access to non-personal data of companies established in the Union, held by cloud computing service providers and to ensure trust in the use of cloud computing services, the following two options will be considered:
      1. Creating an obligation for cloud computing service providers to notify, to the extent possible under the foreign law in question, the user every time they receive a request for access to data by foreign authorities, as well as to notify the Commission of all different laws of non-EU jurisdictions with extraterritorial effect to which they are subject. This information will then be published on an EU Transparency Portal.
      2. The first option and, in addition, a mandate for cloud computing service providers to ensure that they have all reasonable legal, technical and organisational measures in place to prevent the transfer of, or access to, non-personal data of companies established in the Union and held by cloud computing service providers to third countries’ governmental authorities, where such transfer or access would be in conflict with EU or national laws.

Next steps

The Inception Impact Assessment is open for feedback from stakeholders until 25 June. Responses to this consultation process, an evidence collection exercise and the eventual results of an ongoing study on fairness in data sharing and access to data, will feed into the eventual proposal for a Data Act, which is due to be published in the third or fourth quarter of 2021.

For further information contact: Francine Cunningham, Regulatory & Public Affairs Director, Bird & Bird (Brussels).
