EU proposes law forcing manufacturers to share data
Users set to get right to access products' data stream, public sector might dip in too
In proposals aimed at IoT and machine data, the European Commission has put forward the Data Act, which promises to force manufacturers to share streams of after-sale data with third-party tech firms.
In a move set to shake up the market for digital services based around products, the EU's executive branch said it wanted to give users of connected devices access to the data generated by them.
Consumers and other users would then also have the right to ensure manufacturers share such data with third parties to provide aftermarket or other data-driven services.
Manufacturers would have their costs covered and be protected from competitors accessing data, according to the proposed legislation. Both of these caveats seem aimed at addressing concerns of private firms since the EU first presented the data strategy in early 2020 (see here).
By May 2021, when the commission published its "impact assessment" for the Data Act, companies that generate what they consider to be "proprietorial" data were worried about "undermining their investments and potentially exposing trade secrets," as one Brussels-based lawyer put it.
Bird & Bird LLP's Francine Cunningham added: "There will also be concerns that the Data Act may take away certain privileged positions of some companies, in particular original equipment manufacturers (OEMs) of internet-connected objects, and thereby threaten investments into data-generating objects."
At a press conference, commission executive vice president Margrethe Vestager said: "The Data Act defines who can use what data and under what conditions. We want to ensure greater fairness in the allocation of the value created by data. [People are] buying more products that generate data —from smartwatches to connected cars. Currently, it's mainly the manufacturers of these products who hold and use the data.
"To empower consumers, we want to change this by building data portability. First, consumers will have the right to access all of this data free of charge, and in real-time. Secondly, [they] will have the rights to oblige the manufacturer to share this data with another company: a company that [they] have chosen to provide additional services [such as] maintenance and repairs. This gives [people] greater control over [their] data. It also boosts competition by allowing more companies to offer their services to [consumers]."
The proposals also aim to give SMEs more power to help prevent abuse of contractual imbalances in data sharing contracts and shield them from unfair contractual terms imposed by a party with a significantly stronger bargaining position.
In light of the pandemic, public-sector bodies will be given access to data held by the private sector in exceptional circumstances, "particularly in case of a public emergency, such as floods and wildfires, or to implement a legal mandate if data are not otherwise available," the commission said.
Lastly, the Act promises to make it easier to move data between cloud providers, both for businesses and consumers.
Vestager said the Act aimed "to remove commercial technical contractual obstacles that still prevent customers from switching between cloud services."
"This will not only empower customers; it will also allow for more competition in an area that is increasingly important for business users and governments alike," she said.
- Dutch govt issues data protection report card for Microsoft
- EU digital sovereignty: Cloud players unconvinced
- EU Data Protection Board probes public sector use of cloud
- France says Google Analytics breaches GDPR when it sends data to US
Guillaume Couneson, data protection and technology partner at law firm Linklaters, said that if adopted in its current form, the Act would have an important impact on a number of big tech players providing IoT, virtual assistant, cloud or blockchain-based products and services.
"Such companies may have to make data generated through the use of their products and services accessible to users, provide transparent information in that respect and remove obstacles which inhibit switching," he said.
"To enable the sharing of data with third parties, big tech players may among others need to conclude 'data sharing agreements' on fair, reasonable and non-discriminatory terms. The current proposal of the Data Act would also introduce a mechanism banning unfair contract terms."
Couneson said that Data Act was designed to be "generally complementary" to rights granted under the General Data Protection Regulation (GDPR), in some cases extending some of the rights and obligations to non-personal data without modifying GDPR.
But consequences of GDPR, in terms of sharing personal data between jurisdictions, are far from settled. French data protection authority CNIL declared that Google Analytics breaches the regs because it transfers European netizens' data to America following a similar ruling by the Austrian authority.
Meanwhile, US and EU negotiators are said to be nearing some conclusion in coming up with a replacement for Privacy Shield, the data-sharing arrangement struck down by the EU Court of Justice in what became known as the Schrems II ruling in 2020.
France says Google Analytics breaches GDPR when it sends data to USREAD MORE
In a press conference, Vestager said the EU was still negotiating with US officials on a solution. "This is a high-priority endeavour. This is not easy because we take the guidance from the court who ruled on the basis of the Charter of Fundamental Rights, which is not something that we can or will change. We need to find a way of working with the Americans that is in accordance with this in order not to get a negative Schrems III judgment. It is a priority for us in order to enable the business community to make the most of data under safe and transparent conditions."
The Software Alliance's Thomas Boué, EMEA director general of policy at the BSA, said of the Data Act: "While the proposed Data Act is an important recognition of the need for a fair data economy, it will require fine-tuning."
"We believe that organizations that hold data — that is, the customers that BSA member companies serve — should retain full control over whether they share or transfer data, to whom, and on what terms.
"Mandating organizations in the EU to share the data they own — or, equally, restricting them from sharing or transferring data to third countries — will not only prevent EU businesses from reaping the full benefits of the digital transition but will render them less able to innovate and compete effectively in global markets."
The Data Act will go before the directly elected European Parliament and the Council of Ministers – representatives from the governments of members states. They will come up with their own texts with the commission acting as an "honest broker" to negotiate a final text to be put before parliament. The process rarely takes less than a year and usually takes 18 months to two years. ®