The European Commission’s proposal for a Data Act

European Commission

Key messages

• The proposal is a significant step towards a more competitive and innovative data economy in Europe and, if implemented effectively, improves SMEs’ opportunities to access, share and use data, and to switch data processing services.
• In addition to a horizontal legal framework now proposed, sector-specific rules may be required to enable users and third parties to exercise their right to access data in practice.
• The proposition to exempt micro and small enterprises that manufacture connected products or provide related services from the data sharing obligations is well founded.
• The definition of ‘data’ should include all raw and metadata but also other relevant sets of processed, refined, or aggregated data that does not include trade secrets.
• When sharing data that includes trade secrets, it needs to be ensured that confidentiality measures are utilized in a limited manner and only when dealing with data that includes trade secrets as defined by law.
• •It should be expressed more clearly that users and third parties are permitted to develop products, based on the data generated by use of the original product, that are not substitutes of the original product.
• The obligations for data holders to make data available under fair, reasonable and non-discriminatory terms and in a transparent manner will level the playing field for SMEs acting as data recipients.
• The unfairness test is a welcome instrument, but the lists of unfair practices covered by the test need to be reviewed and revised based on a regular market investigation by the Commission. SMEs’ awareness on the provisions that make up the unfairness test must also be raised.
• The proposals to remove obstacles to effective switching between providers of data processing services are welcome. The provider of data processing services should ensure the technical feasibility of transfer before it can sell its services.
• The provisions related to international access and transfer of non-personal data risk creating undue friction in international data sharing and should be reconsidered.
• It is important to involve SMEs and their representatives in the shaping of the interoperability instruments of the essential soft infrastructure underlying the European data economy, including standards.
• SMEs should be a main target group for the promotion of the Regulation. This should consist of making available relevant guidance and efficient support measures, including model contractual terms.

General remarks

We consider the Commission’s proposal for a Data Act (DA) a significant step towards a more competitive and innovative data economy in Europe. It is important that especially small and medium-sized enterprises have better and fairer opportunities to access, share and use data, and to switch data processing services. The main provisions of the DA address this issue relatively effectively, and we hope the EU co-legislators will build on this strong basis.

Currently, many SMEs lack access to data whose generation they have contributed to when using IoT equipment or related services they own, rent or lease. Furthermore, innovative SMEs and startups fail to create added value in the form of novel products and complementary services for the users of IoT solutions due to their inability to get hold of data these solutions churn out. This undercuts the performance of the Digital Single Market.

Although harmonised legislation is a crucial instrument in boosting the data-fueled Digital Single Market, it is worth reminding that regulation will bring the European industry only so far when it comes to achieving increased competitiveness and productivity. In short, the EU cannot regulate its way to the top.

Therefore, the EU and the Member States must pay more attention to enhancing the capacity of European companies, especially SMEs and startups, to participate in and contribute to the data economy in Europe and globally. This requires more investments in education and training, research and development, and common data spaces and digital infrastructure which underpin data-based value creation.

Definitions

The definitions of ‘data’, ‘product’, ‘related service’ and ‘public emergency’, provided in Chapter I, are instrumental for the successful implementation of the DA and therefore need to be outlined clearly and aligned with the aims of the proposal.

As for ‘data’, it is unclear where the text draws the line between so-called raw data and data that is processed, refined, or aggregated. In practice, it is often hard to differentiate different types of data. Therefore, it would be reasonable and practical that users and data recipients have unhindered access to data which is essential to the functioning, repairing or servicing of the connected products and related services. This would include all raw data and underlying metadata but also other relevant sets of processed, refined, or aggregated data that does not include trade secrets. If necessary, the relevancy of processed, refined or aggregated data could be specified in sector-specific regulation. Articles 2 and 3 would need to be redrafted to reflect this position.

As for ‘product’, it is important that the DA covers all physical products that obtain, generate or collect data concerning their performance, use or environment and that can communicate that data via a publicly available electronic communications service. In addition to a broad spectrum of IoT equipment, this definition should also include personal computers, tablets, smart phones and other similar connected devices, contrary to what is stated in Recital 15, when they are used in a function comparable to that of stand-alone IoT products. The text would need to be revised to illustrate this.

As for ‘related service’, it is necessary that the DA also includes incorporated or inter-connected digital services, including software, provided by primary sellers, renters or lessors or third parties, without which connected products could not perform their functions. Although the premise of the text is sound in this respect, it would be advisable to clarify what is meant by a ‘function’ of the product. It should be outlined in a broad sense, covering functions, both front-end and back-end, that are essential for users to enjoy the best possible performance of the product and based on which third parties are able to provide services and complementary products to users.

Lastly, the notion of ‘public emergency’ is vague and risks causing multiple interpretation. The definition should be specified to include public health emergencies; emergencies resulting from environmental degradation and major natural disasters, including those exacerbated by climate change; and major man-made disasters, such as major cybersecurity incidents.

Business-to-business data sharing

Chapter II lays out obligations for manufacturers of connected products and providers of related services to make data generated by the use of products or related services accessible to user or to a third party upon request by a user. Overall, from the perspective of SMEs, these obligations are well constructed and proportionate.

It is important to allow the user to know the identity of the data holder, the type of data generated, the means of accessing that data, and the purposes to which this data is used by the supplier or third parties. It is also important to make available to the user or to the third party of the user’s choosing, upon a simple electronic request and without unnecessary information requirements, data without undue delay, free of charge to the user and, where applicable, continuously and in real-time.

Similarly, it is welcome that the data holder is not allowed to use the data to undermine the commercial position of the user or the third party.

A gatekeeper, as defined by the Digital Markets Act, would not be an eligible third party and would therefore be outside the data sharing mandate. This would not, according to Recital 36, prevent the eligible third party from using services offered by a designated gatekeeper to process the data the third party has received. To avoid misunderstandings, it would be necessary to stipulate this also in Article 5. Both users and third parties should have the possibility to use data processing tools provided by gatekeepers to process data made available to users or third parties pursuant their rights enshrined by the DA.

Trade secrets need to be respected in handling the data. Like proposed, it is reasonable to allow the data sharing parties to take necessary measures to preserve confidentiality, in particular when confidential data is shared with third parties. However, it needs to be ensured that such confidentiality measures are utilized in a limited manner and only when dealing with data that includes trade secrets as defined by the EU or national law. The data holder needs to be able to prove the existence of trade secrets in a data set whenever this data set is subjected to extra precautions. To avoid legal uncertainty, the DA should define, by referring to relevant regulations, what is protected under the valid legal notion of ‘trade secret’.

To ensure the manufacturer of a connected product is sufficiently incentivised to invest in the development of its product, it is sensible to forbid the user or the third party to develop a product that competes with the product from which the data originated. However, the text should express more clearly that users and third parties are permitted to develop products, based on the data generated by use of the original product, that are not substitutes of the original product.

The proposition to exempt micro and small enterprises that manufacture connected products or provide related services from the obligations is well founded. Micro and small businesses should nevertheless be encouraged and advised to adhere to the data sharing requirements on a voluntary basis. It is in the interest of these smaller businesses, especially growth-oriented startups, to be integrated in data ecosystems from the get-go.

The DA is a horizontal legislation and would apply to all industry sectors. However, sector-specific rules may be required to enable users and third parties to exercise their right to access data generated by the use of products, such as vehicles, in practice.

Obligations for data holders legally obliged to make data available

Chapter III outlines the obligations for data holders to make data available under fair, reasonable and non-discriminatory terms and in a transparent manner when fulfilling their data sharing requirements under the DA. The burden of proof when the data receiver suspects discrimination is on the data holder. These provisions are well composed and balanced and will level the playing field for SMEs acting as data recipients.

Furthermore, any compensation a data recipient agrees to pay to a data holder for accessing data shall be reasonable and in case of SMEs cannot exceed the costs directly related to making the data available. The text should clearly express that only costs related to the actual transmission of data are covered. Moreover, the notion of ‘reasonable compensation’ should be explicitly defined or it will lead to legal uncertainty benefiting the data holder. Lastly, it needs to be ensured through efficient enforcement and swift dispute settlement that the actual costs remain reasonable for SMEs.

Unfair terms related to data access and use between enterprises

Chapter IV lays out an ‘unfairness test’ concerning data sharing contracts. The test is meant to shield SMEs from unilaterally imposed contractual terms that are unfair. Terms that are unilaterally imposed on an SME and unfair shall not be binding on the SME. The contracting party that supplied a contractual term bears the burden of proving that the term has not been unilaterally imposed.

Given the centralizing forces embedded in the data economy, the unfairness test is a welcome instrument. If effectively implemented and enforced, it will reduce the adverse effects resulting from imbalanced bargaining relationship between big businesses and SMEs that tends to favour the former, creating more avenues for smaller players to thrive and grow in European data ecosystems.

However, there is a need to include an obligation in Article 13 for a regular market investigation by the Commission to review and revise the lists of unfair practices. In this way, new unfair business practices can be discovered quickly, and the list can be expanded by means of a delegated act.

It is crucial to ensure that SMEs have the means to resort to the unfairness test and protect themselves from unfair contractual practices. Model contractual terms provided by the Commission are a necessary tool in this respect but need to be complemented with other support from the competent national authorities. The model contractual terms need to be available at the latest when the DA enters into force and, preferably, even earlier. Furthermore, the Commission together with the national authorities and other stakeholders must focus on raising SMEs’ awareness on the provisions that make up the unfairness test.

Business-to-government data sharing based on exceptional need

Chapter V obliges data holders to make data available to public sector bodies upon request that is based on an exceptional need, for example to respond to a public emergency. This would not apply to data holders that are small or micro enterprises. The exemption should be extended to medium-sized enterprises to avoid burdening SMEs in a disproportionate manner.

In general, it appears acceptable to allow public sector bodies access data that is necessary to protect the public interest in exceptional circumstances. However, this should always be conducted in a proportionate and limited way that minimizes the burden imposed on the company making the data available. The circumstances deemed as an ‘exceptional need’ should be clarified to leave no room for inconsistent interpretation. This could be done by stipulating that the request to make data available for an exceptional need must be necessary, appropriate, and proportionate to the need.

Public sector bodies must also ensure that the data the company entrusts with them remains safe, that it is not breached or leaked and that its use remains within legal and ethical boundaries.

The Regulation would grant research organisations the right to share data received with individuals or organisations for the purpose of conducting scientific research. To ensure consistency with current legislation on personal data, this type of data sharing should be limited only to anonymised data. The protection of personal data has become a fundamental principle and should be preserved.

It is in the EU’s and Member States’ interest to support the creation of independent trusted organisations that intermediate technically, contractually, operationally, and financially the voluntary or mandatory sharing of data between businesses and governments. These organisations could also act as dispute settlement bodies.

Switching between data processing services

Chapter VI requires providers of data processing services, for example cloud computing providers, to remove commercial, technical, contractual and organisational obstacles to effective switching between providers of data processing services.

Given the issues stemming from lock-in effects in the data processing markets, these proposals, including the proposition to gradually withdraw the switching charges, are welcome. They are especially important for SMEs who are increasingly dependent on cloud and other data processing services. Their ability to switch data processing services by porting non-personal data and applications between different providers is a key component of a healthy and vibrant digital economy. It should not be left to the self-regulation of the service providers. This should also apply to personal data when it is done in compliance with GDPR.

With regards to contractual terms, the DA is right in requiring that the contractual clauses allowing the customer to change data processing service provider be set out in a written contract. However, the provider of data processing services should ensure the ‘technical feasibility’ of transfer before it can sell its services. This condition must be prior to the contract between the two parties.

The contractual terms should also include the costs associated with the transfer of data and digital assets when changing service providers. It is essential that the customer is fully aware of the costs involved in such a transfer.

Furthermore, a minimum period for data recovery of 30 days is too short for SMEs. Indeed, SMEs are in most cases forced to use an external service to manage IT services and must be able to benefit from a period of at least 60 days to recover their data.

It is important to enforce these new rules effectively, including imposing clearly defined sanctions when necessary, and to introduce further measures should the ones now on the table fall short of their goal of creating a more dynamic market for cloud and other data processing services.

Safeguards related to international access and transfer of non-personal data

Chapter VII introduces new safeguards with respect to international access and transfer of non-personal data.

Although it is important to mitigate the risks stemming from disproportionate or inappropriate access to confidential non-personal data in international contexts by third-country authorities, the means to do this should avoid creating unnecessary obstacles to international flows of non-personal data. The provisions in Chapter VII risk creating undue friction in international data sharing and should therefore be reconsidered.

The risks involved in international access and transfer of non-personal data can best be reduced at EU level by introducing obligations for data processing providers to notify business users within 24 hours whenever they receive a data access request from third-country authorities. It might also be necessary to require providers to be more transparent about third-country laws to which they are subject, and which grant third-country authorities access to data they store or process.

In the end, it should be the business user who has the final say over which providers process its non-personal data and whether it approves or disapproves of processing its non-personal data in the EU or third countries. It would be advisable to redraft Chapter VII based on these suggestions.

Interoperability

Chapter VIII concerns with interoperability of data spaces, data processing services and smart contracts. Generally, it is necessary to improve the compatibility of the essential soft infrastructure underlying the European data economy and this can best be done through open harmonised European standards and common specifications.

It is important to involve SMEs and their representatives, such as Small Business Standards, in the shaping of these interoperability instruments to ensure they can be adopted by SMEs who provide parts and services for this soft infrastructure. The text ought to stipulate this in a clear manner.

Implementation and enforcement

Chapter IX outlines the implementation framework for the DA. Competent national authorities established by Member States are charged with the application and enforcement of the Regulation. Among other things, the competent authorities are responsible for promoting awareness among users and entities falling within the scope of the DA.

Given their limited resources and unfamiliarity with the topic of data sharing, SMEs should be a main target group for the promotion of the Regulation. This should consist of making available relevant guidance and efficient support measures, including model contractual terms, for SMEs by the national authorities and industry stakeholders.

To ensure the efficiency of sanctions, the Commission should be given the possibility to reinforce the sanctioning regime by means of delegated acts should reports of repeated abusive behavior emerge.

The Federation of Finnish Enterprises

Joonas Mikkilä
Head of Digital and Educational Affairs