European Commission Draft Data Act Lays Out Data Sharing Obligations for Device Manufacturers, Industrial Systems

Following in the footsteps of the Data Governance Act, the 2021 regulation that established a framework for the handling of non-personal data, the European Commission (EC) is moving ahead with a bill that covers connected devices and their associated services. The Data Act would make data sharing terms more easily accessible to end users, allowing them direct access to stored data and controls to limit its use and movement.

Data Act a win for consumers, riles communications and IoT businesses

The Data Act focuses on the reams of information created and traded by connected devices and attached services. It seeks to give consumers a clear and simple portal into all of this, with direct controls over what is stored and how data sharing is conducted.

In addition to this, the consent process for data sharing is shored up with new rules that include a ban on “dark patterns” that can potentially trick end users into agreeing to unfavorable terms. The Data Act will also prevent government agencies from freely accessing this collected data, restricting them to “proportionate and limited” requests during an established public emergency (i.e. a terrorist attack or public health issue). Routine law enforcement actions are specifically excluded from the Data Act terms.

The EC touted the Data Act as a core element of fairness in the digital realm, a catalyst for a competitive data market and data-driven innovation, and a means to make data and data sharing terms more accessible to the average EU resident. It also points to the recent massive growth in overall data volume, noting that industrial data in particular goes unused 80% of the time and that €270 billion of additional GDP is possible by 2028 with the new data sharing rules.

Provisions have been added to protect small-to-medium enterprises (SMEs) from being locked out of all this by parties with stronger leverage, laying out terms for fair data sharing contracts. Very small “micro” companies will be excluded from obligations entirely, so long as they are not dependent on another company that qualifies for regulation. And there is one final perk for end users: the ability to more easily switch between different cloud data-processing service providers and to have legal safeguards against unlawful transfers.

While also touted as an overall win for all types of businesses and industrial organizations due to expanded access to device data for purposes such as analytics and comparison shopping, the development is not being taken well by certain industries, particularly tech companies and smart device manufacturers who will be forced to give up their essential monopoly on device-generated data. Vehicle manufacturers are also generally displeased with the Data Act, seemingly hoping to sit on the unique collection of data generated by the sensors now commonly found throughout cars.

Data sharing proposal seeks to balance “untapped market potential” with privacy

This is the first public reveal of the Data Act, but a draft was leaked to media network Euractiv in early February. In spite of a fairly strong amount of industry lobbying, the version shown to the public only mildly differs from the earlier leaked version.

One of the differences is that competing services will no longer have access to a company’s data even if the user authorizes personal data sharing with them. The earlier draft had already prevented data from being used to develop a competing product, but it appears that data can be used to create a similar alternative service.

Very large online platforms such as social media giants, companies designated as “gatekeepers” under the terms of the Digital Markets Act, are also not qualified as valid third parties for this type of data sharing. This cuts off another potential gigantic funnel of information to titans such as Facebook and Amazon.

There is also some concern that the Data Act will extend the international data sharing terms established by the Schrems II decision to non-personal data. The act is asking cloud services to ensure that industrial data is protected in a very similar way, demonstrating mechanisms that ensure foreign governments do not have unauthorized access to it.

Trade associations have drafted letters in opposition to the Data Act, but appear to be resigned to rules of this nature inevitably being put in place. The objection tends to focus on implementation of economic incentives for sharing rather than punishments for not opening the doors and following all the rules. Opponents are also arguing that the new mandatory contract terms might conflict with existing anti-competition law in various localities, and that there could be substantial business interruption due to security incidents.

And even neutral experts are predicting difficulties in integrating the Data Act with existing General Data Protection Regulation (GDPR) terms, particularly as some core GDPR concepts expand in the wake of successful legal challenges.