Published by The Lawfare Institute
On February 23, the European Commission proposed the Data Act, the latest in an ambitious set of legislative proposals governing access to and use of data. It follows earlier initiatives—the Digital Markets Act (DMA), Digital Services Act (DSA), Artificial Intelligence Act, and Data Governance Act (DGA)—now making their way through the EU’s elaborate legislative process.
So far, the U.S. government has focused on the DMA and DSA, which aim to rein in the market power and social consequences of dominant platforms like Facebook and Google. It also remains absorbed by the lengthy effort to negotiate a new legal framework to replace the invalidated Privacy Shield as a basis for transferring personal data from EU territory to the United States.
Now, however, Washington will have to devote attention as well to another dimension of the EU’s emerging data governance architecture. Collectively, the Data Act and the Data Governance Act aim for no less than a reshaping of Europe’s markets for non-personal data—everything, that is, not already covered by the regime for personal data established by the well-known General Data Protection Regulation (GDPR).
The Commission first envisioned these measures in its 2020 European Strategy for Data, where it announced an intention to improve Europe’s global position in an economy where data has become a central asset. The Strategy aimed at “setting up a true European data space, a single market for data, to unlock unused data, allowing it to flow freely within the European Union and across sectors for the benefit of businesses, researchers and public administrations.”
Voltaire’s famous counsel—‘il faut cultiver notre jardin’—could be the credo for the EU’s planned data governance regime. But since the EU’s plans for planting its data garden include building strong fences to restrain foreign interlopers, ‘tending to our own affairs’ will have more than local consequences.
The Commission, in the explanatory memorandum accompanying the Data Act, observes that while “the volume of data generated by humans and machines has been increasing exponentially in recent years,” “most data are unused however, or its value is concentrated in the hands of relatively few large companies.” It points out that as much as 80% of this data could be profitably reused across industrial sectors, potentially adding as much as 270 billion euros to the EU’s gross domestic product by 2028.
European Commissioner for the Internal Market Thierry Breton emphasized at the press conference unveiling the legislation that its goal was for data to be “shared, stored and processed in full respect of European rules,” and to form “the cornerstone of a strong, innovative and sovereign European digital economy.” Breton, a former executive of a major French technology company, has consistently stressed the sovereign motivation for the Commission’s data policy agenda, previously telling the Financial Times that “my goal is to prepare ourselves so the data will be used for Europeans, by Europeans and with our values.”
At the same press conference, Commission executive vice president Margrethe Vestager explained the scope of the proposal. “The data we have in mind is typically generated by connected machines or connected devices,” she said, such as a smart watch or a connected car. Much of this large and growing body of data is non-personal and currently unused, Vestager continued. Unlocking its value for new products or services first requires rules “to define who has control over such data, and who can use it for what purpose.”
Even though the scope of the Data Act will reach personal as well as non-personal data, the new law would not displace the GDPR. Instead, it will operate as a parallel regime. While the GDPR protects personal privacy interests, the Data Act, by contrast, “is about economic rights rather than fundamental rights,” observes Christian d’Cunha, one of its drafters.
The law’s principal effect would be on manufacturers of connected products and providers of related services offered in the EU, as well as on consumers and business users of those products and services. Companies must design their products and services so that users may easily access the data they generate and port it to a third party. Data must be made available to users upon request, without delay, free of charge, and in real-time.
Small and medium-sized companies have long complained of unreasonably high prices demanded by holders of large data pools. The Data Act would require that data holders offer them fair, reasonable, and non-discriminatory contractual terms. It expressly outlaws unilateral contractual terms imposed in a data sharing contract that deviate from ‘good commercial practice’ by, for example, excluding a party’s liability or the availability of remedies for non-performance. But d’Cunha notes that “while the Data Act opens up access to IoT data, it keeps the door shut to big data aggregators—the ‘gatekeepers’ of the Digital Markets Act.” A recital clause in the proposed regulation justifies excluding large tech platforms from the proposed third-party use regime by pointing to their existing “unrivalled ability to acquire data”.
The legislation also tackles difficulties that businesses experience in shifting between providers of cloud storage and processing services. It would speed the switching process and gradually phase out charges for changing providers—like what the EU already has done with telecommunications roaming charges. Operators of data spaces and data processing services must facilitate interoperability of data by complying with standards to be set by the Commission.
Another chapter of the Data Act looks out for the interests of governments in obtaining data held in the private sector—a largely unregulated area. The Commission proposes that in exceptional circumstances, such as a terrorist attack, health crisis, or natural disaster, public bodies may demand access to relevant data, and in most circumstances companies would be compensated for supplying it. The government requests must be proportionate to the need and adhere to other safeguards like data minimization.
Data Governance Act
The Data Governance Act is a more modest measure that was agreed by the EU’s co-legislators in late 2021 but has yet to be formally adopted. Unlike the Data Act, it does not alter material rights to data. Instead, its goal is to facilitate the reuse of government-held data for both commercial and non-commercial purposes—the converse to business-to-government sharing envisaged in the Data Act. Examples include data originally collected by public health, environmental, and transport authorities. The DGA was spurred in part by the realization, in early stages of the COVID-19 pandemic, that European governments lacked a workable legal framework for hospitals to obtain public health data for research purposes.
Commissioner Breton was characteristically geo-political when announcing the proposed Act: The Commission’s goal was “an open yet sovereign European Single Market for data.” Vice President Vestager expressed a similar sentiment: the Data Governance Act offered “an alternative model to the current data-handling practices offered by Big Tech platforms.”
The DGA confronts the reality that many public-sector datasets are encumbered by privacy, intellectual property, trade secret or other business confidential protections. The legislation aims to make them, as the Commission explains, “findable, accessible, interoperable and re-usable”. Although public-sector bodies are not obliged to allow re-use of data, they are encouraged to do so. The access arrangements they devise must be “non-discriminatory, proportionate and objectively justified”.
The legislation suggests techniques for reconciling reuse with the legal restrictions attaching to many databases. For example, to manage privacy or commercial confidentiality risks, public sector actors may require that data be anonymized, pseudonymized, or encrypted. Public bodies also may continue to exercise a measure of control over data shared with outside entities, by supervising how it is reused and insisting that it be stored in secure physical premises. None of these techniques constitute a silver bullet, however. As one legal commentator drily suggested, balancing the interests of reuse and protection “will be difficult”. In other words, the DGA itself may well not result in a dramatic unlocking of the potential for reusing government data.
A more innovative part of the law is its creation of two types of new actors to mediate data transactions. EU member states may empower non-profit ‘data altruism’ organizations, which will use the data voluntarily contributed by individuals and other data holders for general interest goals such as furthering scientific research or improving public services. And a new category of commercial ‘data sharing service providers’, overseen by member states, also may mediate data reuse but only so long as they do not utilize the data for their own purposes. This restriction appears to rule out major cloud service providers moving into a new field of data exploitation.
Building Garden Walls
The EU’s Court of Justice and data protection authorities have long voiced concerns about foreign security authorities obtaining access to personal data transferred abroad for commercial purposes. The Data Act and the Data Governance Act add another set of transfer concerns to the mix—foreign theft of intellectual property and industrial espionage, both longtime concerns of Europe’s industrial giants. The Commission’s goal appears to be bolstering national law and global intellectual property conventions aimed at these problems.
Under the Data Act, providers of data processing services must take “all reasonable technical, legal, and organizational measures” to prevent the international transfer of, or foreign governmental access to, non-personal data, where the result otherwise would be in conflict with European privacy, intellectual property or trade secret law. Providers may comply with foreign demands for personal data held in the territory of the European Union that are based on an international agreement, such as a mutual legal assistance treaty used in the criminal law context. However, providers may honor unilateral requests issued by foreign courts or administrative authorities only if the requests are specific and proportionate, and subject to judicial review in the third country. Although international transfers would not be barred outright, a leading law firm nonetheless has described the Data Act transfer regime as entailing “severe restrictions”.
The Data Governance Act transfer regime is also potentially limiting, in ways that mirror the requirements laid down in the GDPR. It empowers the Commission to determine whether the intellectual property and trade secret laws of individual third countries are “essentially equivalent” to those in the EU. In the absence of such an umbrella ‘adequacy’ finding, transfers to a third country would only be possible if the foreign recipient contractually assumes responsibility for safeguarding IP and trade secrets. International transfers of highly sensitive categories of data, such as health data, could be banned outright.
A new economic study commissioned by a trade association finds that the envisaged international transfer requirements could lead as many as 40% of the polled EU companies to stop moving non-personal, commercially sensitive data to jurisdictions beyond the EU’s borders, implying a GDP loss of 79 billion euros per year. This finding contrasts, however, with another recent survey finding that three-quarters of companies subject to the personal data transfer rules of the GDPR nonetheless have continued transfers from the EU, despite the demise of Privacy Shield.
International trade lawyers have begun to speculate whether these provisions on transfer of non-personal data are consistent with the World Trade Organization’s Global Agreement on Trade in Services (GATS). The EU has committed under the GATS to ensure that cross-border providers of data processing services enjoy access to its market, and to afford them national treatment as well. Limits on international transfers of non-personal data conceivably could violate one or both guarantees, although governments enjoy some discretion to regulate for privacy, security, or other public policy reasons.
The Data Act may have a slower and more difficult path to passage than the Data Governance Act did, due to its sprawling scope and greater range of affected corporate and societal interests. A verdict on the efficacy of some of its most innovative elements, such as strengthening the negotiating hand of companies seeking to re-use other companies’ non-personal data, lies well in the future. What is already certain, though, is that these data governance measures are far more systematic than anything that has been tried before and that they therefore could inspire comparable legislative efforts elsewhere.
Foreign responses to these twin efforts to structure data governance inevitably will be colored by their restrictive data transfer features. The Commission has not yet explained in any detail why existing protections against intellectual property theft and industrial espionage are insufficient for international flows of non-personal data. Borrowing the data transfer safeguards originally developed to protect individuals’ privacy seems a cumbersome and imprecise solution, in any case. The immediate consequence, as the Data Act begins to wind through the legislative labyrinth, could be a foreign concern that the EU’s bid for greater autonomy in the data economy is once again headed in a protectionist direction.