EU institutions are due to reach a political agreement on the Data Act next week, with ongoing discussions on the issue of trade secrets, governance, territorial scope, product safety and time of application.
The Data Act is a flagship legislative proposal to regulate how industrial data is accessed and shared. The file is at the last stage of the legislative process, with an agreement expected as early as next Tuesday (27 June) between the EU Council, Parliament and Commission in the so-called trilogues.
The Swedish Presidency of the EU Council of Ministers circulated an updated document on Tuesday (20 June) providing an overview of the main changes and the outstanding political issue to request an updated negotiating mandate at a meeting of EU ambassadors, COREPER, on Friday (23 June).
Data sharing obligations
The Data Act introduces the principle that users of connected devices such as smart fridges should be able to access the data they contribute to generating or share it with a third party.
The chapter regulating Business-to-Customer and Business-to-Business data-sharing has now been largely agreed upon with only minor changes to define better “the data falling within the scope of the Regulation and clarifying the different actors’ rights and obligations,” the document reads.
The most significant amendment is the distinction introduced by the EU Parliament between ‘product data’, the data generated by the use of a connected product, and ‘related service data’, which represents the digitalisation of users’ actions.
At the same time, the horizontal concept of ‘readily available data’ was maintained to indicate data that can be obtained without a disproportionate effort.
Trade secrets
How to protect commercially sensitive information when disclosing data to another company remains a sensitive point. However, significant progress has already been made in merging the positions of EU governments and MEPs.
The Swedish presidency is asking national representatives for flexibility to introduce the ‘trade secret holder’ concept to distinguish situations where the organisation controlling the data, the data holder, is not the same as the one affected by the commercially sensitive information.
In addition, the member states are asked to agree on limiting the possibility for data holders to deny data access requests to exceptional circumstances.
Cloud switching
The Data Act also includes measures to remove barriers to switching from one cloud service provider to another.
“The revision of this chapter aimed at making the provision concerning effective switching clearer and more widely applicable, much in line with the COREPER mandate,” reads the presidency’s note.
Some amendments from the European Parliament have been taken on board, notably introducing an obligation for cloud providers not to impose obstacles or remove them, whether they exist, that would prevent the customers from unbundling different cloud services.
MEPs also included information obligations for cloud providers concerning the switching conditions and related technical limitations and an up-to-date register detailing the data structures and formats.
In addition, a new article requires all the parties involved in the switching process to collaborate in good faith for timely data transfer and maintain the continuity of service.
Governance
On the governance architecture, MEPs and EU countries disagree on whether there should be a single point of contact, the data coordinator, for all enforcement actions under this regulation at the national level.
The presidency considers that some concessions must be made, assigning additional cross-sectorial tasks to one competent authority, which might be related to trade secrets, data sharing with public bodies or the entire Data Act.
Territorial scope
One of the issues where the EU co-legislators are farther apart is on the geographical scope of the regulation, with the EU Council that wants to make it applicable regardless of where the data recipient is located and the Parliament sceptical it could be enforced outside the EU.
The presidency asked the member states whether they are open to moving toward the MEPs’ more limited scope, which allows data holders to deny data access requests from entities established outside of Europe.
Product safety
The European Parliament’s mandate includes a provision allowing users and data holders to contractually agree on restricting access, use or further sharing of data, particularly in situations that could seriously damage people’s health and safety.
No such provision was included in the Council’s text, although the issue had been discussed. The presidency is asking member states whether they would be open to accepting it.
B2G data-sharing
The Data Act allows public bodies to ask private companies for their data under specific circumstances. Sharing personal data was limited to responding to a public emergency, with the European Commission tasked with evaluating this provision.
Date of application
Another point that will need to be settled is the entry into application of the regulation, with the Parliament pushing for an 18 months delay and the Council asking for 24.
Source: Euractive
