On the 23rd of February 2022, the European Commission unveiled its proposal for a Regulation on harmonized rules on fair access to and use of data – the Data Act (DA). The long-awaited piece of legislation is one of the crucial pillars of the European Strategy for Data. Together with the Data Governance Act (DGA), the DA aims to provide a new blueprint for the European data economy in the years to come by increasing society-access and reuse of data. Not only that, both measures are intended as key foundations of European digital sovereignty, bearing extraterritorial effects on markets and states alike. As such, they have a direct impact on the Datasphere as well as on the emergence of global data governance regimes.
This blog post discusses five implications stemming from the new Act¹: the establishment of a new framework for Business-to-Consumer (B2C), Business-to-Business (B2B), and Business-to-Government (B2G) data sharing, but also for new interoperability rules, and cross-border transfers of non-personal data.
In the previous blog post on the DGA, I posited a “tale of two cities” scenario for global data governance. This could be ascribed to the fact that the DGA, on the one hand, introduced provisions that encouraged internal data sharing to increase the value derived from society-wide access to data between Member States, while, on the other hand, it posed significant challenges to the cross-border exchange of non-personal data with the rest of the world. In this light, the DA seems to confirm this trend, namely a new geoeconomic role of the EU in global data governance discussions where the “Brussels Effect” is once again prominent in influencing markets’ and states’ conducts worldwide. By means of internal market regulation, the EU is crystallizing its geopolitical role in the global race to digital regulation.
The Data Act in a nutshell
The DA is a horizontal piece of legislation which aims to ensure fairness in the allocation of value from data among actors in the data economy and to foster access and use of data. There are five main changes introduced by the new Regulation, with regards to:
Business-to-Consumers. First, the Commission is proposing new access rights for users of “products” and “related services” to data generated by Internet of Things (IoT) devices, which are either owned or leased by consumers and businesses. The regulatory burden here falls on manufacturers of such products and services since they will have to ensure that the generated data is easily accessible by users, and that there are sufficiently transparent conditions for the use of such data by manufacturers. In this light, new access rights would consist of making sure that users, by default, can access data generated by their use of such a product and that they have the right to share such data with third parties upon their request.
However, IoT generated data cannot be shared with business entities which qualify as ‘gatekeepers’ under the Digital Markets Act. In addition, data cannot be shared with third parties which aim to develop a competing product. Finally, the Commission clarifies that sui generis Database rights cannot be invoked on databases containing data obtained from or generated by the use of a product or a related service.
Business-to-Business. Second, the measure provides additional rules for B2B data sharing situations to make sure that data is shared under fair, reasonable, non-discriminatory, and transparent terms. In addition, it includes provisions for adequate and reasonable compensation for data holders to make data available to third parties. The gist of this regulatory goal can be found in Chapter IV, which aims to address unfair contractual terms unilaterally imposed on micro, small or medium-sized enterprises by declaring such agreements void; but also in Chapter III with the institution of dispute settlement bodies to remedy potential conflicts between contracting parties.
Business-to-Government. Third, the DA establishes a new framework for B2G data sharing in situations of ‘exceptional need’. It can be divided into two main categories. First, to address public emergencies. Second, to prevent or assist public emergencies and “where the lack of available data prevents the public sector body (…) from fulfilling a specific task in the public interest” (article 15). In the first scenario, for situations of public emergency, public bodies can request access to privately-owned data free of remuneration. In the second case, they need to remunerate private actors at the level of incurred marginal costs, plus a reasonable margin. As a bottom line rule across both situations, public bodies have the obligation to demonstrate an ‘exceptional need’, make sure that such a request for data is proportionate, and destroy the data once it has fulfilled the stated purpose. In addition, they cannot make the data available for reuse by third parties, save for individuals and research organizations engaged in public interest research. To protect trade secrets and commercially confidential information, they need to undertake “appropriate technical measures”. On the other hand, private bodies have to transmit as little data as possible.
Interoperability. Fourth, the Commission aims to provide a new interoperability framework for the development of common European data spaces; and it does so by empowering European standardization organizations to draft harmonized interoperability standards. This is done with the objective of going beyond the initial EU General Data Protection Regulation (GDPR) approach to personal data portability by extending the remit of this right to non-personal data. This was previously hindered by the lack of important technical specifications – such as for APIs – and by legal language that foresaw interoperability ‘only where technically feasible’. Two types of actors are the main targets of such technical requirements: ‘operators of data spaces’ and ‘cloud computing providers’. They will be obliged to enable users’ data portability and switchability across digital services.
Cross-border Transfers. Finally, Chapter VII touches on the cross-border transfer of non-personal data. The measure, in article 27, compels cloud computing providers to take all reasonable technical, legal and organizational measures, including contractual arrangements to “prevent international transfer or governmental access to non-personal data held in the Union where such a transfer or access would create a conflict with Union law (…)”. As Kenneth Propp from the Atlantic Council notes, article 27 DA adopts an identical approach taken in the DGA, with one small but significant addition: “under Article 27(3), a service provider may ask a relevant EU or member state authority to assist in determining whether it may positively respond to a foreign access request relating to commercially sensitive data or implicating national security interests”. In other words, this means that the Commission will be charged to develop guidelines consistent with the recommendations of the European Data Innovation Board, to be established under the DGA.
At a practical level, the proposed rules for international data transfers have important implications for cloud computing service providers as the Commission is strongly restricting foreign governments’ access to non-personal data stored in Europe, unless these are based on international agreements, such as mutual legal assistance treaties. This seems to be a direct response to the previous controversies sparked by the CLOUD Act, which foresees executive agreements between the US government and third countries’ law enforcement agencies to grant reciprocal access to data held by cloud providers in each other’s territories. In the absence of international agreements, the DA allows for transfer of data hosted by cloud computing providers if and only if the third country provides an equitable level of protection to EU law. If these are met, the minimum amount of data permissible in response to a request shall be transmitted. This is in line with the data transfer regimes stipulated in the GDPR for personal data and the DGA for non-personal data.
The emergence of European data?
After the GDPR and the DGA, the DA aims to establish another gold standard in data governance. It would not only alter market practice at the European level but also bear wide repercussions for the rest of the world. This is once again in line with what Anu Bradford called the Brussels Effect, namely the EU’s ability to exert global influence in the tech field by means of internal market regulation. And in doing so the EU is implicitly translating its digital sovereignty ambitions into a complex system of regulations which grants Brussels a preferential access to data stored in Europe, and also a direct channel of external influence.
With these recent regulatory initiatives, the EU is crystallizing its new geoeconomic position in the tech domain. The EU has – perhaps naively – long been perceived as a value-oriented actor concerned first and foremost with the protection of its citizens’ personal data. This approach was conceptualized by O’Hare and Hall as the “Brussels’ Bourgeois vision of the Internet” and can be summed up around the protection of liberty, civil liberties, and the neutralization of harm through anticipatory regulation. Yet, this seems to have largely changed as legislative interventions that are at the core of the European strategy for Data – such as the DGA and DA – reveal a proactive geopolitical role, especially for industrial data. This is evident not only for reasons of data protection, but also to ensure economic competitiveness on a global scale. This ambition was clearly spelled out in this emblematic passage of the European strategy for data:
“the winners of today will not necessarily be the winners of tomorrow” (p. 3).
Seen as a whole, both the DA and DGA can be claimed to be giving rise to a new geographical approach to data governance in Europe where, on the one hand, European companies and Member States rely on increasing free flows of personal and non-personal information, while, on the other hand, the new rules restrict cross-border exchanges with the rest of the world. The end goal sitting behind this dichotomy is to make sure that the value derived from data access, processing, use, and reuse remains in Europe and that it is enjoyed by European companies and citizens at large. Eventually, if matching standards of protection are met, the least amount of data possible can be transmitted to the rest of the world.
Data has long been conceptualized as a commodity with non-rivalrous yet excludable properties. Yet, the potential emergence of European data challenges this axiom. This is because European data is subject to an intricate legal regime, both for personal and non-personal data, characterized by high standards of protection from outside interferences. Not only that, leaving legal considerations aside, this geographical approach to data can also be seen as a channel of geopolitical soft power to influence markets’ and states’ conduct worldwide. This reflection sparks the attractiveness of the European single market in data governance discussion which, as demonstrated by the GDPR, is a conducive factor for third countries to adopt similar standards of protection, with the hope of entering it. And although Renda estimates the impact of the Brussels’ effect to be largely overestimated due to “Europe’s inability to exercise legal empathy – ie, respect for and dialogue with other legal systems” (p. 12), the ambition to become a trendsetter in digital regulation remains, and it is actually reinforced for industrial data given the DA and DGA remit of application.
In light of this growing opposition between the local and global (internal versus external) dimensions of data governance taking shape in Europe, the open question revolves around whether the two can be reconciled in the context of cross-border data flows with the rest of the world. In other words, whether a “glocal” data governance regime can take shape, at least between like-minded countries, underpinned by legal and normative interoperability. This specific issue will be the focus of my next essay under the Datasphere Initiative, which will be focusing on the rise of global data governance trilemma in international data governance discussions due to a rise of a geographical approach to data in Europe.
¹This is a highly simplistic account as the measure is extremely ambitious in its scope. For a longer read, I recommend giving a look at these three policy briefs that I have co-authored