Today, the European Commission published its proposal for a Data Act. The proposal is the second major element of the European Data Strategy presented in 2019 and complements the Data Governance Act that is expected to be formally adopted this spring. The proposed Data Act introduces rules strengthening user access and portability to data generated by connected devices (ranging from industrial appliances to personal virtual assistants), rules related to the interoperability of data spaces and cloud services, and new requirements for businesses to share data with the public sector bodies.
The Data Act is a welcome proposal that gets many things right. It does not fall into the trap of structuring access to data via ill-fitted ownership rights and instead relies on broadening access rights to data — this is something we had argued for previously.
The new access right meaningfully expands the concept of data portability that has been introduced by Article 20 of the GDPR. It applies to all data — both personal and non-personal — generated by the use of connected devices, as well as to both Business to Consumer (B2C) and Business to Business (B2B) or industrial settings (this is worth keeping in mind when assessing the impact of these provisions). Measures introducing interoperability and cloud switching are equally welcome and underline the Commission’s resolve to build a more interoperable and decentralized public space.
Where the proposal disappoints most is in the area of Business to Government (B2G) data sharing. Instead of introducing a framework for structural access to privately-held data in situations where there is a clear public interest justification, the Commission proposal does not get much further than a requirement to share data in exceptional situations. A stronger mandate was on the table, with more robust rules based on the Open Data framework, but was scrapped in favor of a moderate option. One preferred by business, despite strong support — as expressed in consultations — by public bodies and the civic sector. As such, these rules will have limited impact as a framework for ad-hoc B2G data sharing only.
Today we are publishing three policy briefs that explore these three issues in more detail and provide analysis and recommendations for improving the proposal: policy brief #2.1 on Access to Data in the Data Act, policy brief #2.2 on Interoperability in the Data Act, and policy brief #2.3 on Business to Government data sharing in the Data Act. These policy briefs are intended to start a conversation on how the proposed Data Act can be further developed into an instrument that strengthens the data commons.
One area where the Data Act almost completely fails to deliver is the promised review of the Sui generis Database Right that was introduced by the 1996 Database Directive. Instead, the proposal limits itself to a single Article (supported by a 230-page study) stating that “In order not to hinder the exercise of the right of users to access and use such data,” the SGDR does not apply to databases containing data obtained from or generated by the use of a connected device.
While this is a welcome clarification, it is yet another example of the Commission shying away from addressing the elephant in the room — that the Sui Generis Database Right is a failed experiment that creates more problems than it solves.
It was expected that in drafting the Data Act, the Commission would need to balance several factors: the interests of commercial actors who play a key role in the data economy, the public interest together with the need to increase the power of public bodies, and a vision of open and interoperable data spaces and markets. It is clear that the Commission is moving forward on the last issue, proposing a robust interoperability framework for different aspects of the data economy. It also confirms its willingness to regulate the IoT space by limiting the role of gatekeeper platforms and by increasing competition through data portability. These provisions should be seen in parallel with the Digital Markets Act, meant to curb the power of the largest online actors.
But where the proposal fails is on the public interest front. The Commission shies away from introducing strong public interest data sharing provisions that would establish a “data for good” framework. One that could complement the GDPR in establishing a data governance model that sets a global standard for a more just data economy.