EU institutions discuss and amend new rules on access and use of data

Written By

feyo sickinghe Module
Feyo Sickinghe

Of Counsel
Netherlands

I am a Principal Regulatory Counsel in our Regulatory & Public Affairs practice in the Netherlands and Brussels. I have a focus on tech and comms and digital markets regulation, drawing on in-depth business knowledge and extensive experience in TMT and public administration.

Both the European Parliament and the Council are making progress on discussing and amending the proposal for a European Data Regulation (Data Act, “DA”), which was presented by the European Commission in February 2022. To recall, the DA puts forward harmonised rules for fair access and use of data. With the DA, the Commission aims to promote competition in the digital environment by creating opportunities for data-driven innovation and making data more accessible. The Commission expects that the DA will lead to new, innovative services and more competitive prices for aftermarket services and repairs of connected objects.

Presidency compromise texts

The Czech presidency has put forward proposals for adjustment of the draft DA in so-called compromise texts.[1] It has been added that smartwatches should be included in the definition of "product" as they collect data on indicators or movements of the human body. It has been added which types of data fall under specific chapters of the proposal. For clarification purposes, definitions of 'personal data', 'non-personal data', 'consent' and 'data subject' have been added to ensure alignment with the Data Governance Act (DGA) that entered into force in June 2022. Furthermore, the definitions of "product", "related service", "virtual assistant" and "user" have been refined to more accurately reflect the explanations in the recitals or, as in the case of "virtual assistant", to ensure alignment with existing legislation such as the DMA.

New definitions were added for 'customer', 'digital assets', 'on premise' and 'operators within data spaces'. In parallel, the definitions of 'service type' and 'electronic ledger' were updated. Furthermore, the definition of 'public emergency' has been changed. This partly meets the objections raised by market parties. The definition now includes some examples and a reference to Union or national law procedures to determine whether a particular exceptional situation is a public emergency. Another amendment intends to clarify the requirements that public authorities must meet when requesting data in exceptional situations, including the requirement to explain the intended use of the requested data by a third party, and the requirement to specify which metadata should be provided as part of the request.

Another amendment aims to ensure that data generated through the use of products or related services that are accessible to the user must be free by default and must be made available in a structured, commonly used and machine-readable format. This change is based on the wording in the GDPR. Also was added that the users’ right to access and use data generated through the use of products or related services includes metadata. Data holders and manufacturers of products and related services may not act in a way that could impair the user's right to access, use and portability of data. An additional reference has been added to clarify that the proposal does not oblige a data holder to share trade secrets with a data recipient, unless expressly provided for by law. However, this is without prejudice to the premise that trade secrets will also have to be shared under the DA, provided that all specific necessary measures are taken in advance to ensure the confidentiality of trade secrets. It has been clarified what to do in cases of unauthorised use or disclosure of data. In that case, the data holder may require the data recipient to destroy the data and any copies thereof and to cease production, import, export or storage of infringing goods. Personal data should be anonymised where possible, and if that is not possible, pseudonymisation should take place. The presidency has made several detailed proposals to improve the ability to switch providers of data intermediation services, such as strengthening functional equivalence after a switch, providing free open interfaces and associated information, and meeting interoperability standards by other services than cloud services.

A notable improvement is the enhancment of the role of the European Data Protection Supervisor (EDPS) in monitoring the application regarding personal data. The DA now includes a reference to standard contractual clauses for cloud computing contracts, which the Commission will have to develop alongside non-binding standard contractual clauses on data access and use.

Interestingly, the presidency has also presented two options for amending the exclusion of the sui generis right for databases to Member States.

European Parliament

The proposal for the DA has been discussed in five committees of the European Parliament led by Chief Rapporteur Pilar del Castillo Vera on behalf of the Committee on Industry, Research and Energy (ITRE). The responsibility for parts of the proposal is divided among the five committees. The draft report of 14 September 2022 contains concrete proposals for amendments.

The Chief Rapporteur has added that access to data and metadata of electronic communications services is exclusively covered by the ePrivacy Directive and thus excluded from the DA. She emphasises that data holders should not refuse a request for access to trade secrets as this would undermine the main purpose of the Regulation. Access to metadata is explicitly included to avoid the risk of lack of usability and misinterpretation of the data received.

To some extent, the rapporteur addressed industry concerns about the protection of trade secrets by delineating the scope of the data covered by the obligations, strengthening protection enforcement and provisions on unauthorised use or disclosure of data and exclusion of obligations for products not yet on the market or in the development phase.

The rapporteur believes there is a risk of overburdening SMEs and proposes to exclude micro, small and medium-sized enterprises from the access obligations and the obligation to make data available to public authorities. With regard to the retrieval of data by public authorities in extraordinary circumstances, the rapporteur shares the view that only in cases where the government aims to respond to a public emergency, companies must provide the data free of charge. In all other cases, the recipient must be able to request a fair, cost-effective compensation.

In the meantime, Adam Bielan, the rapporteur for the Committee on the Internal Market and Consumer Protection (IMCO) has also presented proposals for amendments. The committee is not leading in the entire file but does have exclusive powers regarding the chapter on cloud services.

The most glaring issue concerns the functional equivalence of services. The Commission proposes to force cloud service providers to switch customers to a competitor within 30 days while ensuring 'functional equivalence' so that the same functions work in the new environment. Contrary, Bielan believes that cloud service providers should not be required to provide an equivalent level of service when a customer changes provider.

Next steps

It is by no means certain that all changes and additions from the presidency and the European Parliament will make it to the finish line. Much depends on the so-called inter-institutional negotiations between the Commission, the Member States and the European Parliament, which are expected to start in early 2023. The DA is expected to enter into force 12 months after its official publication. Member States will therefore have little time to adapt their legislation to the DA before it comes into force.

For more information, please contact Feyo Sickinghe

[1]

https://data.consilium.europa.eu/doc/document/ST-11194-2022-INIT/en/pdf

https://data.consilium.europa.eu/doc/document/ST-11556-2022-INIT/en/pdf

https://data.consilium.europa.eu/doc/document/ST-12169-2022-INIT/en/pdf

Latest insights

More Insights
Curiosity line yellow background

Talent Wars: The Impact of Artificial Intelligence on Human Resource Practices Across Asia

Dec 27 2024

Read More
green space

A sneak peek into the draft NESRS: What sustainability reporting standards may non-EU parent companies expect?

Dec 24 2024

Read More
Curiosity line pink background

China Cybersecurity and Data Protection: Monthly Update - December 2024 Issue

17 minutes Dec 23 2024

Read More