Data Act: Five things that EU policymakers should get right

European digital champions and scaleups are eager to take advantage of the Data Act’s potential to offer innovative services for both businesses and consumers. To make this happen, the Data Act needs to get the basics right. 

The European Tech Alliance (EUTA) gathers successful digital companies built across Europe, with a total of 29 companies from 14 European countries. We call on the European Parliament and EU Member States to use their co-decision-making powers to adjust five essential elements of the Data Act.

1. Clarify which entity users should approach for their data request

The Data Act aims to empower users to have control over their own data generated when using a product or service. 

One question is central: which entity should users request their data from? 

In the Data Act, the answer to this question should be as straightforward as possible. The data sharing obligations should fall upon the party that has concluded the sales, rent or lease contract with the user and that falls within the definition of “data holder”.

An unambiguous definition would be:

The “data holder” is the legal or natural person, other than the user, who has the right, or obligation, in accordance with this Regulation, applicable Union law or national legislation implementing Union law, to make available non-personal data generated using a connected product to the user or can enable access to the data through control of the technical design of the product and related services.

2. Align with EU data protection rules (e.g., GDPR)

It goes without saying that the Data Act must comply with the EU data protection framework, especially for data transfers involving third parties receiving data at the request of a user. At the same time, the Data Act should not undermine European businesses’ ability to offer personalised offers, products and services. This is a key driver for innovation and competitiveness today.

The Data Act should not alter the General Data Protection Regulation (GDPR).

For example, the Data Act shouldn’t prohibit data processing activities for certain actors in the chain, while others can go ahead. This risks creating an anti-competitive, uneven playing field when innovating with data, which is the opposite of what the Data Act seeks to achieve.

3. Create fair business-to-government (B2G) data sharing obligations

Another ambition of the Data Act is to facilitate national authorities’ access to businesses’ data. This could take place in case of “public emergency” and “exceptional need”. It remains unclear what these concepts mean concretely in the Data Act; they must be specified.

Public authorities should provide proper justification and demonstrate proportionality in their requests for data. Businesses should respond within a reasonable amount of time (i.e. at least 30 days in the case of exceptional needs). 

Data already shared under sector-specific EU legislation and personal data should not be in scope.

4. Ensure proportionality in business-to-business data sharing

Generally, the Data Act aims to facilitate data access and data innovation in some specific situations, such as in the case of Internet of Things (IoT) devices. However, some legislative proposals go beyond this clear scope and propose to mandate, through the Data Act, the access of some businesses to the data of other businesses. 

The Data Act should not force businesses to share more data than is contractually and legally necessary with other businesses. Doing so endangers existing business models and data innovation.

5. For switching, the scope needs to be narrow; 100% functional equivalence is unrealistic and 30 days is not enough

The Data Act aims to enable easy switching between providers of cloud, edge and other data processing services. The intention is good and it will likely benefit European tech companies too, as users of such services. However, the scope of these obligations must be right.

The definition of a “data processing service” was too broad in the Commission’s original proposal. It risked encompassing services which were not cloud (or comparable) services. To prevent any platform from falling in scope simply because it is “run with data”, we propose to exclude online platforms as defined in the DSA (Article 3(i)). In the DSA, this actually covers a narrow category of actors.

Introducing a requirement for functional equivalence between data processing services in the Data Act aims to prevent technical considerations from being turned into barriers for switching. However, a 100% equivalence of services, as can be understood from the terms “will deliver the same output at the same performance and with the same level of security, operational resilience and quality of service”, is unrealistic.

Our proposal is to consider functional equivalence as providing the same functional capabilities (i.e. storing and organising data in a certain way in a cloud).

For any company, big or small, the process of switching data processing providers is crucial to business continuity and future operations. For providers of data processing services, winning or losing a customer should rest on a fair balance of interest. 

Mandating switching in 30 days in general goes against this balance, knowing that every practical case may be different. Our proposal is to establish a duty to act in a reasonably expeditious manner in the case of business users of providers of data processing services. 

European digital champions and scaleups urge EU policymakers to strike the right balance between giving users control over the data they generate while using products and related services and enabling businesses to earn a return on their investments by creating valuable products and services people love.