On 23 February, the European Commission unveiled one of the most ambitious, complex and controversial regulatory proposals of the Von der Leyen era: the so-called ‘Data Act’. This is the most far-reaching legislative initiative in the context of the EU’s Data Strategy, which comprises a complementary regulation (the Data Governance Act, DGA), due to be adopted soon; new initiatives on the EU federated cloud, an industry alliance for edge/cloud architectures, and the creation of both horizontal and vertical (sector-specific) data spaces. All of these are pieces of a complex puzzle, one which promises to revolutionise the EU’s approach to the digital economy.
It is no mystery that the EU institutions consider data as one of the most essential inputs for a competitive economy. Depending on other jurisdictions and market players for the storage, processing and provision of data is seen as tantamount to enslaving the European economy to foreign powers. Consequently, the Commission’s approach to data echoes very much the approach adopted for other key inputs to European industrial value chains, such as rare earths or microchips (in the newly presented CHIPS Act). The Commission’s estimate is that 90 % of European data are currently in the hands of a fistful of US-based tech giants. This has led to an urgent call for a ‘repatriation’ of data towards the EU (labelled as ‘digital sovereignty’) and a fairer distribution of data and value from large tech giants to individual users and small companies.
A data strategy that achieves this double result is thus to be seen as a survival strategy, not as a useful add-on to the EU’s overarching agenda. It is a mixture of measures broadly aimed at avoiding Europe’s loss of industrial power, and pursuing an economically sustainable approach to digital regulation. Given Europe’s industrial power in many sectors of the economy, failing to transform industry could send European economic power off into the sunset, never to return.
A myriad of challenges to address
Against this backdrop, the Data Act pursues at least six challenging goals.
First, it seeks to encourage business-to-business (B2B) data-sharing transactions, especially in the context of future (and yet largely undefined) data spaces and industrial value chains. It does so by seeking to provide enhanced legal certainty and introducing provisions that prevent larger incumbents from exploiting their bargaining power by restricting data flows, or appropriating the lion’s share of the contractual surplus.
Second, the Act seeks to reduce so-called ‘vendor lock-in’ problems, by giving smaller companies and individuals portability rights on their data, in an attempt that echoes a similar measure introduced by the EU’s GDPR. The Act also introduces a general obligation to keep devices and data separate, allowing end users to switch to alternative cloud/edge services providers for the data generated by their devices, without depending on the integrated device vendor.
Third, the Act goes further by providing that when a user wishes to transfer data services to competing providers, the data holder should ensure that data are shared in fair, reasonable and non-discriminatory conditions. This provision seems to generalise the approach adopted by the EU in sector-specific legislation, such as the Second Payment Services Directive (PSD2), where banks were obliged to transfer data to third party providers through an Open Application Programming Interface, with the consent of the customer. In addition, service providers are requested to take action to ensure that outgoing customers maintain ‘functional equivalence’ after they have switched to another provider.
Fourth, the Act provides that in exceptional situations, public bodies and the EU institutions may obtain access to privately held data free of charge (in the case of pandemics or disasters) or on a cost-basis (in all other cases). This provision has proved controversial since work on the Data Act began, with businesses expressing fear that vaguely defined, or generously interpreted, ‘emergency situations’ could lead to widespread expropriation of private data for public use, with little or no compensation for the data holders.
Fifth, the Data Act ventures into the content of contracts for the sharing of data between businesses, in an attempt to promote fairness and avoid contractual agreements built on imbalances in negotiating power between the contractual parties. Following a consolidated tradition in EU law, dating back at least to Directive 93/13 on unfair terms in consumer contracts, the proposed ‘unfairness test’ includes both a general provision and a list of clauses that are either always unfair (‘black list’) or presumed to be unfair (‘grey list’). Unfairness, when found, impedes the use of data by both contractual parties.
Sixth, the Data Act introduces interoperability provisions by empowering the Commission, with the support of standardisation bodies, to intervene with common specifications to promote the interoperability of data processing services, to facilitate the pooling of data (e.g. in data spaces, or data provision ‘for good’) and promote easier switching across data providers. This provision will apply in particular to smart contracts for data spaces, as already announced in the Commission’s annual strategy on standardisation for 2022.
A regulatory straitjacket in the making?
All in all, and if coupled with the provisions being introduced by the Data Governance Act (mostly focused on voluntary data sharing and data intermediaries), these provisions portray a completely different view of the digital economy, from the locus of free-flowing data to a patchwork of private data, shared data, and publicly available (and appropriable) data. With the ambition to reach the optimal level of sharing for each of these types, over time, and with adequate regulatory monitoring, the key problem of the Data Act is that it does not seek to consolidate existing market trends. Rather, the Commission is trying to invert established market dynamics by deepening the regulatory control of a wide variety of data-related transactions, and imposing rules that only with a Herculean effort it may ultimately be able to monitor and enforce.
In this latter respect, to be effective the Data Act will have to reverse another trend that has reigned in cyberspace since the earliest days of the World Wide Web: the lack of effective enforcement, and the ability of tech giants to dodge regulation, or even use it to pursue their own interests. One then wonders whether the Commission will be able to convince EU Member States and the European Parliament that the proposed regulation is proportionate and needed; and that there is no risk that in trying to counter the dominance of large-scale US cloud giants, the Commission instead ends up crafting an unnecessary regulatory straightjacket, strangling the nascent European data-driven economy.