Briefing for the Impact Assessment of the Data Act Has Been Published
Introduction
In February 2020, the European Commission (“Commission”) published “A European Strategy for Data”[1] as part of a wider drive concerning digital transformation and policy. Through this communication, the European Union (“EU”), defining itself as having a leading role in the data economy, has aimed to outline a strategy for creating a single market for data that will ensure Europe’s global competitiveness and data sovereignty. On the basis of this strategy, the Commission launched an extensive consultation on the measures which can be taken to keep the EU at the forefront of the “data-agile economy,” including new legislative proposals to complement existing laws.
Subsequently, in March 2021, the Commission also announced “Europe's Digital Decade”[2] and presented a vision, targets and avenues for a successful digital transformation of Europe by 2030. As clearly stated in this announcement, it is proposed to arrange a set of digital principles, to launch multi-country projects, to prepare a legislative proposal to create a powerful governance framework and to monitor progress towards these goals.
Ultimately, on 23 February 2022, the Commission proposed the draft Data Act which complements the Data Governance Act as a part of the European Data Strategy, and aims to make the EU a leader in the data-driven society.
In addition, the European Parliament Research Service has recently published a briefing[3] (“Briefing”) for an impact assessment (“IA”) of the regulation of the European Parliament and the European Council on harmonized rules on fair access to and use of data, namely the Data Act. In this Newsletter, this Briefing and the related acts and proposals will be examined in a nutshell.
The Scope of the Data Act and Differences Between it and Other Related Legislation
The Data Act[4] basically aims to maximise the value of data in the economy by providing that a wider range of stakeholders gain control over their data and that more data is available for innovative use, while preserving incentives to invest in data generation and collection.
The Data Act, in general, covers both personal and non-personal data and co-generated (i.e. Internet of Things) data, aiming “to ensure fairness in the allocation of data value among actors in the data economy and to foster access to and use of data.” The proposal regulates business-to-business (B2B), business-to-consumer (B2C) and business-to-government (B2G) data sharing and will be applicable to the manufacturers of the connected products and providers of related services, enterprises, data recipients and public sector bodies along with the data processing service providers within the EU.
The main regulations set forth under the proposal of the Data Act could be summarized as regulations and obligations regarding B2B and B2C data sharing, access to data related to the Internet of Things, government access to data, data transfer and access restrictions to nonpersonal data, smart contract requirements, switching between data processing services (cloud and edge services), and contractual relationships between data holders and data recipients, especially concerning the position of small and medium enterprises (“SMEs”). As stated, the Data Act complements the two other major instruments forming the European single market for data: the Data Governance Act and the Digital Markets Act.
The Data Governance Act[5] designates robust mechanisms to facilitate the reuse of certain categories of protected public-sector data, increase trust in data intermediation services and foster data altruism across the EU. It also aims to bolster the data economy. Within this scope, the Data Governance Act is to be a legislative framework for creating a mechanism to enable the safe re-use of certain categories of public-sector data which are subject to the rights of others, such as trade secrets, personal data, and data protected by intellectual property rights.
The Digital Markets Act,[6] on the other hand, presents a set of rules targeting the big online platform companies that are defined as gatekeepers by the Commission. It aims to protect SMEs in their competition with the big tech companies, and hence, enhance consumer welfare.
It is apparent that while the Data Governance Act focuses on providing a legal framework, processes and structures to promote data sharing and the Digital Markets Act creates rules on fair competition between gatekeepers and other market players, the Data Act clarifies who can create value from data and under what conditions.
Lastly, as emphasized by the Commission, the Data Act is fully consistent with the General Data Protection Regulation[7] (“GDPR”) and builds on GDPR rules, in particular on the right to data portability. Data portability allows data subjects to move their data between controllers who offer competing services. While the GDPR is limited to personal data processed on certain legal bases, the Data Act allows consumers to access and port any data generated by the Internet of Things, both personal and nonpersonal.
Which Issues Does the Briefing Include?
The Briefing provides an initial analysis of the strengths and weaknesses of the Commission's IA[8] on the Data Act.
The IA, without being exhaustive, highlights four problems, which represent different aspects of the overall problem of insufficient availability of data for use and re-use within the EU or for societal purposes. Moreover, a problem tree illustrates these problems by identifying the nature of the problem, the drivers behind them, affected parties and possible consequences without the intervention of the EU, and provides the reader a clear overview of the link between them.
First of all, having a limited ability to realize the value of the data generated by the usage of connected products (such as smart home appliances or fitness trackers) and related services by consumers and companies is defined as a problem for B2B / B2C data access. “Low levels of data availability for creating added value in B2B relations” due to abuse of contractual imbalances concerning data access (such as excessive pricing which especially affects SMEs) and lack of common data sharing practices is identified as a problem in the second place.
According to the IA, the third problem is that inefficient practices for the usage of private sector data by the public sector could put an undue administrative burden on the companies. These concerns are raised especially in emergencies such as Covid-19, extreme weather events, and environmental degradation. Lastly, the problem for data processing services is considered as barriers to switching of cloud and edge computing services and risks of unlawful third country access to data. In this context, not having a competitive market for cloud and edge services in place is evaluated as an obstacle in the value creation based on data for many actors.
The IA indicates that the above-mentioned problems could result in limited competition, slower data innovations, higher prices for data products and services, loss of EU competitiveness in the global data economy, low quality public services and lack of necessary and adequate computing resources for data sharing.
The IA observes that these problems are not EU member state-specific, and that data value chains in the EU are already structured largely in a cross-border manner. It argues that national intervention cannot guarantee a coherent framework in the entire single market and ensure comparable data access and use conditions of data access and use throughout. Thus, it concludes that a EU intervention, unlike national intervention, can ensure a coherent framework in the single market for national as well as sectoral approaches to tackling data barriers, and ensure comparable access and use conditions for common European data spaces.
It is also understood from the Briefing that based on analysis and comparison of three policy options, which were explained in the IA, option two is preferred. This option aims to balance existing incentives to invest in data-generating activities with legislative measures that strengthen legal certainty on how data can be used and by whom, along with a light regulatory approach defining minimum framework conditions for switching between cloud and edge providers. According to the Briefing, the presented options appear to be realistic alternatives offering a range of measures that build on existing and planned data-sharing instruments and other initiatives under the European Strategy for Data.
The IA distinguished between various stakeholders and reflects their views throughout; they were taken into account when analysing and comparing the options. Moreover, the IA deems that the initiative is highly relevant for SMEs: “Data is a critical resource for start-ups and SMEs, in particular, as a business can be set up with very low initial capital. Some 85 % of new jobs in the data economy over the last years have been created by SMEs.”[9]Accordingly, there are some exemptions included for SMEs and micro-enterprises to both optimise benefits for and minimise burden on SMEs.
The complementarity of the Data Act is emphasized as one of its significant qualifications since it leaves room for vertical legislation to set more comprehensive rules addressing sector-specific technical aspects of data access, such as cyber security or data formats.
As a result, the Briefing concludes that the Data Act proposal appears to correspond essentially to the preferred policy option specified in the IA, except for one minor discrepancy regarding the timeframe for evaluating the proposal.
Conclusion
It is an undeniable fact that digital technologies have seriously affected and dramatically changed both the world’s economy and our daily lives over the last few years. Data is, naturally, the core component of this transformation. Nowadays, as clearly stated by the Commission, data is a substantial element and resource for businesses, their economic growth, competitiveness, innovation, and job opportunities, as well as for the improvement of societies.[10] It seems that the Commission is continuing to expand its data laws by taking the importance and value of the data, access, its usage, and possible effects into account. The Data Act, which is defined as the last horizontal building block of the Commission’s data strategy, appears to make data sharing and use/reuse easier for all by providing standards at an EU-wide level. It should be noted that this is the draft legislative proposal of the Commission and needs to be approved and adopted by the competent authorities. The implementation and the actual effects of the above-mentioned and forthcoming regulations on all the actors of the data economy will be eagerly awaited.
- https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52020DC0066, (Access date: 01.08.2022).
- https://ec.europa.eu/commission/presscorner/detail/en/ip_21_983, (Access date: 01.08.2022).
- Briefing on Initial Appraisal of a European Commission Impact Assessment, https://www.europarl.europa.eu/thinktank/en/document/EPRS_BRI(2022)730351, (Access date: 01.08.2022).
- https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52022PC0068, (Access Date: 01.08.2022).
- On 3 June 2022, Regulation (EU) 2022/868 on European data governance has been published in the official journal of the EU and entered into force on the 20th day from its publication. It shall apply from 24 September 2023, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R0868, (Access date: 01.08.2022).
- https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020PC0842&from=en, (Access date: 01.08.2022).
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), https://eur-lex.europa.eu/eli/reg/2016/679/oj, (Access date: 01.08.2022).
- Commission Staff Workıng Document Impact Assessment Report – Accompanying the document Proposal for a Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act), 23 February 2022, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52022SC0034&from=EN, (Access date: 01.08.2022).
- Commission Staff Workıng Document Impact Assessment Report, p. 2.
- https://digital-strategy.ec.europa.eu/en/policies/strategy-data, (Access date: 01.08.2022).
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.
Other Contents
The first “Artificial Intelligence Act” of all time, which includes rules and regulations that directly affect tools such as ChatGPT, Bard and Midjourney adopted by the European Parliament with a majority of votes. Thus, the European Parliament has officially taken the steps of a regulation that could be a turning point for...
In its decision regarding Case-300/21 and dated May 4, 2023, the Court of Justice of the European Union (“CJEU”) evaluates the right to compensation for an infringement of the European Union General Data Protection Regulation (“GDPR”) regulated in Article 82 of the GDPR. The CJEU decided that a mere...
ChatGPT, a large language model (LLM) developed by OpenAI, is an artificial intelligence (AI) system based on deep learning techniques and neural networks for natural language processing. ChatGPT can process and generate human-like text, chat, analyse and answer follow-up questions, and acknowledge errors...
The Personal Data Protection Law numbered 6698 (“PDPL”) introduces definitions for many concepts such as personal data, data controller, data processor and data subject. In terms of understanding and interpreting these concepts, secondary legislation, Personal Data Protection Authority (“Authority”) guidelines...
The Covid-19 pandemic and recent technological developments have significantly accelerated the digital transformation of all sectors. However, this rapid change especially in the financial sector (mobile banking, e-commerce, contactless payments, etc.) has brought some risks along with making life extremely...
Smartwatches have undeniably revolutionized our lives in the past decade. Apart from their core function as a timepiece, these wearable computers packaged in the form of a watch enable us to answer incoming calls, reply to messages and skim through social media notifications in seconds. Their steady rechargeable...
The Personal Data Protection Authority (“DPA”), on 16.06.2022, published the Draft Guidelines on Examination of Loyalty Programs within the Scope of Personal Data Protection Legislation (“Draft Guidelines”). The public has until 16.07.2022 to submit comments on them, and after these are evaluated...
The German Competition Authority (“Bundeskartellamt”) had previously found Meta (formerly Facebook) responsible for abusing its dominant position in the social network market by collecting and processing the personal data of its users without their consent and imposed measures on Meta and its associated...
Banks process large volumes of personal data in their daily operations. In order to deal with this sensitive information, the Turkish Personal Data Protection Authority, in cooperation with the Banks Association of Turkey, published Good Practice Guidelines on Personal Data Protection in the Banking...
The procedural rules on mass claims within European Union (“EU”) Member States is not uniform. To improve the position of consumers who might wish to make such claims, the European Parliament passed the Collective Redress Directive (“Directive”). The impact of the Directive is expected to...
The Regulation on Protection and Processing of Personal Data by the Social Security Institution (the “Regulation”), the purpose of which is to determine the procedures and principles for processing data obtained within the scope of the duties and authority of...
The Personal Information Protection Law of the People’s Republic of China (“PIPL”) passed at the 30th meeting of the Standing Committee of the 13th National People’s Congress on 20 August 2021 and entered into force on 1 November 2021 as per Article 74...
In today's world, there is no doubt that data has become one of the most valuable assets and resources for some companies. The ability to collect, store, process, and analyze data on a large scale has dramatically changed...
