The body of EU member state representatives, also known as Coreper, has finalized its common position on the upcoming EU legislation about fair access to and use of data, known as the Data Act. This includes several changes compared to the document originally put forward by the European Commission, with more fine-tuning likely during the next stage of negotiations, this time between the three main EU institutions.

Coreper's mandate paves the way to negotiations between the European Commission, the Council of the European Union (not to be confused with the Council of Europe) and the European Parliament (EP), also called trilogue. The EP finalized its version of the Data Act earlier in March, which was another step needed to reach the trilogue stage.

Figure 1: The European Parliament has already approved its version of the legislation.
(Source: Abaca Press / Alamy Stock Photo)

The Data Act serves several purposes, the first of which is to improve access to data generated by smart objects and devices. Under the Data Act, customers would, in a nutshell, be given as much free access as is possible to the data generated by their devices, while businesses would be able to purchase non-personal data generated.

Based on the current positions of Coreper and EP, small and midsized enterprises (SMEs) would need only to pay a fee that corresponds to the costs of making the data available, while larger entities may also need to pay a margin. This could help incentivize companies to collect the data in the first place.

There are, of course, caveats. Companies will not be able to use the data to create a competing product, and businesses can refuse to share data if doing so would betray trade secrets.

ECS data exempt

According to Coreper, the changes it proposes would grant businesses more protection against misuse of shared data, including guarantees of dispute settlement mechanisms discouraging abuse and bad-faith behaviour.

In the telecom industry, there was some concern that data generated by electronic communication services (ECS) would not be exempt from the Data Act. It now seems this has been cleared and ECS data is not within the legislation's scope.

ECS data, according to an LE Europe study commissioned by the European Telecommunications Network Operators' Association (ETNO), pertains to a device's use of the network, rather than any specific functionality of said device. The study also notes that including ECS data would have risked creating "disproportionate regulatory obligations for telecommunications service providers" while creating little added value for IoT users.

Another goal of the Data Act is to protect SMEs from contractual rules imposed by larger parties (think Big Tech) that are deemed unfair. This is to be done, for example, by offering model contract clauses that can be used by small businesses during negotiations.

Data portability is also addressed by the Data Act. The EU seeks to simplify transfers of data from one cloud provider to another, tackling an issue that has long exasperated telcos (and many others).

Here, Coreper has proposed changes that would prevent data-processing service providers from obstructing the porting of a customer's data. Further, all customers would have the right to request full deletion of their data under the proposed text.

Disaster data

But ETNO and the GSM Association, a telco lobby group, have argued that further tweaks are needed to differentiate between source providers of data processing and resellers. They argue additional provisions are needed to ensure resellers can implement the switching process by the source provider of cloud services.

Perhaps the most sensitive part of the Data Act is the one dealing with data transfer from businesses to governments. During exceptional circumstances, such as public health emergencies, natural disasters and major cybersecurity incidents, governments and EU bodies could be granted access to the data necessary to respond. They may also request access to data if that is demonstrably necessary to prevent such events.

Here, Coreper says its proposed tweaks focus on clarifying what constitutes an exceptional need, as well as guarantees regarding potential third-party data use.

It is possible that, much as with GDPR, the Data Act will have repercussions beyond the EU. One may, however, join Finland's minister of transport and communications, Timo Harakka, in saying its impact will also depend on how strictly the regulation is implemented and enforced by member states, as shown by experiences with GDPR.

Related posts:

— Tereza Krásová, Associate Editor, Light Reading