Data Access at the Crossroads
On 23 February 2022, the European Commission officially published its draft of the forthcoming Regulation on ensuring fairness in the allocation of value across the data economy (Data Act). We had already reported on this keystone of the EU’s Digital Strategy, which seeks to implement rules on access to data generated by the use of connected products and related services by design.
As highlighted by Executive Vice-President Vestager, the Data Act seeks to “give consumers and companies even more control over what can be done with their data”, to boost competition and to provide more opportunities for data-driven innovation. This will have far-reaching implications for many business models, particularly those related to the Internet of Things, and will impose burdensome compliance requirements on companies, which have to be considered as early as the product design stage.
Data privacy and competition law–driven requirements are intertwined in the proposal, with the Data Act drawing heavily from common themes across recent European regulation and enforcement actions in the digital space.
Overview of the Key Proposals
The Data Act proposes a number of far-reaching data access and sharing obligations. In particular:
- Users would be able to access data – both personal and non-personal data – generated by the use of connected products and related services in the EU and to share this data with third parties of their choice. The data holder would be required to comply with a user access request without undue delay, free of charge, and where applicable continuously and in real-time.
- Upon request by a user, or by a party acting on behalf of a user, the data holder would be required to make available the data generated by the use of a product or related service to a third party. Third parties would get access under fair, reasonable and non-discriminatory (FRAND) terms and be able to process the data only for purposes and under conditions agreed with the user (subject to the rights of data subjects in the case of personal data).
- Manufacturers and product designers would have to design products, related services and virtual assistants in a way that the data is easily, securely and (where appropriate) directly accessible by default – establishing the rule of “data access by design”.
There are also other rules relating to: (i) shielding SMEs from unfair contractual terms; (ii) providing data to the public sector where data is necessary to respond to a public emergency and situations of exceptional need; (iii) enabling customers to effectively switch between different cloud data-processing services and putting in place GDPR-style cross-border transfer restrictions for those services.
The Digital Markets Act: Casting a Large Shadow
The Data Act’s interplay with the EU’s proposed Digital Markets Act (DMA) shows how – while the DMA is not yet enacted – it is already casting a large shadow. It has been proposed that companies designated as “gatekeepers” under the DMA will not be able to benefit from the right to access data under the Data Act; they cannot request access to data being held by a data holder, shall not receive data from a user, and third parties are not allowed to share data with a gatekeeper pursuant to the Data Act.
Notably, the proposed data access and sharing obligations under the DMA are primarily linked to a gatekeeper’s main services (“core platform services”). In contrast, the Data Act significantly extends the regulatory reach by capturing all services provided by a gatekeeper, including all its legal entities. If implemented in this way, this would mean that “gatekeepers” need to be fully compliant with the aforementioned requirements but cannot benefit from the data access rights under the Data Act.
Towards a Competitive Data Market?
In the Data Act and the accompanying materials, the European Commission goes to great lengths to emphasise how the Data Act is seeking to create a more “competitive data market”. But sharing data is not guaranteed to increase competition; if data sharing requirements are too generous, they may stifle investment incentives, innovation and, in turn, competition. The challenge in striking the right balance between increasing data access and preserving innovation incentives is why competition authorities have generally steered clear of broad-brush and generalised data access and sharing requirements. Companies should expect that this approach may change, and that the Data Act will result in more regulators putting data at the core of their enforcement actions and imposing far-reaching obligations.
In addition, it will be interesting to see how the European Commission tries to balance the facilitation of data pooling, particularly between competitors, with EU competition laws, a question which has invited great legal uncertainty given the limits on information exchange under EU competition laws. Shortly after publication of the Data Act, the European Commission also invited comments on draft revised rules on horizontal cooperation agreements between companies, which contain additional guidance on data pooling arrangements, for example encouraging the use of independent data trustees.
Dark Patterns
Another area where data privacy and competition law come together is the question of user choice. Increasingly, regulators and legislators have grappled with what it means to give users sufficient choice in the context of obtaining consent for data processing activities by a company (e.g. with regard to the design of cookie banners). The Data Act now makes it clear that third parties, which access data from a data holder following an authorisation by an end user, should not rely on so-called “dark patterns” when designing their digital interfaces. Dark patterns are design techniques that are deemed to push, nudge or deceive consumers into decisions that have negative consequences for them, i.e. by designing a choice architecture in such a way that the user would be tempted to consent to, rather than disagree with, data processing.
The Question of Compensation
A final point to highlight: The Data Act lays out that whenever a data holder is obliged to make data available to a third party, it shall do so under FRAND terms. If other frameworks consisting of similar rules (particularly from competition and IP law) are any indication, the question of what constitutes “reasonable” compensation will likely be a contentious one between data holders and data recipients.
What Comes Next?
The Data Act will continue to make its way through the legislative process, in all likelihood changing shape until it is enacted. The interplay with other regulatory rules and proposals – be they at national or at EU level – will be of particular interest.
In any event, access to data remains front and centre of the agenda. It is difficult to predict when the Data Act will come into force (2023 is possible), but the proposed 12-month implementation period after the date of entry into force appears particularly short. Companies should therefore already start to assess whether they might fall under the scope of the Data Act and take the proposal into account when it comes to product design and business strategy decisions.
If you would like to discuss the proposals in more detail, please get in touch with your contacts in our Data and Antitrust, Competition and Trade teams. You can also reach out to Natalie Pettinger Kearney or Eugene McQuaid in our EU Regulatory and Public Affairs team, who are following the legislative process closely.