How the Data Act can make Europe fit for the Digital Age
Winter is coming, and so is the EU’s latest flagship data legislation, otherwise known as the Data Act. But rather than chill European businesses with new data restrictions, the European Commission is warming up to the idea that data can significantly drive economic growth and innovation, transform businesses, and improve social welfare. This blog post reflects CCIA Europe comments this week on the Data Act public consultation, and is the first of a series investigating how the Data Act can make Europe fit for the Digital Age.
Until recently, the conversation about data in Europe’s policy circles focused on mitigating the risks intrinsic to the use of data. Now that the GDPR is in force and a new e-Privacy Regulation is well underway, EU policymakers appear much more inclined to talk about the good that data can do. To quote the European Commission:
“The Commission is convinced that businesses and the public sector in the EU can be empowered through the use of data to make better decisions. . . . [The] potential [of data] should be put to work to address the needs of individuals and thus create value for the economy and society. To release this potential, there is a need to ensure better access to data and its responsible usage.”
This is where the Data Act proposal, scheduled for the end of the year, comes in. The question is, what would a new data legislation need to address to further tap into Europe’s data potential? The European Commission is still exploring several options, but according to preliminary documents, the Data Act proposal could include new rules on when, where, and how companies should be able to access, process, and share data with other companies and governments. This is all well and good, but a heavy-handed approach may risk hamstringing Europe’s thriving data economy and achieve the very opposite of what is intended.
Let’s focus on policy options to increase data-sharing among businesses for a moment. The reality on the ground is that European companies increasingly share data with one another. According to a recent Commission study, “around 40 % of the surveyed companies reported to share and/or re-use data with/from other companies.” For businesses that have not made the leap yet, the study reports that “a considerable proportion of [them] expects to start sharing and re-using data in the next five years.” To support this trend, the European Commission should “keep a minimal regulatory approach”, coupled with practical tools to clarify applicable for companies interested in making their data available and/or accessing data from others. One such practical tool could be setting up voluntary standard contractual terms built upon applicable EU rules that are relevant for B2B data-sharing purposes, e.g. rules on data protection and privacy in electronic communications, database rights, and data localisation prohibition.
How companies share data with one another should remain a business decision, and preserving as wide a range of B2B data-sharing governance models as possible is essential. There is no one right way for businesses to share or access data, and licensing agreements based on fair, reasonable, and non-discriminatory (‘FRAND’) terms cannot be the sole governance model for data sharing in Europe. That would be a huge disservice to European businesses which, according to the same Commission study, primarily access data through open data frameworks – a governance model which typically provides more generous conditions to data users than FRAND licensing terms.
The Data Act proposal will also likely deal with governments’ access to business data for “public interest purposes.” There is certainly merit for public bodies obtaining data from businesses for urban planning purposes, traffic analysis, or during public health emergencies, and businesses have recognised that. In the mobility sector for instance, European transport authorities and ride-hailing companies are increasingly working on data sharing agreements for traffic congestion analysis, or urban planning purposes. This is what happened in Lisbon, and Amsterdam, while the Flander region is currently working on a similar project.
The downside is that public bodies and businesses end up having the same discussion over and over about which data should be shared, for which purpose(s), in which format, and using which protocol to ensure that all parties comply with rules on privacy and intellectual property rights. This is where the EU can step in and develop practical tools for local authorities and businesses to consider when they are negotiating voluntary data sharing agreements. But let’s make no mistake: forcing companies to relinquish data to public authorities for a range of public interests and simply because it may be convenient for them should raise significant public and business concerns not least with regard to intellectual property rights and user privacy.
Finally, successful policies fostering the sharing and free flow of information necessarily rely on unencumbered cross-border data transfers. It is positive to see that the EU has committed to uphold the principle of free flow data and address common challenges with like-minded governments. One such challenge is undeniably the impact of extraterritorial government data access, and the EU and its G7 and G20 partners have recently set out a roadmap supporting the work of the OECD and delivering tangible progress on this issue.
Despite this welcome move, the European Commission is now considering introducing new unilateral GDPR-style restrictions for business data so as “to mitigate the risks resulting from government access to non-personal data of companies established in the Union.” This would stand in stark contrast with the EU’s recent commitments to work on common solutions with G7 and G20 governments. And however laudable the Commission’s goal may be, data transfer restrictions ‘à la Bruxelloise’ not only predate the Internet, they have also recently thrown European businesses into unprecedented legal uncertainty. So much so that some authorities have essentially argued it would be virtually impossible to do business in Europe as a foreign company or a European company with operations abroad. Now apply that logic to corporate data, and Europe ends up being a digital island, with little to no connection with the outside world.
There is a wealth of evidence that shows that data transfer restrictions or otherwise similar measures “impose considerable costs on those forced to abide by [these requirements]”, from reduced competition among vendors and increased upfront costs for customers, and generally “have a negative and significant impact on the performance of downstream firms in sectors reliant on electronic data.” From a vendors’ perspective, domestic data transfer restrictions “barring [or restricting] access to foreign services only invite reciprocal [measures] from one’s trading partners”, and undermine local vendors’ chances of exports.
It’s hard to imagine how Europe could ever be a “world class data hub” if it pursues policies that would sever its digital ties with the rest of the world and turn Europe into a digital island. The path to mitigate concerns over foreign extraterritorial government access to private and corporate information is multilateral solutions, not isolated unilateral acts.
In the coming months, the Data Act could be a chance for Europe to accelerate data-driven economic and social welfare in Europe and make the continent fit for the digital age. Will policymakers seize that opportunity?