The new compromise on the draft data law, seen by EURACTIV, further refines the protection of trade secrets and clarifies the relationship with data protection rules and the application of the cloud-switching provisions.
The Swedish presidency shared the sixth compromise text on the Data Act on Wednesday (8 March), with the view of discussing it on 14 March at the Telecom Working Party, a technical body of the EU Council.
The Data Act is a flagship legislative proposal intended to regulate how data is shared, accessed and ported. If no significant opposition is raised next week, the presidency’s text will land on the Committee of Permanent Representatives (COREPER) table on 22 March.
The intent is to quickly launch interinstitutional negotiations with the European Parliament, which is set to formalise its position at the plenary session next week.
Scope
The Data Act introduces the principle that users of connected devices should have the right to access and share the data they contribute to generating. However, which type of data should be covered by these data-sharing obligations has been a contested topic.
The controversy lies in that data might contain commercially sensitive or trade secrets related to how the organisation controlling the data, the data holder, processes it to obtain insights and other information.
With this in mind, in the previous compromise, the Swedish presidency proposed cutting out of the scope all data processed via systems subject to Intellectual Property (IP) rights or specific know-how of the data holder.
This reference to ‘specific know-how’ was removed from the new text, as it was considered to lead to legal uncertainty since the concept is not defined in the proposal.
Trade secrets
In the last compromise, the presidency also introduced the possibility for data holders to refuse to share data under exceptional circumstances. That is, if they can demonstrate it will be highly likely to cause them severe damage despite the possible safeguards the receivers might put in place.
The scope of this exceptional refusal has been broadened from unlawful misuse or disclosure of information covered by IP rights to any trade secret. The data holder would have to duly substantiate the reasoning for its denial and inform the competent national authority.
Serious damage was defined as “damage with an adverse effect on the conduct of economic activity, when the data holder would face significant economic losses, which could, in particular, threaten its viability or pose a serious risk of bankruptcy”.
The text’s preamble lists factors to be considered, such as the lack of enforceability for trade secrets protection in the jurisdiction where the data would be transferred, the level of confidentiality of the requested data, the uniqueness and novelty of the product and cybersecurity.
Data protection
Another critical aspect of the discussion concerned the relationship between the Data Act and the General Data Protection Regulation (GDPR). New wording clarifies that whenever users obtain personal data that is not theirs, the Data Act does not provide the legal basis for processing it.
The data holders would have to ensure their sharing of personal data complies with EU data protection rules, including by anonymising personal data or only transferring personal data related to the user.
Cloud switching
The Data Act is meant to foster competition in the cloud market by reducing barriers to switching from one cloud service to another. In this regard, it mandates the complete withdrawal of data egress fees and switching charges three years after its entry into force.
At the same time, a new paragraph specifies that the EU regulation does not prevent “parties from agreeing on contracts for data processing services of a fixed duration, including termination charges to cover the early termination of said contracts, in accordance with national and Union law”.
Business-to-Government (B2G)
The new data law empowers public bodies to request access to data held by private companies under exceptional circumstances. Notably, to respond to or mitigate a public emergency or if the public authority needs the data for a task in the public interest and cannot get it otherwise.
However, for the production of official statistics, the requirement that the public body could not purchase the relevant data on the market does not apply if the statistical institutes can demonstrate the applicable law does not allow them to do so.
Sectorial legislation
The Data Act is one of the main layers of the European data strategy, which also includes creating sectorial data spaces for sectors like energy and agriculture. A reference to scientific research was added as an example of sectors that might necessitate further requirements.
Review
Two years after the new regulation starts applying, the European Commission must evaluate its effects.
The elements the EU executive will have to consider in its review have been amended to cover the impact on the development of new products and related services, the impact on small and medium-sized SMEs and their capacity to innovate, and the availability of cloud services for European users.
[Edited by Nathalie Weatherald]
