EU lawmakers adopted their version of the Data Act with an overwhelming majority during a plenary vote at the European Parliament in Strasbourg on Tuesday (14 March).

The Data Act is a landmark legislative proposal intended to remove barriers to the circulation of industrial data by regulating the rights and obligations of all the economic actors involved in sharing data from Internet of Things (IoT) products – connected devices capable of collecting and exchanging data.

The European Parliament’s adoption of the text paves the way for interinstitutional negotiations with the EU Council and Commission, the so-called trilogues. The first political meeting is already scheduled for 28 March.

For MEP Damian Boeselager, the Data Act is about “moving from a world today, where data is mostly kept hidden on private servers, to a future in which data is widely shared and further used for innovative business models, more efficient processes and better policy making.”

European Parliament readies position on the Data Act

EURACTIV provides an overview of the main changes EU lawmakers introduced to the new data law ahead of the EU Parliament’s key votes.

Scope

The new data law introduces the principle that users of connected devices have the right to access and share the data they contributed to generating. However, which type of data should be covered by the data-sharing obligations was a highly sensitive topic.

The EU lawmakers settled on the non-personal data the IoT products have collected. That excludes any data that results from the processing and inferring of ‘complex proprietary algorithms’, which for instance, combine metrics from different sensors.

Business-to-Consumers (B2C)

The European Parliament clarified the scenarios where the users involved are customers or businesses. A B2C scenario might be someone who purchased a smart fridge and wants to share the data with an alternative repair service cheaper than the fridge manufacturer.

When the data receiver is a consumer, the organisations controlling the data, the data holder, in short, will not be able to charge the consumer directly or indirectly. In turn, MEPs allowed consumers to sell the data they obtained under the Data Act.

Moreover, EU lawmakers introduced more transparency obligations for the manufacturers that will have to outline the type of data their devices collect.

Business-to-Business (B2B)

However, since the Data Act focuses on industrial data, the most significant part of the legislative proposal is B2B data-sharing, as most connected product users are companies. The companies cannot use the data they receive to develop a competing product but can employ it to inform an alternative service.

Regarding B2B data-sharing, the data holder can request compensation. If the receiving company is an SME, the compensation could not exceed the technical cost of making the data available.

By contrast, large companies will also be charged a profit margin to create an economic incentive for data holders to collect industrial data. Similarly, data holders cannot monetise granular data as the users, but MEPs allow them to sell aggregate data.

“Through our proposals, we managed to put users at the centre of the data economy, by empowering them to get more access and to monetise the data they generated,” liberal MEP Alin Mituta told EURACTIV.

“We believe this will restore the balance in the relationship with the manufacturer and prop up the emergence of a genuine European market for data.”

Business-to-Government (B2G)

The Data Act also empowers public sector bodies to request data from private companies in exceptional circumstances, such as in response or to prevent a public emergency.

The EU lawmakers restricted these provisions to non-personal data and introduced stricter conditions for public authorities to request access to privately-owned data and stronger protections for the data’s economic value after it has been shared.

“We have to find the ways that the public sector can also utilise the data that they really need for the benefit of society whilst keeping the EU’s data protection rules in place,” said progressive lawmaker Miapetra Kumpula-Natri.

Data Act: EU Council insists on trade secret protection in semi-final text

The new compromise on the draft data law, seen by EURACTIV, further refines the protection of trade secrets and clarifies the relationship with data protection rules and the application of the cloud-switching provisions.

Trade secrets

A critical point in B2B data-sharing is to what extent they should be limited by protecting sensitive commercial information, as MEPs strived to balance the respect for the investments of established economic operators and the innovation of emerging competitors.

Large international manufacturers like Airbus obtained several caveats to the B2B data-sharing obligations on the ground of trade secrets being obtained by Chinese rivals or undermining the safety of a product.

In particular, those receiving the data will be liable for the damages caused to the data holder for any unlawful disclosure.

Cloud switching

The Data Act also introduces measures intended to facilitate the possibility for customers to change cloud providers. At the centre of this part of the text is the concept of functional equivalence, the idea that the website or app should maintain the same functionalities in the new environment.

Initially, the rapporteur for this part of the text in the Internal Market and Consumer Protection Committee (IMCO) proposed removing functional equivalence altogether. However, the concept was reintroduced, but the contractual power of the incumbent providers was enhanced significantly.

Functional equivalence for switching cloud services back on EU Parliament’s text

The obligation for cloud providers to maintain an equivalent level of functionality when a customer changes service has resurfaced in the European Parliament’s leading committee discussion.

International data transfers

A controversial provision of the data law is that it prevents cloud services from sharing non-personal EU data with the authorities of a third country. The EU lawmakers amended this part to require cloud providers to locate their data infrastructure in Europe.

Unfair contractual terms

The European Parliament extended the prohibition of unfair contract terms concerning data sharing to all companies, as opposed to the original proposal that only protected SMEs.