Computer & Communications Industry Association
Published March 14, 2023

Data Act: Modest Improvements by EU Parliament and Council Fail To Address Structural Flaws

Brussels, BELGIUM – Today, the European Parliament adopted its final report on the Data Act, the proposed EU regulation introducing harmonised rules on data-sharing and access obligations. With Member States set to approve their own mandate in a few days, final negotiations between the EU institutions are expected to kick off soon.

One year after the European Commission published its original proposal, the Parliament and national governments have now put forward some helpful amendments to protect companies’ trade secrets and to prevent overly broad data access requests from public authorities.

Nevertheless, on balance, the proposed framework remains highly prescriptive. The Data Act would introduce detailed rules instructing companies when and how they should share data, with whom, and under which specific contractual and technical conditions.

The Computer & Communications Industry Association (CCIA Europe) reiterates that both Parliament and Council have failed to address important shortcomings of the draft Data Act so far.

Among other things, users would still be prohibited from exporting their own data to any services of their choice if those are operated by a company that is designated a “gatekeeper” under the Digital Markets Act (DMA). In practice, this not only undermines consumer choice, but also forces companies receiving data-portability requests to break their obligations under the DMA and GDPR.

What is more, the Data Act leaves considerable room for excluding non-EU cloud companies from parts of the European market. Under Article 27, which obliges companies to demonstrate they are immune to foreign extraterritorial law, this would be possible through arbitrary enforcement by national regulators – akin to recent decisions banning web analytics services from outside the EU.

Article 27 is also an open invitation to develop new rules that discriminate against foreign firms, such as the forthcoming, highly-contentious EU certification scheme for cloud services (EUCS). 

According to a poll, 40% of European companies consider Article 27 a de-facto ban on all data transfers with their subsidiaries, partners, affiliates, and vendors outside Europe. The remaining 60% expect significant operational and commercial challenges, with an average cost of compliance to the tune of 4% of their annual global turnover, and 5% for data-intensive companies.

The following can be attributed to Alexandre Roure, CCIA Europe’s Public Policy Director:

“Despite modest improvements, we remain concerned with several critical aspects of the Data Act. If these remain unaddressed, the Act will undermine consumer choice, conflict with data protection and competition rules, and present an open invitation for excluding non-EU cloud companies from the EU market.”

“As it stands now, the Data Act risks severing Europe’s digital ties with the world economy. EU lawmakers should beware that they are endorsing rules poised to inhibit data flows and ban the use of foreign cloud services.”

“CCIA Europe hopes that the European Parliament and the Council will now carefully assess and address the proposal’s deficiencies in the final negotiations.”