The EU Data Act proposal and its interaction with competition, privacy, and other recent EU regulations
Data access and data-related services remain a critical focus for businesses, governments, lawmakers and regulators alike. An important piece of the emerging EU regulatory framework for data is the proposed Data Act, which has the declared objective of ensuring fairness in how the value of data is allocated and unlocking the potential of the data economy in the era of cloud computing and the Internet-of Things.
With the European Parliament and Council of Europe both recently adopting their positions on the draft EU Data Act, negotiations to finalise the text of this landmark piece of EU legislation are set to commence. In our recently published paper, we examine the EU Data Act proposal and explore its interaction with EU competition and privacy regimes, as well as other emerging EU digital regulations.
Our overview article below is the first in a series of articles that will spotlight the issues discussed in our paper.
The Data Act in context
'Data monetisation' - the use of data for economic benefit – is an important part of our digital economy. It includes transactions where data itself is the traded asset or even the means of payment. Given its potential to reshape many markets, EU institutions and regulators have turned their attention to how data is collected, processed and accessed. The use of data as an asset in its own right, albeit an intangible one, triggers complex legal and policy issues: on the one hand, data aggregations can give the data holder significant competitive advantages; on the other hand, such data can also be valuable to the individuals or businesses who generated the data, and its improper use or inadequate protection could entail serious risks for them.
With the Data Act proposal, the EU's lawmaking institutions are seeking to make more widely accessible the data generated through use of Internet of Things (IoT) or 'connected' devices and related services, as well as facilitate switching between providers of cloud and other data processing services. Their ultimate goal is to give IoT device users more control over the data they generate, while unlocking the value of that data across all sectors in the EU.
The keys to data reuse: data access, interoperability and sharing …
The proposal has three pillars, all of which rely on the assumption that the pursuit of the Data Act's goals would be prevented by any kind of barrier to the free flow of data within the EU:
- Access to data: The proposal establishes legal obligations to make IoT-generated data available to, among others, consumers and businesses
- Data interoperability and portability: The proposal provides for the development of interoperability standards for data to be reused, and aims to facilitate the exercise of the right to data portability (beyond personal data portability)
- Data sharing and pooling: The proposal establishes a framework for data sharing obligations in B2C, B2B and B2G relationships, e.g., in the form of 'data pools'1or 'data trusts'.2
… and their competition and privacy implications
The Data Act proposal has implications for a number of concerns that could arise in relation to data use and access that have traditionally been dealt with under competition law, including:
- data as a potential driver of market concentration and barriers to entry
- leveraging third-party generated data accumulated in one market for a competitive advantage in another market
- self-preferencing (e.g., a search engine favouring its own products and services)
- restriction of competitors' access to data
- creation of network effects (where a service improves due to the accumulation of users, content and data)
- preventing multi-homing by users across multiple services, and/or switching between services.
The effective use and reuse of data could help boost productivity and lead to the introduction of new and improved products, processes, organisational methods and markets. While this would increase overall welfare, there are concerns that the sharing of information can facilitate practices that have the potential to harm individuals and the market as a whole. Further, the Data Act proposal raises questions in relation to its proposed “functional equivalence” requirements, which may result in impeding innovation by eliminating product differentiation and reducing incentives to innovate.3
As a significant portion of IoT-generated data and data stored in cloud services is personal data, data access, interoperability, portability and sharing under the Data Act proposal also have privacy implications. For example, both the party granting access to data and the party accessing the data under the rights established by the Data Act would have to analyse whether such data includes personal data and, if so, how to ensure that such data access is compatible with the obligations and restrictions of the EU's General Data Protection Regulation (GDPR).
A combined competition and privacy compliance system
Any sharing of data under the Data Act will need to address the intertwined compliance requirements relating to competition laws, privacy laws and other digital regulation which will apply alongside the Data Act.
Even before the Data Act joins this complex legal landscape, the intersecting application of existing laws is raising questions as to how these laws are to be applied together and regulatory jurisdiction regarding their enforcement. Notably:
- The EU Court of Justice has been asked to confirm whether national competition authorities are entitled to assess the compliance of data processing with the GDPR in order to then assess if a competition breach occurred (see Meta Platforms and Others v Bundeskartellamt, C-252/21). The EU Court of Justice decision may pave the way for greater clarity on how the competition and privacy regulators are likely to interact and resolve tensions between the two regulatory spheres going forward.
- Breaches of the obligations under the Data Act would result in significant, GDPR-like fines. However, given the interplay between competition, privacy and data, it remains to be seen whether violations of the Data Act will only be assessed as such, or also considered breaches of other legal regimes in relation to their ability to restrict competition or to hinder the exercise of privacy rights, or both – potentially resulting in additional fines under other legal instruments, such as the GDPR.
The complexity of this interplay will increase with the introduction of the Data Act.
In light of the above, when designing projects, policies and processes aimed at ensuring compliance with the Data Act, businesses should also assess the potential competition and privacy implications. Accountability remains a key overarching principle of the EU technology regulations, meaning that businesses will be expected to be in a position to explain why a particular choice was made. Business falling within the scope of the Data Act may therefore consider creating Data Act-related governance documents referencing privacy, competition and other regulatory compliance documents (e.g. DPIAs, legitimate interest assessments, privacy notices, competition compliance policies) in order to show how compliance in relation to all of the above areas is wholistically pursued.
Read our in-depth review of the EU Data Act proposal, it's interaction with competition, privacy, and other recent EU regulations. This article was originally published on Thomson Reuter's Practical Law. This article is based on the European Commission’s Data Act Proposal dated 23 February 2022. The Data Act will shortly be entering the trilogue process, through which the text will be negotiated by the European Commission, the European Parliament and the Council of the European Union.
Upcoming: our next article will look at how this interplay impacts access to data.
To discuss any of the issues explored in this article, please contact the authors Shruti Hiremath, Andrea Tuninetti Ferrari, or Manel Santilari, or our other expert contacts listed above under 'Others with relevant expertise'
Notes
1. 'Data pool' refers to the aggregation and combination of datasets acquired from different sources. IoT devices may be a useful tool for pooling as they are capable of generating large amounts of data which can be fed into a data pool, hence – by regulating data generated by IoT devices and related services – the Data Act proposal would also indirectly contribute to creating a legal framework for data pools.
2. 'Data trusts' are built around a concept of pooled or shared resources subject to a collective understanding around access or use. Compared to data pools, data trusts introduce an element of collective management of individual rights to data access and use, in the form of a third party, independent from both data holders and data users, who makes decisions on their behalf regarding access to, and use of, the data in the data pool.
3. The Data Act proposal seeks to facilitate switching between data processing services (such as cloud and edge services) through, amongst other things, requiring a minimum level of functionality in the environment of a new data processing service after the switching process. For further details on the concerns that this provision gives rise to, including discrepancies between Article 2(14) and Article 22a(7) of the European Parliament position on this provision, please see Ennis, Sean and Evans, Ben, 'Cloud portability and interoperability under the EU Data Act: dynamism versus equivalence', Working paper, 22 March 2023, available here.