Prifina Comments to the Proposed EU Data Act: What Will Data Access, Interoperability, and Data Ownership Look Like in the Future?

On February 23, 2022, the EU Commission adopted a Proposal for a Data Act — a landmark document aiming to unlock user-generated data from silos. The Data Act will have significant effects on the IoT sector. In this post, we summarize Prifina’s document submitted to the EU Commission about how to improve the proposed Data Act.

Paulius Jurcys
Prifina

You can read the full text of Prifina’s Comments here.

Here are the key takeaways:

1. The Scope of Data Act

Since the publication of the first proposal of the Data Act, some stakeholders have been questioning whether the EU Commission has the powers and mandate to adopt such a legislative measure — a Regulation that would be directly applicable in all EU Member States. More specifically, some stakeholders argued that, from the economic point of view, no market failure would justify such legislative intervention.

At Prifina, we believe that adopting regulatory instruments promoting access and flow of data in the EU is long overdue. In our comments, we expressed our support for the EU Commission: the situation where data is locked in the walled gardens of manufacturers of IoT devices and providers of related services needs to be fixed. Moreover, it has become evident over the past years that market forces alone would not lead to the opening of the data to third parties. Instead, data will remain in the hands of data giants and data brokers.

2. Definitions

“Data”. Prifina welcomes a broad definition of “data”. Article 2 describes data as “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording.” Since there are so many layers of data, it would be quite meaningless to offer a more specific definition.

At the same time, we drew attention to the fact that the Data Act actually aims to concentrate on “user-generated” data, and that in practice, it will be necessary to clarify the relationship with other concepts such as “machine-generated” data and “personal data” (as it is interpreted under the GDPR).

We also requested the Commission to provide a clear definition (or at least an explanation) of what entities fall under the notion of “operators of data spaces”. The reason for such a request is that Article 28 of the Data Act mandates the “operators of data spaces” to comply with specific essential requirements to facilitate interoperability of data, data sharing mechanisms and services. Such a definition would be meaningful in defining the scope of interoperability obligations imposed by Article 28.

3. B2B and B2C Data Sharing

3.1. Paramount Significance of Data Access Rights and Data Portability

Prifina especially welcomes the Commission’s ambition to facilitate the flow of user-generated data and to unlock vast amounts of data from the walled gardens. With Article 35, provisions dealing with data access obligations will be paramount in building the new data economy.

We recognize the importance of ensuring that as much data is currently collected and held by the manufacturers of IoT devices and companies providing related services. Accessing more user-generated and personal data is an essential catalyst for helping individuals get control over their data and get value from it. This will also help third-party developers and brands create new types of applications that will help unlock value from personal and user-generated data.

Still, many data holders challenge the Commission’s push to give users access to the data they generate. We believe that providing more access to data will eventually benefit data holders: thanks to the data access framework introduced by the Data Act, the developer community will be able to build new types of applications that data holders are not able to create (either because of the lack of resources or lack of ideas).

However, it is important to make sure that broad data access rights by the users are balanced with the need to protect trade secrets. At Prifina, we recognize that trade secrets and intellectual property rights incentivize investing in cutting-edge technologies.

3.2. Data Transfers

We welcome the Commission’s work in trying to address and clarify the situation concerning cross-border data transfers (Art. 27). We recognize that the current data transfer regime is exceptionally complex and costly for companies that utilize data in their businesses.

At Prifina, we believe that the user-held data model can provide a workable solution to issues that exist in cross-border transfer situations. We have conducted an in-depth study about the benefits of the user-held data model when data has to be transferred to territories outside of the EU.

Here’s a link to our law review paper “The Future of International Data Transfers: Managing New Legal Risk with a ‘User-Held’ Data Model” (coming out in the next issue of the International Journal of Technology Law and Practice).

4. Interoperability

4.1. Balancing Open-Source and Proprietary Models

Prifina welcomes the Commission’s attention to the important topic of interoperability. At Prifina, we recognize that this is one of the most important preconditions for the functioning of the newly emerging data ecosystem. From the conceptual point of view, ideally, the standards determining how data flows from the data source and how raw data is collected and processed should be open-source.

Yet it is not realistic to expect a scenario in which all standards for data interoperability are open-source standards, and it is important that all the stakeholders in the data ecosystem work together to find the optimal combination between proprietary and open-source solutions.

4.2. The Notion of “Operators of Data Spaces”

Article 28 of the Data Act mandates the “operators of data spaces” to comply with specific essential requirements to facilitate interoperability of data, data sharing mechanisms and services.

Prifina requested the Commission to clarify what organizations and entities could be qualified as “operators of data spaces.” Neither the Data Act nor any other piece of the EU legislation contains a definition of an “operator of a data space.” While the general idea of an “operator of data space” could be alluded to, the lack of a clear definition creates much confusion and uncertainty. In practical terms, we are wondering whether entities such as Gaia-X could be considered an “operator of a data space” according to Article 28(1).

4.3. Who Should Develop Interoperability Standards?

The Data Act stipulates that (a) the Commission can request European standardization organizations to draft harmonized data interoperability standards (Art. 28(4)); (b) the Commission “shall” also adopt common specifications where harmonized standards do not exist (Art. 28(5)); (c) the Commission may also take similar measures to those outlined in Article 28 towards adoption of open interoperability specifications (Article 29).

Prifina shared its view that there is a great need to have common standards that could contribute to various aspects of data flow. At Prifina, we are also aware of the (shortage of) effort from the market stakeholders to develop data interoperability standards.

Based on our experience, we caution the Commission against the attempts to superimpose certain technological standards. In reality, such regulatory attempts end up being outdated, and lead to the concentration of power in the hands of several large organizations.

Instead, we proposed two possible measures for the Commission to consider: (a) creating incentives for various stakeholders in the market to develop open-source interoperability standards and (b) creating sandbox environments for various use-cases where open-source interoperability standards could be introduced and tested.

5. Exclusion of Sui Generis Rights

One of the more far-reaching provisions with regard to users’ access rights is entrenched in Article 35 of the Data Act. It provides that:

Prifina welcomes the adoption of this provision, which helps make clear that in situations where users exercise their right to access data, data holders cannot argue that the data is proprietary and cannot, therefore, be provided to the user. (In legal terms, data holders cannot use sui generis database rights under Art. 7 of the Database Directive as an affirmative defence.)

In our comments, we clarified that Article 35 of the Data Act does not aim to adjust the scope of application of the Database Directive. Instead, Article 35 should be read as narrowly tailored and applicable only when data users seek to access their own “user-generated data”.

At Prifina, we also recognize that the most complex practical challenge will be to determine the fine balance between (a) the user-generated data that users should be able to access and (b) the data that could (and should) be protected under the data holder’s trade secrets. We suggest that the EU Commission take a modest approach here and explore the application of Article 35 on a case-by-case basis.

Such a cautious approach is needed in order to make sure that the regulatory intervention does not take away incentives from IoT device and accompanying services manufacturers to continue investing in their technologies, but is finely balanced with the users’ legal right to get access to (raw) data they generate through the use of IoT devices.

Paths Forward

Prifina invites you to review the full text of Prifina’s Comments here and let us know if you have other insights.

Also, during this eight-week consultation period, 163 comments were submitted to the EU Commission. You can find all of them here.

Connect With Us and Stay in Touch

Prifina is building resources for developers to help create new apps that run on top of user-held data. No back-end is needed. Individual users can connect their data sources to their personal data cloud and get everyday value from their data.

Paulius Jurcys
Prifina

IP | Data | Privacy | Ethics | Harvard CopyrightX. I share views on innovation, creativity & how technology is making this world a more fun place to live in.