In 2021, the European Commission released its proposal for a “Data Act”, a far-reaching legal regime on access to and use of non-personal data in the EU. The basic premise underlying the Commission’s proposal is that industrial data – 80% of which is not used to date – constitutes untapped potential. Through the Data Act, the Commission aims to overcome the legal, economic and technical obstacles it believes to be responsible for the underuse of data, and to clear the way for increased data use.
As highlighted in our earlier Law-Now, the Data Act proposal focuses on regulating five key areas of access and use of non-personal data in the EU:
- B2C and B2B data sharing: Rules allowing users of connected devices (IoT products and services, virtual assistants) to gain access to data generated by them and to share such data with third parties.
- Data access conditions: Rules on conditions for data access, under the Data Act or other EU legislation, introducing in particular the FRAND standard.
- Prohibition of unfair terms: Rules preventing abuse of contractual imbalances in data sharing contracts with SMEs.
- B2G data sharing: Means for public-sector bodies to access and use data held by the private sector that is necessary for exceptional circumstances, particularly in the case of a public emergency.
- Portability and standard setting: Rules allowing customers to effectively switch between different cloud data-processing services providers and putting in place safeguards against unlawful data transfer.
The Act is currently in the final stages of intensive discussions both at the European Parliament and the Council, representing the EU Member States. Once both institutions have agreed on their final positions, the proposal will enter the final so-called trialogue negotiations between European Parliament, the Council and the Commission.
Impact of proposed Data Act on the Cloud Services sector
In a series of articles over the coming weeks we will review the potential impact of key aspects of the proposed Act on the cloud sector, the service providers that operate within it (“CSPs”) and their customers.
Cloud services stakeholder concerns
When the Commission carried out its public consultation on the EU Data Act proposal, it reported that 449 stakeholders responded to its consultation questionnaire from 32 countries (25 EU Member States, Argentina, Brazil, Canada, Japan, Switzerland, United Kingdom, United States). Businesses constituted the largest share, with 122 business associations and 105 companies/ business organisations. According to the report, 311 stakeholders responded to the questions on improving portability for cloud services. As regards an appropriate legislative approach, roughly 150 (or 52%) of respondents considered that there is a need to establish a right to portability for cloud computing services in EU legislation, while 27% had no opinion and 19% were against establishing such a right.
Arguably this is only a small fraction of the cloud services stakeholder community (considering estimates suggest that CSPs have tens of thousands of customers in the EU), so concerns remain as to how representative or comprehensive the views received were. Overall, one hundred respondents were public authorities and 58 were citizens (56 from the EU and 2 non-EU). An Impact Assessment and legislative briefing were also produced; in the former, only two CSPs supported legislative intervention.
While early engagement with the legislative process was arguably low, the level of attention and engagement following publication of the draft Data Act has increased. Some of the provisions affecting the cloud services industry set out in the draft, and the amendments subsequently proposed to them, including those relating to switching and functional equivalence, have been the cause of serious concerns for many stakeholders, and have been subject to significant debate through the process.
The impact of the EU Data Act on CSPs
When the Data Act becomes law it will have a significant impact CSPs and their customers. In the coming articles, we will look at some of the key themes and significant changes including:
- the requirement of functional equivalence and its potential impact on cloud services;
- provisions related to facilitating customers to change and/or use multiple cloud service providers (and the associated costs);
- possible hindrances to competition and/or innovation and the homogenisation of cloud services; and
- the practical implications of the data access rules and contract requirements.
For more information on the EU Data Act or if you have any questions on how it could affect your business, please reach out to your usual CMS contact.