Six Virtues of the Data Act, or, How I learned to stop worrying and love the Data Act

by ofthewedge

Yet another proposal for an EU digital ‘act’ has just landed and, having worked on it for a year, I cannot be expected to be impartial. So before the world’s brains fully digest its contents, here are seven reasons to believe the Data Act is a Good Thing.

  1. It empowers consumers – The Data Act builds on right to data portability under Art 20 GDPR, which, for all its innovativeness, is full of caveats. Note that the Data Act is about economic rights rather than fundamental rights. You have to be an owner of a connected product to have, under the Data Act, the undisputed right to access data your product generated. But it gives you the right to access and have transferred data from your product, whether it’s personal or not, whatever the legal basis, and it doesn’t depend on the access being ‘technically feasible’ (recital 68 , GDPR). And if, for whatever reason, you can’t port your IoT data under the Data Act, your GDPR Article 20 rights cannot be affected. Safeguards for consumers in the Data Act, like the provisions against profiling and use of dark patterns, are tough and go beyond the basic requirements of the GDPR.
  2. It empowers SMEs– small and micro companies are exempt from the new obligations, but they do get the access to data from connected products to innovate and compete which they have long campaigned for. Equally, while the Data Act opens up access to IoT data, it keeps the door shut to big data aggregators – the ‘gatekeepers’ of the Digital Markets Act. Given their ‘unrivalled ability to acquire data’ (recital 36) – they have no need of further encouragement.
  3. It supports the European Green Deal – connected products have a huge and growing environmental footprint. Making the data available to competing repair and maintenance service providers is essential to reduce waste and for the circularity of products and materials. In this way, the Data Act is of a piece with the forthcoming Digital Product Passport / Sustainable Product Initiative which is close to being unveiled. Also, public bodies combating and trying to adapt to environmental degradation and climate change have not been able to get data they need to prevent and respond to emergencies. The Data Act provides a mechanism for this. It’s a rare act that directly supports both legs of the much vaunted twin green-digital transition.
  4. It puts data to work for all of society, not just the biggest companies. Democratic public bodies accessing data from large companies. Public sector access to private data is going to be hotly debated and for good reason. While there are means for data to be moved lawfully from government to business, there isn’t when most data is controlled by a handful of private tech companies. Hence, the call for a lawful and proportionate means in a democracy for data to be accessible in the public interest. The ‘B2G’ section of the Data Act is therefore carefully tied to public emergencies and exceptional needs, with strict safeguards and data minimisation provisions. It also provides for these bodies to give access to genuine (ie not-for-profit or public interest) scientific research. And again, small and medium are exempt from these data sharing obligations.
  5. It lets you switch between cloud services. Access to data processing infrastructure is essential for all companies to digitise. But businesses typically get locked into cloud services, and only discover hidden charges when they try to get out. The Data Act envisages – among other things – the phasing out of charges, like with roaming in telecoms in the past.
  6. Minimum red-tape – coherent enforcement. Last, Data Act doesn’t impose yet another regulatory body, but it requires the relevant ones – including data protection authorities – to cooperate. If you have a complaint, it’s not on you as a consumer or SME to know which authority you should go to – the agencies have to work together to deal with your problem. This directly responds to the call from, notably, the European Data Protection Supervisor (e.g. here, and here) for ‘institutionalised and structured’ cooperation in the digital economy.

So there you have it: fight me.