Data Act needs a breather

The Data Act proposed in February 2022 is the most significant of the data strategy’s five key proposals for regulating the data economy, comparable in importance to the General Data Protection Regulation (GDPR).

The Act applies to all data – not just personal data – and the horizontal regulation lays down ground rules for every sector that uses data. The Swedish presidency has been very active on advancing the file and unfortunately there’s a significant risk of throwing baby out with the bath water.

Electronic communications service data should be explicitly excluded from the scope of the Data Act

Electronic communications service data is generated by using of telecommunication services. ECS data includes traffic data, location data and communication data. Confidentiality of communications is protected as one of the rights guaranteed in the European Convention on Human Rights, so Data Act should not be applied or interpreted in a way which diminishes or limits the right to privacy or confidentiality of communications. As current text proposals are vague regarding this matter, ECS data should be explicitly excluded from the scope of the Data Act – both in recitals and definitions. Collection and use of ECS data is strictly regulated in other existing regulation.

Regulation must be clear and technically feasible

FiCom members were involved in preparing the joint position of the ETNO and GSMA on the topic. In particular, telecommunications companies considered it important to ensure a more precise definition of the various concepts, such as “product” and “related services”. Furthermore, the regulation should be much clearer on what data is covered by the disclosure obligation and what is meant by users’ “own data”. The data-sharing provisions should also be more effective in addressing the protection of business secrets.

The provisions applying to data processing services must be genuinely feasible. For example, the requirement for up to 30 days’ notice of termination may be challenging and, in some places, even impossible to implement in complex and customised cloud project environments. Contractual parties must have the freedom to reach agreements on notice periods.

In addition, the need to protect personal data must be clarified. The European Commission’s proposal also confuses the rights and obligations of the user and recipient, so the roles should be clarified.

Voluntary cooperation should continue to be the default mode of interaction and the premise when the case concerns the authorities’ rights to access data. The disclosure obligation and the data covered by the disclosure obligation should be regulated much more precisely. In addition, the regulation should be clearer about which situations constitute a state of emergency, as referred to in the proposal. In these cases, the party handing over the data should be indemnified for their costs.

Asko Metsola, Legal Affairs, FiCom