The EU’s data strategy is making progress
The European Commission published the new European data strategy in 2020. Under the strategy, the EU will seek to promote the data economy and invest in a way that expands the offering of data and data-based products and services within the single market.
The Digital Services Act (DSA) and Digital Markets Act (DMA), a package of legislation on digital services, represent the first wave of digital regulation. The acts have already been adopted and will take effect in the coming years. The Data Governance Act, the third regulation proposed in 2020, has already entered into force.
As part of the second wave of data regulation, the European Commission issued proposals for the Data Act (DA) and Artificial Intelligence Act (AIA).
Concepts must be precisely defined
The Data Act proposed in February 2022 is the most significant of the data strategy’s five key proposals for regulating the data economy, comparable in importance to the General Data Protection Regulation (GDPR). The Act applies to all data – not just personal data – and aims to promote a data-driven European single market. The horizontal regulation lays down ground rules for every sector that uses data.
The European Parliament Committee on Industry, Research and Energy (ITRE) held a public hearing on the Data Act on 25 October 2022. The Committee is now working on its position on the Act and is likely to vote on it in February 2023. In the European Council, the Czech Presidency will publish its progress report on 6 December 2022, and trilogue negotiations are due to begin under the Swedish Presidency in 2023.
FiCom has not previously issued its opinion on the Data Act, but our members were involved in preparing the joint position of the ETNO and GSMA on the topic. In particular, telecommunications companies considered it important to ensure a more precise definition of the various concepts, such as “product” and “related services”. Furthermore, the regulation should be much clearer on what data is covered by the disclosure obligation and what is meant by users’ “own data”. The data-sharing provisions should also be more effective in addressing the protection of business secrets.
Provisions must be clear and technically feasible
The provisions applying to data processing services must be genuinely feasible. For example, the requirement for up to 30 days’ notice of termination may be challenging and, in some places, even impossible to implement in complex and customised cloud project environments. Contractual parties must have the freedom to reach agreements on notice periods.
In addition, the need to protect personal data must be clarified. The European Commission’s proposal also confuses the rights and obligations of the user and recipient, so the roles should be clarified.
Voluntary cooperation should continue to be the default and the starting point where the authorities’ rights to access data are concerned. The disclosure obligation and the data covered by it should be regulated much more precisely. In addition, the regulation should be clearer about which situations constitute a state of emergency, as referred to in the proposal. In these cases, the party handing over the data should be indemnified for its costs.