Unlike what happened with the personal data of its citizens, the European Union intends to take advantage of the value of the billions of industrial data that its companies and consumers will generate through all connected objects. The European Commission presented a new proposal for a data law (the “Data Act”), which will strengthen the legislative framework of the Old Continent, following the GDPR and the Governance Data Act. Connected cars, smartwatches, intelligent refrigerators, sensors… The volume of data generated by machines will be enormous in the coming years. However, there is currently a legal ambiguity. Who owns the data produced when using a machine? Is it solely the manufacturer or the user who generates it? And under what conditions can a third party access it?

“Even more control”

By setting a framework of answers to all these questions, Brussels aims to “unlock” access to this promising data market, ensure more fairness in the sharing of value produced, promote innovation and competition. For example, it should allow the driver of a connected vehicle to have the option of using a repair service other than the manufacturer’s.

The text introduces a new obligation for manufacturers (“data holders”): to provide users with free access to the data they generate through the connected product used and allow them to transfer it to a third-party company under “reasonable conditions.” For an SME, the cost of accessing this data should not exceed the technical cost of transferring it. Manufacturers will no longer be able to impose “unfair contractual clauses.” “We want to give consumers and businesses even more control over what can be done with their data, clarifying who can access the data and under what conditions,” says Margrethe Vestager, the Executive Vice President of the Commission.

The text includes exceptions. Thus, large platforms, regulated by another text under review, the Digital Services Act, will not be able to access this data.

A “very horizontal” draft law

This Data Act also clarifies the conditions under which data held by private companies must be made accessible “in the name of the public good.” In some emergency situations, such as the recent health crisis, or when the existence of such data could streamline the administrative management of a state, for example, companies will be required to share their data with public entities. “We have made sure that SMEs are the biggest beneficiaries of this Data Act,” said Margrethe Vestager. They will not be subject to these sharing obligations. The Data Act also aims to remove the technical, contractual, and commercial barriers that currently prevent customers, both private and public, from easily changing cloud providers. As it has done in the past with mobile telecom operators and number portability, Brussels wants it to be easier for companies to change cloud providers without losing their data or the applications they develop. The text therefore defines interoperability standards that providers must apply to enable this interoperability.

Cloud providers will also be required to take measures to better protect data produced in Europe against extraterritorial laws like the U.S. Cloud Act. This may involve implementing certain procedures in case of requests from government authorities or applying technical measures such as encryption.

“This data law proposal is very horizontal. More sector-specific approaches will complement it to take into account specificities,” said Thierry Breton, the European Commissioner for the Internal Market, mentioning mobility, health, agriculture, energy, or finance.

A broader European strategy

This Data Act is part of a broader European strategy to create a more open data market, with conditions set by the European Union. “So far, only a small part of industrial data is used, and the potential for growth and innovation is enormous,” added Thierry Breton. He estimates it will bring an additional €270 billion to €300 billion in gross domestic product (GDP) by 2028.

Adopted on Wednesday by the College of the Commission, the draft law will still need to be negotiated with the 27 Member States and the European Parliament.

This first draft is not very well received by associations of technology companies. They criticize the arrival of new technical and legal constraints, the differentiated treatment of companies, and the overlap of too many European texts on data. “The Data Act will need to be refined. Organizations that hold data should retain full control over their sharing,” says Thomas Boué, Director General of Policy at the BSA, a software publisher association. “Data sharing should not be imposed where there is no market failure,” responded the European employers’ association, BusinessEurope.