Europe proposes rules for fair access to connected device data

The European Union has proposed an interesting addition to its fast updating digital rulebook today: The Data Act slots into an already ambitious digital policy framework with the goal of bringing clarity and fairness around the sharing of (mostly industrial) data generated by connected devices.

It won’t be the last word on this either, as the Commission is working on sector-specific regulations to plug into the Data Act (including one incoming within “weeks” for health data-sharing; and another in the works for connected cars).

But EU lawmakers said today that they intend the Data Act to be around for the long term.

“We wanted to make sure this was a horizontal text because it has to be a long term one, it has to be visible, it has to be clear in the long term,” noted internal market commissioner, Thierry Breton, during a press conference.

The Data Act will address “the legal, economic and technical issues that lead to data being under-used”, the Commission said in a press release on the Proposal for a Regulation on harmonised rules on fair access to and use of data, suggesting the legislation will “unlock the economic and societal potential of data and technologies in line with EU rules and values” by creating “a single market to allow data to flow freely within the EU and across sectors for the benefit of businesses, researchers, public administrations and society at large”.

“In the Data Act, the data we have in mind is typically generated by connected machines or connected devices,” added Commission EVP, Margrethe Vestager, speaking at the press conference. “That could be a smart watch, it could be a car, or eventually even your coffee machine. These devices generate a huge amount of data in what we call the “internet of things”. So do all those sensors that automatically take in information from our environment. A lot of this data is non-personal data, and most of it is currently unused. If used, such data can provide a multitude of possibilities for new products, new services, or they can foster research. But for this to happen, we need to define who has control over such data, and who can use it for what purpose.”

“Our data strategy is all about putting such data into productive use, to the benefit of companies and society. The green transition can only happen if we become more energy efficient – and the use of data will help us. Just imagine how much more efficient we can become if we analyse traffic data in order to improve public transport and anticipate traffic congestion.

“In order to make this possible we address remaining barriers to data sharing. The Data Act defines who can use what data, and under what conditions. We want to ensure greater fairness in the allocation of the value created by data.”

Breton added that the Data Act, much like the Commission’s content-focused Digital Services Act proposal, is “cross-cutting, horizontal in nature, defines the rules” — aka a “basic tool box” — but will also be built upon with more specific rules for certain sectors, such as connected cars. (And via ongoing work to devise “common European data spaces“.)

The Commission has a few different aims for the Data Act — here’s a quick overview:

Firstly, it wants to avoid the sensor-laden Internet of Things (IoT) further concentrating market power in the digital sphere by empowering consumers who own so-called ‘smart’ devices to gain access to data generated by their own usage; and be able to order a manufacturer to provide their data in real-time to third parties of their choosing whose (non-competing) services they wish to take up.

The Commission hopes this will both empower consumers and foster innovation, such as in aftermarket repairs or predictive maintenance. (The law as drafted is intended to avoid SMEs being able to use access to data to reverse engine a rival’s product to launch a direct clone.)

It kicked off an investigation of the IoT sector back in July 2020 — saying at the time that it was concerned about the risks to competition and open markets linked to the data collection capabilities of connected devices.

The Data Act looks to be a key component of the EU’s response to that threat. (And during the press conference the Commission confirmed that tech giants who are deemed to be “gatekeepers” under its Digital Markets Act ex ante competition reform proposal won’t be able to make use of the Data Act to receive third party companies’ data — i.e. to avoid the risk of further entrenching their market power.)

Secondly, the Commission is concerned about abusive contractual terms being imposed on smaller companies by more powerful platforms and market players to, essentially, extract the less powerful company’s most valuable data — so the Data Act will bring in a “fairness test” with the goal of protecting SMEs against unfair contractual terms.

The legislation will stipulate a list of unilaterally imposed contractual clauses that are deemed or presumed to be unfair — such as a clause that states a company can unilaterally interpret the terms of the contract — and those that do not pass the test will be not be binding on SMEs.

The Commission says it will also develop and recommend non-binding model contractual terms, saying these standard clauses will help SMEs negotiate “fairer and balanced data sharing contracts with companies enjoying a significantly stronger bargaining position”.

Some major competition complaints lodged against tech giants in the EU have concerned their access to third party data, such as the investigation into Amazon’s use of merchants data, for example, and those investigations are likely influencing what the Commission is proposing here around contractual terms.

Thirdly, the Data Act takes aim at cloud service lock-in by proposing news rules intended to allow customers to effectively switch between different cloud data-processing services providers — combined with safeguards against unlawful data transfer, per the Commission.

Barriers to switching are a key, long-standing complaint in digital markets — where network effects can be further harnessed by follow-on lock-in tactics that add friction or even hard barriers to porting data, enabling a provider to maintain their earlier grip on market power.

EU lawmakers say they want to make it easier for businesses and consumers that are making use of cloud and edge service providers to be able to move their data and apps — whether a private photo archive or an entire business administration — from one provider to another without incurring any costs.

To do that the Data Act proposes new contractual obligations for cloud providers, and a new standardisation framework for data and cloud interoperability.

Fourthly, the Commission wants the regulation to set clear rules for scenarios when governments/public sector organizations may want to access IoT data — such as in public emergencies.

The coronavirus crisis has clearly concentrated minds on this front where there was an imperative to access commercial mobility data (such as from mobile phones) to help policymakers assess responses to restrictions on people’s movements or otherwise model how the pandemic might spread.

The Data Act is extremely broad — applying to data generated across the EU in all economic sectors.

And while the Commission’s emphasis is on greasing the pipe to encourage the sharing of machine/industrial data, there can be plenty personal data generated by connected devices (just think of a smartwatch or a fitness band, for instance) — albeit, the sharing of any personal data would need to be done in compliance with the EU’s existing data protection framework, GDPR. So there are legal safeguards to shield privacy.

“The Data Act will remove barriers to access data, for both private and public sector bodies, while preserving incentives to invest in data generation by ensuring a balanced control over the data for its creators,” the Commission writes in a Q&A detailing its main goals for the proposal.

“It will unlock the value of data generated by connected objects in Europe, one of the key areas for innovation in the coming decades. It will clarify who can create value from such data and under which conditions. It will ensure fairness in the allocation of data value among the actors in the data economy and in their contracts while respecting the legitimate interests of companies and individuals that invest in data products and services. The new rules will empower consumers and companies by giving them a say on what can be done with the data generated by their connected products.”

An earlier EU proposal setting out a framework to govern and encourage industrial data-sharing, such as by setting the rules for data intermediaries — aka, the Data Governance Act (DGA) — has already been adopted.

The Commission says the Data Act to slots into that framework, helping to generate data flows to intermediaries — which it hopes will, in turn, fire up data-driven innovation across the bloc as part of its overarching goal of driving digital transformation as a strategy to fire economic growth.

Indeed, it says the new rules making more data available for reuse are expected to create €270BN of additional GDP by 2028.

The Commission also argues that better access to more real-time sensor data will be crucial in achieving the bloc’s climate goals and shrinking carbon emissions — to hit its 2050 ‘net zero’ target.

The Data Act proposal still needs the backing of the EU’s co-legislators — before it’s adopted and becomes regional law. But the relatively fast pace of the DGA’s passage suggests the Commission’s data strategy enjoys broad support.

Although it remains to be seen whether the proposal will attract any of the frenzied lobbying that other pieces of EU digital policy have attracted in recent years.

If well implemented the Data Act certainly certainly looks like it could be a boon to both consumers and startups.

(NB: SMEs are — in general — exempt from the new data-sharing obligations, so it looks like pure upside for them since they stand to gain from better access to data. Or, as the recital puts it: “Start-ups, small and medium-sized enterprises and companies from traditional sectors with less-developed digital capabilities struggle to obtain access to relevant data. This Regulation aims to facilitate access to data for these entities, while ensuring that the corresponding obligations are scoped as proportionately as possible to avoid overreach.”)

In a statement welcoming the Commission proposal, BEUC, the European Consumer Organization, described the legislation as “essential” for consumers.

In a statement, Monique Goyens, its director general, added: “The Data Act is an important piece of the jigsaw to make sure data can be accessed fairly across industries while giving users full power to decide what happens to the data they generate. Beyond providing a framework in which data gets accessed and shared, the EU’s Data Act must complement existing data protection, consumer, and competition rules.

“It is essential that consumers decide what happens to the data they generate, when they share it and with whom. Consumers should have a simple-to-exercise data portability right, which extends beyond personal data, so that they can for example take all their data from one service to another if they want to. The EU must also ensure that the Data Act does not end up reinforcing Big Tech data monopolies.”