With Spring in full swing, the EU’s legislators have begun the final stage of negotiations on the Data Act: the EU’s sweeping new law to build a single market for data for the 27 Member States. Businesses must be ready for the possibility that an early agreement is reached before the end of Summer – record-breaking speed for a file as complex as the Data Act.

The European Commission’s proposal for a Data Act is the central piece of the EU’s data strategy. This cross-sectoral legislation will have deep implications for most providers of digital services in the EU, from online platforms and large industrial players to local farmers using new tech to improve crop yields, and especially on manufacturers of IoT products and cloud providers. Once this horizontal framework is adopted, the Commission is likely to develop sector-specific data-sharing rules, for example for the car industry, with specific rules on access to in-vehicle data.

One step closer towards a market for Data

The Data Act aims to bust industrial silos and make data sharing easier across the Single Market. It will affect how IoT manufacturers collect and share data generated by their connected devices across the Single Market in an effort to create an entirely new data market. It will introduce new provisions to enable businesses to switch more easily between cloud operators, and additional safeguards for international data transfers in an effort to boost Europe’s “cloud sovereignty”. It will establish a framework for business-to-government (B2G) data sharing in situations of public emergency (think pandemics, wars, climate catastrophe).

Building on the EU’s new digital platforms market power instrument, the Digital Markets Act (DMA), companies that have been designated as gatekeepers under the DMA are excluded from accessing data shared through the Data Act.

An unsettling pace for business

The speed at which it is progressing raises a question as to whether all the potential consequences, both positive or negative, have been fully considered.

Some industries will benefit from the Data Act. For example, companies using data to develop new or improved products will benefit from the creation of a new data market, and certain cloud providers will benefit from the cloud switching provisions. Others are worried about unintended consequences, from large industrial players concerned about the implications of sweeping data access requests creating risks for their trade secrets and competitiveness, to crypto companies worried about the meaning and impact of the smart contracts provisions.

The Data Act is a complex piece of legislation, both in terms of its technical nature, as well as its potential reach across the economy. As a result, the Data Act is a typical example of the Commission introducing a technical piece of harmonised regulation that ends up becoming a highly politicised and major lobbying battlefront.

State of Play

The EU’s legislators have sped (some would say rushed) through the first reading of the legislation. The regulation has been amended by three committees in the European Parliament and Member States in the Council have finalized their position.

Hot button issues for the trilogues

The Parliament and Council will have to reconcile a number of differences to reach a political agreement before the end of Summer 2023. At this stage, there are eight hot button issues for the trilogues:

• The definition of data holder.
• The types of data in scope.
• The scope of obligations to provide access to data.
• The interplay with GDPR and existing legislation on trade secrets (Database Directive).
• The protection of trade secrets.
• The scope of the provisions on smart contracts.
• Government access to data.
• International transfers of non-personal data.

Next steps

The Parliament and Council had their first “handshake” trilogue on 29 March and detailed negotiations will continue throughout April and May, with the aim of reaching an agreement by 30 June before the end of the Swedish presidency.

The Spanish government will take over the rotating presidency of the Council in July 2023 and, should the Swedes fail to secure a deal, will be responsible for shepherding the Data Act through its final stages, alongside the AI Act and the Cyber Resilience Act. The Spanish are confident at this stage that an agreement will be reached at the start of their presidency.

For a piece of legislation as detailed and complex as the Data Act, this is record speed and a fast-tracked legislative process that risks important detail being passed over in favour of concluding the negotiations before the end of the current mandate and EU elections in May 2024. Everything will depend on the next few weeks of negotiations…

To find out more about how Flint can help you navigate the risks and opportunities of these developments, get in touch.