EU Data Act Deal Limits Consumer Choice and Restricts Data Flows
June 2023 by CCIA Europe
The political agreement on the EU’s new Data Act, struck by European Parliament and EU Council negotiators late last night, might be well-intentioned but risks hampering data-driven innovation, warns the Computer & Communications Industry Association (CCIA Europe).
The Data Act’s overarching goal is to enable both consumers and companies to move certain datasets seamlessly from any connected device, including apps and software used on those devices, to any third-party service they want.
As things stand now, however, the Data Act would actually limit consumer choice. The deal prohibits users from transferring data to connected devices or services of their own choice, if those are operated by companies designated "gatekeepers" under the Digital Markets Act (DMA), such as popular tech firms.
In practice, this means that any company receiving a data portability request would no longer be able to comply with the General Data Protection Regulation (GDPR) if it has to refuse that request on grounds of the Data Act not allowing data to be moved to services operated by a so-called gatekeeper. Similarly, a gatekeeper company may not be able to comply with its own obligation to ensure users’ data portability right under the DMA.
The final deal also lacks actionable safeguards that prevent competitors from free-riding on the data of other device manufacturers and service providers. While companies can refuse to disclose their trade secrets in limited instances, the new rules fail to protect trade secrets when access refusals are contested. This, in turn, will incentivise companies to collect less data and curb data sharing requests that could be potentially abusive.
Finally, the Act’s restrictions on data flows and cloud services risks rendering adequacy decisions and other GDPR-compliant mechanisms for international data transfers null and void. The deal also lays the groundwork for the design and implementation of blunt market exclusion requirements against EU and international cloud providers subject to foreign laws.
The following can be attributed to CCIA Europe’s Public Policy Director, Alexandre Roure:
"The EU’s overall aim of encouraging data value creation can only be commended. Unfortunately, the deal struck on the Data Act does not do enough to enable responsible data sharing by companies, nor does it leave users free to decide how they want to use their exported data."
"Driving Europe’s data economy forward will only be possible with important clarifications for companies on many key aspects of this new law and through balanced enforcement."