Joint position on the proposal for a Data Act 

La proposition de règlement portant sur des règles harmonisées relatives à l’accès et à l’utilisation équitables des données, également connue sous le nom de loi sur les données, a été adoptée le 23 février 2022 par la Commission européenne. Considéré comme un pilier essentiel de la stratégie européenne en matière de données, le « Data Act » est censé apporter une contribution importante à l’objectif de transformation numérique, en harmonisant les règles d’accès aux données pour les entreprises (B2B), les organismes publics (B2G) et les particuliers (B2C) et en renforçant, entre autres, la portabilité du cloud et l’interopérabilité des outils.  

En s’appuyant sur leur expertise respective, la FEDIL et la Chambre de Commerce ont analysé les nouvelles dispositions en profondeur pour en comprendre les enjeux et l’impact sur les acteurs concernés. Si nous partageons le souci de la Commission de poser des bases harmonisées pour le partage des données en Europe, nous avons identifié un certain nombre de points d’achoppement qui se poseront lors de l’implémentation de la proposition et qui sont susceptibles de porter préjudice aux entreprises et à la compétitivité de l’Europe. 

Dans ce qui suit, vous trouverez le résumé des messages clés de la position commune élaborée par la FEDIL et la Chambre de Commerce sur la proposition de règlement. Le document complet pourra être consulté sur notre site internet.

Further to the position papers and declaration statements of their respective European associations1, this document constitutes FEDIL’s and the Luxembourg Chamber of Commerce’s additional contribution to the proposal for a Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data.

Introduction

On 23 February 2022, the European Commission (hereafter the “Commission”) published its proposal for a Regulation on harmonised rules on fair access to and use of data (also referred to hereafter as the “Data Act”).  

The proposed Data Act is part of the European digital and data strategy launched by the Commission in 2020 in order to build a “Europe fit for the Digital Age”. The Data Act complements other Commission’s initiatives in the digital field amongst which the Data Governance Act (DGA) and the Digital Market Act (DMA). 

The Data Act is a horizontal proposal which provides “basic rules for all sectors”2. Thus, the Data Act “leaves room for vertical legislation to set more detailed rules for the achievement of sector-specific regulatory objectives”. 

The proposed EU Data Act aims to regulate data access and use in order to “ensure fairness in the allocation of value from data among actors in the data economy”3, “open opportunities for data-driven innovation and make data accessible for all”4.

General comments

Although FEDIL – The Voice of Luxembourg’s Industry and the Chamber of Commerce of Luxembourg, together with their members, welcome the Commission’s efforts to harmonise the rules on fair access to and transfer of data within the European Union (EU), the means to accomplish the objectives remain unclear given the multiple layers of EU legislations as well as the forthcoming sectoral legislations. As a result, its implementation becomes technically more complex. 

Furthermore, the Data Act imposes huge constraints on the various stakeholders in terms of process, cost, technique, organisation, administrative and legal formalities to comply with the Data Act within a very short term of 12 months following the date of entry into force. There are many of those provisions that are simply unrealistic and not that easy for businesses to implement. We express our concerns that this is a constraint-based approach without any incentive and collaborative view that might result in the opposite effect than the one intended. 

Moreover, we express our deep concern that forced disclosure of trade secrets cannot be favorable for EU attractiveness. It is essential that the proposed regulation does not set rules that will negatively affect businesses, resulting in the loss of competitive advantage. Our members insist on the necessity to protect intellectual property rights and trade secrets, notably for creative products for which it is important to be mindful on data to be shared. Rules must be proportionate and fit for purpose. Protection of trade secrets is a central concern for Luxembourg’s industry, which is asking for more legal safeguards in this regard while one of the Data Act’s goals is to establish trust in data sharing. The EU should as well consider finding solutions to elements of business confidential data, which does not enjoy protection today.

Key messages

1. Default of clarity in many definitions

   • Definition of “data”
     • Too broad definition of “data” and not consistent with the objective of the proposed regulation to unleash the potential of the data economy.
     • Necessity to clearly define what kind of generated data fall into the scope and which ones do not.
       • Definition of data to be clarified and narrowed.
   • Definition of “product”
     • Too broad definition of “product”.
       • Suggestion of inserting the exclusions of products mentioned in Recital (15) in the article.
   • Definition of “related services”
     • Too broad definition of “related services” resulting in difficulties to identify the frontier between the different related services.
       • Need to clarify the reason for the distinction with other physical products excluded in Recital (15).
   • Definition of “public emergency”
     • Too broad definition which leaves large room for the Member States to qualify what an emergency situation is or is not.
       • The list of examples mentioned in Recital (57) shall be set forth in the regulation and expanded.

2. B2B and B2C provisions

   • Different situations in B2B and B2C context
     • Chapter 2 tackles B2B and B2C data sharing aspects simultaneously, whereas data sharing situations and the parties involved vary from one context to another.
       • B2B and B2C should be treated in two different chapters.
   • Obligation to make data accessible
     • Data accessibility must be provided “by default” by the manufacturer.
       • Represents challenges for businesses and creates an unbalance between more mature and less mature businesses as regards compliance costs.
     • Obligation for manufacturer to provide the “nature” and the “volume” of data to be generated.
       • Nature of data must be clarified as based upon the use of the product.
       • Volume of data should be deleted as very difficult to assess “before concluding a contract”.
   • Right of user to access and use data
     • Requiring the data holder to give access to data generated “without undue delay” leaves room for interpretation between the parties and may lead to abuses.
       • Replace by “within a reasonable period of time agreed between the parties”, which would be more appropriate and adjustable to every situation when implemented in practice.
   • Right to share data with third parties and data obligations of third parties receiving data.
     • Article 6 §2 (c) authorises sub-delegation of data to another third party “when this is necessary to provide the service requested by the user”.
       • User must keep a control over data used by third parties and must authorise sub-delegation.
   • Trade secrets protection
     • The Data Act provides that trade secrets shall be disclosed only if specific measures are taken to preserve their confidentiality, creating a risk for businesses and a significant loss of competitive advantage.
       • Model of non-binding contractual terms to be provided by the EC as in Article 34.
       • Ensure proper enforcement of other regulations regarding IP and patents such as Trade Secrets Directive.
       • More safeguards to be provided for confidential commercial information which differ from trade secrets.
   • Dispute settlement
     • Members States shall certify a Dispute settlement body for some dispute between the data holder and the data recipient in B2B context. However, this kind of non-binding arbitration system does not exist in all Member States such as in Luxembourg. This will therefore incur huge administrative, cost and organisational burden to include and articulate such system in the current country legal landscape. Article 10 leaves many legal questions open and does not provide sufficient guidelines for Member States to set up a harmonised, efficient, fast and inexpensive system, which may also create a ground for fragmenting the practices across Europe.
       • Many clarifications to Article 10 are needed to enable Member States to implement such a body and to articulate it in their country’s legal system.

3. B2G provisions

   • Notion of “exceptional needs”
     • Too broad scope of exceptional needs allowing public sector bodies to request data access.
       • Data access request in exceptional needs situations must not become the normal trend.
   • Compensation
     • No justification of the distinction between making data freely available in case of public emergencies and against reasonable compensation in other exceptional circumstances.
     • Time, technical, and organisational costs remain the same in both public emergencies and other exceptional needs situations.
       • Businesses shall be able to request compensation in cases of public emergency requests for data sharing.

4. Cloud switching

   • Obligation for the Provider of Data Processing Services (PDPS) to remove obstacles to effective switching
     • PDSP shall ensure cloud switching to another data processing service, covering the same service type, which is covered by a different service provider.
     • Notion of “same service type” too vague.
       • Different use cases shall be considered to reflect complexity of cloud switching.
     • Lack of clarity of “obstacles” which could lead to a broad list of potential criteria labeled as such.
       • Responsibility of the switching should be shared between PDPS and customers. A collaboration should be built between the customer and the original and destination PDPS for a swift switching.
   • Contractual terms concerning switching between PDPS
     • 1 month period is unrealistic to operate a “one size-fits-all” switching process and not reflecting the realities of services and elements of the infrastructure to be transferred.
       • (Reasonable) switching timeline should be agreed between the provider and the customer and not determined by the Data Act.
       • Reference shall be made to reversibility elements set forth in existing guidelines from the EBA or the DORA Regulation in order to specify the exit plan.
       • A list of requirements shall be defined in the contract terms and conditions for legal clarity.
   • Withdrawal of switching charges
     • Financial burden rests only on existing provider whereas switching obligations should reflect the variation of complexities and choices involved in the switching process and establish a value accordingly.
       • As a minimum, switching charges should be compensated at cost.