Data Act: a European consensus on non-personal data sharing

At the close of the last day in negotiations, the European Commission, Parliament, and Council passed the definitive draft of the Data Act, on June 27, 2023. The regulation aims to simplify sharing and promotion of non-personal (therefore anonymous) data, which are generated by connected products and online services.

The European Commission considers the Data Act should allow the creation of “new and innovative services, as well as more competitive pricing for customer service.” The Commission calculates it will add 270 Billion EUR to GDP by 2028. European legislators must still make technical corrections to the text but it will be passed definitively during the month of July 2023, and should come into effect 20 months later, in 2025.

“The Data Act will guarantee that industrial data is shared, stored and processed in full compliance with European regulations. It will create a flourishing data economy, one that is innovative and open, but within European standards,” commented the Commissioner for the Internal Market, Thierry Breton.

Indeed, the Data Act grants connected object users “the right to access the data they’ve helped create, to retrieve it or share it with a third party on a contractual basis.” This paves the way for a European data market.

With the consent of users, device manufacturers and service providers can thus share, sell or give data to other organizations such as startups and research centers. Users will also be able to monetize access to the non-personal data.

The final discussions resolved the outstanding differences between interested parties. As the future of data outside the European Union remains unclear, the text’s jurisdiction will be limited to recipients located within the EU. Even though public bodies will be able to access this data, the Data Act’s final version regulates and further limits this access, in order to avoid a loss in data market value.

The most sensitive issue was that of trade secrets: too much flexibility in data sharing could lead to indirect leaks. In May 2023, five German manufacturers, including SAP and Siemens, expressed their concern over the issue and the risk of data leaks to the European Commission.

The Data Act’s final draft thus introduces an “emergency break”, which will allow providers likely to suffer “serious and irreparable economic losses” to refuse access to data tied to business secrets.

The text also makes a data sharing exception if it might compromise the issuing provider’s IT security. Finally, the Data Act will not apply to data processed with complex “proprietary algorithms”.