Data Act

The new EU data law and implications for companies

15 Dec 2022

In February 2022, the EU Commission presented a draft of a new data law, which aims to make more data usable in the EU area. This draft, known as the "Data Act", is intended, among other things, to break new ground for easy switching between cloud providers and also to create the basis for transparent access by entrepreneurs to their data. The Data Act is thus part of a strategy to regulate a digital future in the EU area, which also includes the General Data Protection Regulation (GDPR) that came into force in 2017. But what is the significance of the draft law for companies in Germany and Europe, and what risks and opportunities does it entail?

DATA ACT ENSURES TRANSPARENCY AND TRUST

With the Data Act, the EU Commission has set itself the goal of enabling more clarity and transparency in the legal situation regarding data exchange and data access. The unclear legal situation has so far been the biggest problem when it comes to the obligations to disclose and use personal and corporate data. Here, the Data Act now aims to establish clear guidelines on who may access, share and/or process data and under what conditions. With the current draft law, the EU Commission plans to precisely define the rights and obligations of data owners and providers, which should create more trust and, above all, legal certainty. Companies and consumers are to be given more control over their data infrastructures.

APPLICATION OF THE DATA ACT IN PRACTICE CONTRADICTORY

With its regulations, the Data Act draft is intended to be applicable both to manufacturers of networked products and to providers of digital services and, beyond that, to their users. The Act covers providers and users who exchange data that have a registered office in the EU, but also, for the first time, data processing services that are based outside Europe and offer their services to their customers in the European Union.

However - and this seems somewhat contradictory - the scope refers exclusively to physical products that aggregate data by means of their implemented functions and transmit them via a communications service. However, smartphones and tablet PCs, for example, which are primarily used to display content or transmit content to online services, are excluded from the scope. But in these cases in particular, experience shows that large volumes of data are likely to be generated. In practice, this could mean that a WLAN radio, for example, which generates data about its owner's listening habits, would be covered by the Data Act, whereas a streaming provider would be left out.

IMPLEMENTATION AND IMPACT ON GERMAN COMPANIES

With the introduction of the Data Act, companies are faced with the problem of assessing whether their products and services are covered by the scope of application. For this reason alone, it is advisable to deal with this issue now. It is precisely because of the large number of products with data processing and transmission capabilities and the sometimes only slight differentiability that it will be difficult to assess the applicable scope of application.

One of the core objectives of the Data Act draft is to achieve a meaningful evaluation of data. Here, the draft law provides for a privilege for small and medium-sized enterprises. These are in fact to be exempted from the planned regulation. These companies include those with no more than 49 employees and a maximum annual turnover of ten million euros or a balance sheet total of no more than ten million euros.

It is already foreseeable that the impact of this planned privilege will be immense, because in Germany alone, around 99.4 percent of all companies are small or medium-sized companies according to this definition. Thus, a very large number of companies of this size would be exempt from the regulations of the Data Act, while only larger companies would be required to comply with the law.

For young start-ups, but also for small to medium-sized companies, the Data Act offers a number of new data-based business models. However, this presupposes that these companies offer their users so much added value that they make their otherwise generated data available for new applications. Companies that use services from cloud providers should find it easier to switch to other cloud providers with their corporate data without any problems. Many providers of managed cloud services already make this possible with just a few clicks.

SWITCHING BETWEEN CLOUD PROVIDERS TO BE SIMPLIFIED

Until now, switching from edge, cloud or other data-processing services has usually been difficult due to technical, economic or organizational barriers. Such an undertaking was often made more difficult by restrictive contracts. In addition, many users refrained from switching cloud providers because continuous service availability and access to the data could not be guaranteed during the switch and this was usually also associated with significant adjustments on the company side. This is to be significantly simplified when the Data Act comes into force, in order to promote more competition with the strengthening of the EU data market.

OUTLOOK AND CONCLUSION

The more data that flows between applications, the better companies can adapt their services and products to the needs of their users. If the introduction of the Data Act ensures that cloud solutions can process the data of their users, the chances are good that companies will be able to produce new added value for society in the future. However, this requires the Data Act to come into force as soon as possible, because the industry is already in the starting blocks: according to studies by KPMG and BITKOM Research, eight out of ten companies are already using the cloud.

For the European data economy to keep pace with the leading tech industries around the world, the Data Act must be designed accordingly. At the same time, of course, a high level of data protection must continue to be maintained so that users retain control over their personal data in the future.