By Morten C. Skroejer, Senior Director, Technology Competition Policy
After much wrangling, the Data Act has entered inter-institutional negotiations, so-called trilogues, where the European Union’s co-legislators will attempt to reconcile their competing versions of what the final legislation should look like. From the moment the bill was introduced, we have supported its overall objective, which is to unlock the value of data and foster increased innovation. But we have also been clear that the bill, as originally drafted, raised a number of very serious concerns that would need to be addressed in order to avoid unacceptable and/or unintended consequences.
We want to commend the European Council and the European Parliament for engaging constructively and producing revised proposals that in many ways improve upon the Commission’s original draft. That said, we still have deep concerns about provisions that are unclear, impractical, unfeasible, or plainly discriminatory against U.S. companies. Below, we suggest a number of changes that will help bring the final bill into alignment with its stated objective. They include clarifications of ambiguous or imprecise text, substantive changes, and deletion of provisions that either run counter to the Data Act’s purpose or impose on private companies obligations that are difficult, if not impossible, to meet.
As an initial matter, it is surprising that the co-legislators seem to struggle mightily with how to define the word “data,” as its use and scope vary throughout all three proposals. Given that term’s centrality to the ultimate success of what the EU itself, after all, has called the Data Act, we believe that trilogues, by necessity, must produce a final proposal that provides absolute clarity about what data is covered under the Act.
The same goes for the definition of “product.” The focus of the Commission’s proposal was on devices, and information gleaned from them, having to do with the Internet of Things. By contrast, subsequent proposals from the European Parliament and the Council have broadened this scope to include almost any product that can connect to the internet, including, for example, smartphones. This is deeply concerning because it could lead to, essentially, unconstrained surveillance of anyone, anywhere. That was not the intent behind the Data Act, and we therefore encourage the co-legislators to substantially narrow the types of products that are considered in scope. Relatedly, the definition of what the Act calls a ”related service” should be narrowed and only include those services that are strictly necessary for a product to perform one of its essential functions.
1. Switching between cloud service providers
According to the EU, the overall aim of the Data Act is to do away with barriers that are currently making it harder for consumers and businesses to access and share data. This can take any number of forms, but in the context of cloud computing it means making it easier for customers to move their data from one service provider to another. This is what the Act calls “switching.”
In theory, this goal is laudable. But the Data Act’s many and very detailed requirements for how to effect and manage the switching process leave substantial room for both practical and legal uncertainty for the parties involved. Take Article 26 of the Council’s proposal, which obligates a cloud service provider to “take all measures in their power, including cooperation with the data processing service provider of the destination service, to facilitate that the customer [after switching] enjoys functional equivalence in the use of the destination service.” What is left unexplained, however, is what it would mean for a cloud service provider to “take all measures in their power” to facilitate the departing customer’s desired outcome. Taken literally, it could be interpreted to impose on cloud service providers a list of exceptionally onerous—and potentially impossible—obligations in order to help an existing customer switch to a competing service. Surely, the Council cannot have intended such an absurd outcome, but in order to avoid this type of uncertainty the co-legislators need to explain what they mean by the term “functional equivalence,” given that functional diversity often is used as a key differentiator between competing services.
Among other issues that need clarification is the extent of the cooperation requirement imposed on either, or both, of the service providers involved in the switch. This includes which party is best positioned to assume the risk and cost associated with transferring the data. This question is particularly pertinent, because establishing and maintaining the network space necessary to safely effect the switch comes at a cost that, all things considered, it would seem reasonable for the customer, who is requesting the transfer, to bear. In the original proposal, however, these switching costs would fall on the cloud service provider. The extent of any expenditures beyond those related to the data transfer, and who should bear them, is still being debated. And to give credit where it is due, the Parliament’s proposal contains a number of suggestions in this area that seem quite workable.
By contrast, the Council included in its proposal a provision that, in addition to “switching” transfers, as described above, also would make transfers in multi-cloud environments free of charge. Crucially, it would impose on cloud service providers an obligation that goes well beyond what is required of companies in the EU’s heavily regulated telecoms sector, where service providers can impose charges for network traffic to allow recoupment of cost and continued investment.
2. International data transfers
While data localization in limited circumstances can serve legitimate ends, it can also pose a significant barrier to realizing the full potential of the digital economy. As stated in the second Recital of the Commission’s proposal, “[b]arriers to data sharing prevent an optimal allocation of data to the benefit of society.” As a result, the goal of the Data Act should be to encourage, rather than impede, the free flow of data across borders. And not just within the EU’s own internal market but between its member states and like-minded non-EU countries.
Whether intended or not, the proposals from both the Commission and the Parliament are so unclear on this issue as to cast doubt on their often-professed commitment to a free and open internet. Because of this, we applaud the important clarification in the Council’s proposal that Article 27 only should apply to “[i]nternational governmental access and transfer” and not implicate the type of data transfers that private companies undertake in the normal course of their business.
Even with that important clarification, however, Article 27 still creates uncertainty about the scope of company obligations. First, the Data Act should state explicitly that where a service provider’s systems store both personal and non-personal data, an adequacy finding under existing rules, Standard Contractual Clauses, and/or Transfer Impact Assessments made according to the General Data Protection Regulation (GDPR), would apply equally under the Data Act, thus obviating any duplicative obligations. In practice, cloud service providers do not know the content of their customers’ data and, provided it includes both personal and non-personal data, they would apply Chapter V GDPR provisions by default.
Second, we urge the co-legislators to delete Article 27(3) in toto. As written, it is not clear how a service provider would be in a position to assess whether the legal system of a requesting third country complies with the requirements in the Data Act. This responsibility should rest with the Commission, which is better positioned to make this assessment given its legal know-how and ability, if necessary, to enter into agreements that address relevant concerns.
Lastly, Article 27 would require cloud service providers to provide technical and organizational measures to prevent government access to data, adhering to relevant security reassurance certification schemes and modification of internal corporate policies. This would likely implicate the Data Act in on-going discussions about an EU cloud certification scheme (EUCS), where the inclusion of “immunity to non-EU law requirements” is under consideration. If adopted, these requirements would severely hamper, if not impede, non-EU-based and controlled companies from providing cloud services in the EU.
3. Protections for intellectual property rights and trade secrets
Protection for intellectual property rights and trade secrets afforded businesses under existing law are essential to a well-functioning and thriving economy. Without them, companies would be much less likely to invest and innovate, leaving us all worse off.
Patent and copyright protection preserve creative incentives after public disclosure, provided that the underlying work meets the relevant standards of creativity. Trade secrets—as the name implies—require secrecy. The Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPs) require protection for “undisclosed information,” provided that the information is not generally known to the public, confers an economic benefit on its holder because the information is not publicly known, and has been subject to reasonable steps to keep it secret. Similar standards exist in U.S. law. Critically, however, once the secret is revealed, its protection and the competitive advantage that it provided disappears. That rule recognizes an international consensus that trade secrets are generally not supposed to be disclosed to anyone involuntarily, and even then, not without a compelling regulatory reason (such as food safety or environmental regulation).
The Data Act, on the other hand, would turn this rule on its head by presuming that trade secrets will be disclosed to governments in the EU, as well as business competitors. According to Articles 4(3) and 5(8), trade secrets must be shared as long as “all necessary measures are taken to preserve [their] confidentiality.” But what it means to take “all necessary measures” is unclear. The Data Act’s construct is antithetical to the very nature of trade secret protection, which is agnostic on the secret’s value. The protection exists on the theory that if it is not valuable, a business will not undergo the burden of protecting it in the first instance. In the U.S., for example, “reasonable measures” to protect confidentiality vary with the circumstances: a plumber’s customer list need not have the same measures as the formula for WD-40. And while the Data Act’s proposed language could be read to mean that the EU must apply the highest standards of protection, it means that the most valuable assets of many U.S. companies are presumptively open to EU governments and their EU-based and other competitors.
In its proposal, the Council has added two additional narrowly tailored exceptions (Articles 4(3a) and 5(8a)) that would allow a data holder to refuse access in “exceptional circumstances,” if the holder can “demonstrate that it is highly likely to suffer serious damage” from disclosure. But, again, the onus is on the holder of the trade secret to prove that they are “highly likely” to incur “serious damage” if they comply with an access request. Under what specific circumstances these exceptions would apply, however, remains unclear. And, in any event, if the holder is merely “likely” to “suffer damage,” the information must be disclosed. Such a construct ignores, for example, that many non-patentable process refinements are incremental and cumulative; while one secret may only inflict “non-serious” harm, the disclosure of several secrets in the aggregate could be crippling.
Whatever its policy goals, the Data Act does nothing less than re-write the fundamental assumptions of trade secret protection. As a result, we again encourage the co-legislators to amend the Data Act to say that there is no obligation to share protected information within the meaning of the EU’s own Trade Secrets Directive.
Our previously expressed concerns about the Data Act’s treatment of intellectual property rights also remain. And they are compounded by the uncertainty, as discussed earlier, related to how the Data Act defines the terms “product” and “related service.” Consequently, we urge the co-legislators to amend Article 35 to make it clear that this provision does not, in any way, affect existing copyright protections.
4. “Gatekeeper” exclusion
We remain strongly opposed to Article 5(2). This provision prohibits any company designated as a gatekeeper under the Digital Markets Act (DMA) from being a data recipient while still obligating it to transfer non-personal data upon a customer’s request. This incongruous framework gives rise to at least three concerns. First, it is plainly at odds with one of the main objectives of the Data Act, which, supposedly, is to empower consumers to take control of their data and to transfer it, or not, as they see fit. Second, it limits the ability of consumers to take advantage of competitive offerings from certain companies; in other words, it hurts European consumers and reduces competition. Third, it discriminates against a small group of, mostly, U.S. corporations while leaving companies from non-democratic countries, none of whom qualify as gatekeepers, untouched. It boggles the mind that the EU would seriously intend such an outcome. But here we are.
Recycling the gatekeeper concept from the DMA is also part of a regrettable trend, where the EU increasingly is taking regulatory shortcuts, rather than trying to develop a level playing field where the same rules and standards apply to U.S. companies as well as those from the EU and China. Another recent example is a proposal on the AI Act that would treat AI-based systems from companies designated as “very large online platforms” (VLOPs) under the Digital Services Act more restrictively than EU- and Chinese-based AI systems. These so-called “gatekeeper” and “VLOP” exclusions should be removed from the Data Act, AI Act, and other EU measures.
The Data Act is an ambitious attempt at regulating highly complex issues. The Council and Parliament proposals undoubtedly improve upon the Commission’s original draft, but a lot of work remains to be done. The recommendations outlined here provide additional improvements, and we look forward to continuing our engagement with EU and U.S. policymakers on this important matter.