The European Union has long been a pioneer in tech regulation. In 2020, the EU unveiled its data strategy, designed to unleash the potential of vast amounts of big data and establish guidelines for its sharing, storage, and processing. A pivotal development in this overarching strategy occurred on November 27, 2023, when the Council of the European Union formally adopted the Data Act.
The Data Act is the flagship of the EU data strategy. It aims to regulate who can access, use, and share data generated by connected machines and devices, and addresses the underutilized potential of industrial data in Europe. The Act identifies manufacturers and service providers as “data holders,” enabling both business-to-business (B2B) and business-to-consumer (B2C) entities to access the collected data. However, it mandates data sharing with third parties in the value chain under specific circumstances. It also introduces provisions for public sector access to private sector data in exceptional situations, such as responding to public emergencies, which raises concerns about enterprises’ control over their data.
While the Data Act intends to unlock the untapped potential of industrial data, it has sparked a debate on whether it prioritizes data protection or imposes excessive restrictions on businesses. Requirements for data sharing, coupled with the newly imposed restrictions on cross-border data flows and other components of the EU Data Act, will have severe unintended consequences that will affect various sectors of the economy, like transportation, agriculture, oil and gas, healthcare, technology, pharmaceuticals, and aerospace.
The Unintended Consequences of the EU Data Act
The Data Act employs principles from the General Data Protection Regulation (GDPR), designed to safeguard personal data, and applies them to industrial data. This approach is problematic, especially in light of emerging evidence indicating that the GDPR has hurt innovation among small firms.
The Data Act is seen as potentially detrimental, as it could penalize competition, deter investment and innovation, and effectively operate as a form of government expropriation, forcing companies to share trade secrets and other sensitive information with competitors and EU government entities. Moreover, it poses a significant risk to foreign companies, since it makes them vulnerable to substantial fines from European regulatory authorities and can make it problematic for companies to transfer their industrial data out of Europe.
Furthermore, its impact on device manufacturers and data usage is twofold. First, it hampers manufacturers’ incentives to collect data for innovative purposes by increasing costs. In fact, products must experience a redesign to ensure that any collected data is accessible to the user or transferable to a third party. Consequently, this restrains exclusive profit and likely results in reduced data collection. Second, firms aiming to leverage the Data Act for data acquisition face innovation constraints. The Act restricts data use for competing with manufacturers and allows it only for agreed user purposes, primarily repair and maintenance. While it may enhance competition in these areas, it hinders major innovations requiring free experimentation and large-scale data acquisition. The Act’s consent requirement for data collection also complicates obtaining data at scale compared to bulk negotiations with manufacturers.
As mentioned earlier, the implications of the Act’s constraints on cross-border data transfers are substantial for companies both within and outside Europe. Prohibiting data sharing among companies’ facilities or operations hampers their capacity to innovate and derive insights from their experiences. These restrictions disproportionately impact EU tech firms, as global counterparts are better equipped to segregate EU customer data. The existing limitations on cross-border personal data flows under the GDPR are already proving costly for the EU and its business partners. Yet, the EU has chosen to impose restrictions on such transfers and possibly make them even more stringent.
Cloud computing providers are going to be hit particularly hard. The European Commission wants to enforce data storage in Europe, potentially benefiting local cloud services but at the expense of hindering global infrastructure leverage and scale. This move was aimed at boosting European cloud competitiveness against US giants. In fact, it runs the risk of harming the EU’s data economy by impeding cross-border data trade: it imposes substantial costs on businesses and isolates the EU data economy from global integration.
The growing concerns inside the EU regarding the Data Act
The Data Act faces criticism for potential conflicts with existing laws and concerns about compromising trade secrets, hindering contractual freedom, and preventing data transfer by non-EU companies. The IT industry and cloud service providers, in particular, fear that increased regulation may diminish the profitability of data sharing. Furthermore, the Act’s broad applicability across sectors, from connected devices to major industries, has raised eyebrows among key players such as Siemens, SAP, and Airbus. Their primary apprehension lies in the mandatory data-sharing requirements, especially with competitors, as it could expose sensitive commercial data, potentially leading to the creation of copycat technologies.
Besides, the rushed adoption process and ambiguous definitions in the final text have prompted industry groups, including the European Tech Alliance and Digital Europe, to call for pause and reconsideration. Many argue that the current proposal raises problems in regard to cybersecurity and competitiveness, especially during a period of economic turmoil. The research community is also dissatisfied, and points out that the legislation missed opportunities to provide scientists with more accessible data.
In brief, it is feared that a hastily executed implementation could pose risks to Europe’s competitiveness, innovation capacity, and data security.
The Data Act has potential negative impacts on innovation, investment, market access, legal certainty, and SMEs. While the law aims to address some of the challenges of the data-driven economy, it could stifle innovation and competitiveness in the EU.
The EU must reassess its strategy on data regulation, and move towards a framework that emphasizes contractual freedom, voluntary data sharing, and the principle of non-discrimination. Such an approach would cultivate a more adaptable and market-oriented environment. Additionally, the EU should refrain from enforcing compulsory data sharing among companies or governments and, instead, encourage voluntary frameworks that align with market interests. Lastly, there should be no constraints on cross-border non-personal data flows, as these restrictions would only hinder international trade, investment, and innovation.
Photo by Franck