The Data Act and the pitfalls of data sharing regulation

COVID-19 pandemic has inevitably accelerated the digital transformation of modern societies, which now more and more rely on new technologies and practices to foster growth and improve lives. In this context, the pandemic crisis has also shed light on the role of data as a driver for business and economic innovation. The “data economy” is estimated to have a growing impact on our daily lives: by 2025, the share of data volume is expected to increase globally from 33 zettabytes in 2018, to 175 zettabytes. With industrial data being de facto an economic resource, governments and businesses will be called to efficient and smart usage of such resource; data-driven techniques can serve multiple policy objectives, such as a better-informed policymaking, environmental policies, as well as they can help companies to better perform and develop innovative goods and services. This said, as often happens with economic resources, data may not always be available for each and every individual asking for it. Against this background, data sharing is becoming a crucial element of the data economy, which involves possibly all actors: we talk about three forms of data sharing, between businesses (business-to-business – B2B), between businesses and governments (business-to-governments – B2G) and between businesses and customers (business-to-customer – B2C). 

1. Industrial data sharing

From an industrial perspective, data is the key to develop and innovate new technologies. Artificial intelligence systems, for example, use massive datasets for training and testing. Furthermore, it is estimated that connected objects – the so-called Internet of Things – which process and generates tons of data, will grow from 20% in 2018 to 80% in 2025. 

It is therefore understandable that smooth and effective sharing of data may be a desirable industrial outcome for companies and economic actors in general, governments included. 

Nonetheless, B2B data sharing brings about many complexities from both the perspective of the data owner and the person who receives data. For the latter, access to shared data may be hindered by technical difficulties in processing them. Small and medium enterprises, for example, may not necessarily have the right infrastructure in place to access and effectively process data provided by a big data owner. Technical difficulties often also embed lack of adequate human resources: in the EU, 70% of businesses report a lack of staff with adequate digital skills as an obstacle to investment. On the side of the data owner, outstanding concerns with data sharing are represented by data protection and ownership.For both sides, instead, difficulties in determining the actual value of the data shared or obtained also prevents broader diffusion of sharing practices. 

Against this background, a framework of clear conditions may generate incentives for companies to foster the readiness to share their data with other actors. For European companies in particular, incentives may be generated by: (i) identification of data sharing potential; (ii) identification of business opportunities; (iii) a clear legal framework; (iv) financial benefits; (v) the possibility to serve customers needs; and (vi) other incentives including cybersecurity, and the possibility to benefit scientific research and pursue environmental objectives. While most of these incentives are strictly related the business side of data sharing, the possibility to operate in a well-defined legal and contractual framework is seen by a vast majority of European companies (37%) as a key driver to consider and develop data sharing practices. A sound data sharing legal framework should in particular address licensing rules, attributing ownership on the data that is being shared. 

2. Data sharing regulation

Can the above-mentioned incentives be created by mean of policy and regulation? The European Commission recently put forward a draft framework for the regulation of data sharing, dubbed Data Act. Part of the broader EU’s data strategy, this complex piece of legislation has the declared objective of fostering data sharing between enterprises, between business and customers as well as between businesses and governments. The new data framework, which at the current stage will be amended and negotiated by the European Parliament and the Council of the EU, would assign rights to data users and obligations to data holders and recipients. For this purpose, the Data Act identifies three types of data subjects: (i) the user, who owns, rents or leases a product or receives a service; (ii) the data holder, who has the right or the ability to make certain data available; and (iii) the data recipient, a legal or natural person to whom data holders make data available. 

As regards B2C data sharing, the new rules would require in-scope products and services to allow users’ data access by design and provide information on, i.a., the volume and type of data likely to be generated and the identity of the data holder. Users would have free access to their data and would be entitled to allow or veto data sharing with authorised third-parties. 

Data holders, on their side, will have to abide to a specific set of obligations, e.g. on granting fair, reasonable and non-discriminatory (FRAND) terms of access to data and on refraining from applying exclusivity agreements.

Part of the new legislation (Chapter V) would also regulate conditions for data sharing with governments and public entities (B2G). Under the Data Act, EU Member States’ public sector bodies or any EU institution will be able to request data from private companies under ‘exceptional need’, namely to respond to a public emergency, or where the lack of available data prevents the public sector body from fulfilling its legal obligations. Data must be provided free of charge, while rules for compensation are set out for specific circumstances. The public sector bodies will bear the burden of proof in demonstrating the exceptional need and in explaining the purpose of the request.

While pursuing the objective mentioned by Krotova et al. of creating a legal framework for data sharing, the Data Act – as it stands – may present some gaps from this point of view. The articulation of the proposal, for example, could enter in conflict with the General Data Protection Regulation’s principle of “data minimisation”, according to which a data controller should limit the collection of data to what is directly relevant and necessary to accomplish a specified purpose. 

On the B2G side instead, forcing companies to provide data to governments may also require them to disclose details of their pricing ability – de facto creating a disincentive to data sharing and raising competition issues.

Conclusions

 While pursuing the legitimate objective of favouring data sharing, regulation should not take for granted that data sharing is always a desirable outcome for businesses. A number of factors may indeed raise questions about the added value of data sharing. Publishing data is not enough to generate surplus value, thus data sharing is about the possibility to process and use such data to one’s advantage – which in turn may not always be feasible, at least not for every business actor. It follows that regulatory frameworks mandating data sharing, may disincentivise, rather than foster, the sharing of data.