- The European Commission has initiated the Data Act to stimulate sharing production data generated by connected devices.
- The regulation has raised concerns among companies over obligations to share sensitive information that could be classified as a "trade secret".
- The final adoption of the new legislation is expected by spring, and the time to react is extremely tight.
The EU expects to generate €270 billion in additional GDP by 2028 with a new data regulation aiming to open up the market for production data generated by connected devices. The new regulation will affect all manufacturers of smart devices intended to be embedded in an industrial or consumer computer network (IoT). Producers will need to share data related to diagnostics, power consumption, efficiency, etc.
Thierry Breton, Commissioner for the Internal Market, commented: "Only a fraction of industrial data is used so far, and the potential for growth and innovation is huge. The Data Act will ensure that industrial data is shared, stored and processed under strict compliance with European rules."
The volume of data is constantly increasing, from 33 zettabytes generated in 2018 to 175 zettabytes expected in 2025. Currently, 80% of industrial data is never used. The Commission believes the new rules will make data more available for reuse by governments and businesses, ensure the option to switch to the cloud and guarantee data interoperability across the EU.
The serious concerns of business
At the same time, businesses warn: "if we adopt this legislation in such a hurry, GDPR will seem like a child's game to us", in the words of BusinessEurope, one of the largest lobbying organizations in Brussels, representing more than 40 national branches and employer organizations. The data referred to in the Commission's proposal also largely affects the trade secrets of enterprises, and once the new legislation enters into force, companies will be obliged to share it with customers, service providers and possibly governments or European institutions. In this context, there are several problems: data legislation in the EU is relatively new and companies are not fully aware of it; in many countries there is no clear definition of a trade secret and of who has rights over it; and organizations are not familiar with the related terminology.
In fact, only 38% of businesses approve of the EU's draft legislation (as opposed to 91% of public bodies who want such legislative action), according to the Commission's preliminary analysis. The dossier is already going through its legislative procedure and it is several months away from coming into force. Politicians, analysts and companies warn that there is extreme pressure for this to happen too quickly - by spring - which poses huge and hard-to-measure risks for businesses, given that this is legislation comparable in effect to the GDPR, but with a larger volume (and also directly related to the latter).
The legislation in brief
If the Commission's proposal is accepted in its current form by the European Parliament and the Council, then in future manufacturers and designers will have to design their products in a way that makes data easily accessible. Data from smart devices, whether business-to-consumer or business-to-business, generated by a user is to be made available to third parties. For example: when buying a smart washing machine with insurance guaranteed from the manufacturer, the latter will be available to a third party specified by the user.
It is also the duty of the manufacturer to share sensitive data that will be necessary for the provision of a third-party service that is requested by the user. The condition is that measures are taken to preserve the confidentiality of the trade secret, and the third parties who receive the data are directly obliged not to use it for a competing product.
Additionally, in the event of a crisis or emergency (which is not well defined in the draft), public sector bodies will be able to oblige the producer to provide access to user-generated data.
The regulation will affect all sectors, most notably manufacturers. However, micro- and small enterprises will be exempted from the obligation thanks to a conservative MEP and rapporteur in the EP on the subject, Pilar del Castillo Vera, who points out the risk of overloading small and medium-sized enterprises "by imposing additional design obligations in relation to the products they design or manufacture or the related services they may provide".
"Trade secrets create the competitiveness of market participants. Those secrets are a function of management decisions, investments, development and innovation that companies have undertaken over the years. This is also related to the level of business risks that companies take. Accordingly, the obligation to provide trade secrets to a number of users and to other companies, would have a chilling effect on investments in Europe in smart products," says Svetlana Stoilova, digital economy advisor at BusinessEurope. "Furthermore, if in Europe company data related to trade secrets can easily be requested by users, it is not clear with what intentions new users or newly created service providers will start requesting this data and where in the world the information will be shared and for what purpose," she adds.
In brief, confidentiality is not guaranteed in the legislation. The question of how a nondisclosure agreement with an individual is enforced also remains open. What would be the technical means to stop a party from sharing a trade secret? Once disclosed, the trade secret's value is lost. Regardless of whether the company whose secret was leaked wins a lawsuit or receives compensation, the damage is done.
Moreover, a study requested by the Commission itself concluded that it is better not to rush into legislation on the subject, but rather to propose soft measures and clarifications on how to preserve trade secret protection in the data economy. The obligation not to use the obtained data to launch a competing product is also difficult to implement in practice because there is no definition of what a "competing product" would be.
The opinions of the various legislative consultation bodies are also rather disappointing. The Regulatory Scrutiny Board, the Commission's independent body that advises the College of Commissioners, explains that a clear purpose of the new legislation and how it fits into the overall legislative framework is needed.
The opinion of the European Data Protection Board, whose aim is to ensure consistent application of the General Data Protection Regulation and to promote cooperation between EU data protection authorities, contains a criticism of aspects related to the GDPR and in general how the data regulation and GDPR will work together. The lack of well-grounded and defined data sharing policies, especially between business and government, is also problematic.
"Security activity data is related to critical and very sensitive operations and procedures. With access to this data, it would be possible to gain a very deep understanding of the installation and operation of the system or service. This would lead to a very high risk of breaches in security, including cyber security breaches, both for a given customer installation and for the entire security system," Euralarm, which represents the EU fire safety and security industry, revealed. "The criticality of data generated by security systems (such as video surveillance systems) is already recognized by national laws governing personal security and the installation of video surveillance systems. These laws restrict the right to share information related to or generated by the systems. Therefore, the data sharing provisions in the draft Data Regulation are in conflict with these national laws," the organization also believes.
On the other hand, "businesses proactively cooperate with the state when there is a public crisis/state of emergency. This was also obvious during the pandemic," says Svetlana Stoilova. "The lack of specification in the new regulation's requirements for businesses to provide data to the public sector when there is no crisis is also unclear from the point of view of democratic transparency and accountability. It is not well defined why it is necessary to skip the normal legislative procedure. If the public sector believes that given data is necessary for the performance of a service of public importance, what prevents the relevant law from being amended or updated so that there is a clear trace of when and how this data can be requested by the public sector body in question?" she adds.
"Finally, access to clean operational data/metadata does not provide any benefit to the end user, nor does it allow for smoother switching of providers. Therefore, there is no benefit in allowing/imposing any requirements on how the data should be accessible or managed," commented Euralarm.
When will it take effect?
At the moment, the legislative proposal from the Commission is going through several committees in the European Parliament in parallel, and there is political pressure for a quick decision. According to the Brussels publication Euractiv, the Czech presidency of the European Council is actively seeking compromises on the most problematic texts, and the goal is to reach a political agreement by spring. This means the new rules will enter into force from 2024 (after the one-year adaptation period has passed).
The Czech Presidency's proposals touch on the scope of the law, the sharing of data from IoT devices and the resolution of disputes. Furthermore, in order to make the project easier to adopt, it is proposed that public access to data be limited to a few European institutions rather than governments. It is envisaged that device manufacturers will be required to install interfaces on connected devices for easy data export within one year of the entry into force of the regulation.
Businesses can still react at short notice through their MEPs or governments (in the Council) to change critical points in the new data legislation while still preparing for it to take effect.