France Digitale calls for a Data Act that matches its ambitions

France Digitale, the largest startup association in Europe, calls for a Data Act that matches its ambitions.

Paris, August 2022

 

On February 23, 2022, the European Commission presented its proposal for a Data Act, which, as part of the European Data Strategy, complements the Data Governance Act.

France Digitale welcomes a text that establishes horizontal rules for data sharing among companies, users and governments, including for switching between cloud service providers. However, we draw the regulators’ attention to the lack of clarity of certain provisions as well as their overlap with other pieces of European legislation, which may make the implementation of the Data Act difficult.

 

For a Data Act that matches its ambitions, France Digitale recommends the following:

A. Narrow down the scope of the proposal: the Data Act should only apply to raw data generated by a clearly defined category of “products”; the relation between products and “terminal equipment” under the e-Privacy Directive should be better specified.

 

B. Ensure consistency with the GDPR: the Data Act should allow for profiling and for the sharing of data by third parties with other third parties if: (1) one of the legal bases of the GDPR applies; (2) privacy-enhancing technologies like pseudonymization are used.

 

C. Reinforce protection against unfair contractual clauses: the Data Act should protect all types of companies, and not just SMEs, from unfair contractual obligations; model contractual terms should follow Fair, Reasonable and Non-Discriminatory (FRAND) principles.

 

D. Adjust B2G data sharing obligations: startups should only be obliged to share data, and especially trade secrets, with the public sector in a restricted set of “exceptional circumstances”, for very specific purposes and only with clearly detailed safeguards. Public sector bodies should ask for startups’ consent before sharing data with third parties like statistical offices.

 

E. Set short and clear deadlines for provisions related to cloud providers: the timeframe to remove switching charges should be reduced from 36 to 18 months, while the establishment of a monitoring body should take no longer than 6 months.

 

F. Allow for the free flow of non-personal data across borders except when concrete risks to fundamental rights, national security, or trade secrets are identified. Moreover, competent authorities should provide a “reasonable interpretation” of data access requests by third-country governments.

 

G. Encourage experimentation and collaboration: the EU should engage with open source communities to develop open interoperability standards and introduce sandboxes for the operators of Common European Data Spaces.

 

H. Ensure compensation for data sharing with third parties: the sui generis right protecting derived datasets should not be suspended.

 

Contact our team for more information: [email protected]