Clifford Chance
The EU Data Act proposal: data access
The EU's proposed Data Act is intended to unlock the potential of the data economy in the era of cloud computing and the Internet of Things (IoT) (see our previous article: The EU Data Act proposal and its interaction with competition, privacy, and other recent EU regulations). The Data Act proposal seeks to achieve this through three pillars: (1) access to data, (2) interoperability and portability of data and (3) data sharing and pooling. We devote this second post to the first pillar: access to data.
Access to data
One of the major policy concerns with regard to data generated by IoT products or related services is that such data is not always easily accessible to users. This results in users being unable to obtain data necessary to make use of providers of relevant services, such as repairs; Access to data by users and or user-authorised third parties can be crucial to helping businesses launch innovative, and possibly more efficient and convenient, services related to an IoT product.
The Data Act proposal establishes legal obligations to make IoT-generated data available to the following actors in certain circumstances:
- Users of IoT products or related services, by making the data directly accessible to the user or made available to the user upon request;
- Third parties (excluding undertakings that provide core platform services that have been designated as a gatekeeper), if requested by the user; and
- Public sector bodies and European Union (EU) institutions, agencies or bodies, on the basis of an exceptional need to use the data requested (e.g. respond to, prevent or recovery from a public emergency).
Competition: rights to, and enforcement of, access to data
Large firms with many users, particularly online platforms and intermediation services, data aggregators, social network providers and search engines have come under scrutiny for allegedly collecting vast amounts of data from their users, raising potential concerns around their ability to use such data to place competing firms (without the same access to data or customers) at a competitive disadvantage. In relation to dominant undertakings, such concerns have led to allegations of leveraging or self-preferencing, typically when such undertakings are vertically integrated across two markets. Such concerns were identified by the European Commission in its impact assessment of the Digital Markets Act (DMA), ex-ante regulation in part inspired by European competition law. Allegations along these lines have also been identified in recent European Commission investigations, such as AT.40670 Google - AdTech and Data-related practices, as well as its IoT sector enquiry. That being said, self-preferencing is still a relatively novel theory of harm, and by no means necessarily detrimental to consumer welfare, which is important to consider when assessing how competition law and policy approaches data-related practices that purport to give rise to such concerns.
How competition law has attempted to remedy such concerns by enforcing data access
Traditionally, European competition law has sought to remedy concerns around barriers to entry and leveraging that can arise from the accumulation of, and access to, data under the framework in Article 102 of the Treaty on the Functioning of the European Union (TFEU) (which prohibits abusive behaviour by companies holding a dominant position on any given market) and the “essential facilities” doctrine (according to which refusal by a dominant company to grant assess to an essential facility that it controls constitutes an abuse of a dominant position if the refusal has significant restrictive effects on competition). The related line of case law and Article 102 guidance have set a very high threshold for when dominant firms must share their property with competitors, in light of the risks around stifling innovation and reducing incentives to invest, thereby reducing competition in the long-run. However, the application of Article 102 in the context of “digital markets” in addressing the potential data-related concerns noted above has been questioned and debated. The perceived shortcomings of existing competition law to remedy data related concerns have led to the DMA imposing new obligations on “gatekeepers”[1] requiring them to give competitors and end users access to different types of data, as well as restricting how “gatekeepers” can collect and use data from across their “core platform services”.[2]
Impact of the Data Act proposal on competition
The DMA only subjects “gatekeepers” to its data access requirements, and existing competition laws do not typically mandate data sharing between companies outside of the essential facilities framework. The Data Act has been proposed as a way of promoting competition in aftermarkets for IoT products by giving users (and their representatives) the ability to request that the data generated by their use of a product or related service be shared with a third party for purposes determined by the users, albeit the Data Act proposal prevents the sharing of data with companies designated as "gatekeepers" under the DMA.[3] It remains to be seen whether such data access rights will in practice result in an increase in competition in the aftermarkets for IoT products given certain hurdles. For example, the scope of data that can be shared, if limited to raw data, may not be sufficient to promote competition as that may require access to aggregated data. Further, Article 5 of the Data Act proposal requires that third parties get access to users' IoT data under fair, reasonable, and non-discriminatory (FRAND) terms. This gives rise to the possibility of disputes in relation to the FRAND terms. Furthermore, the restriction on the sharing of IoT data with "gatekeepers" is not aligned with the goal of promoting competition in aftermarkets where "gatekeepers" could also be (potential) competitors.
Finally, it is worth noting Article 88 of the Data Act proposal which clarifies that the Data Act is not intended to affect the application of the rules of competition, including Article 101 TFEU, which prohibits agreements that have an anti-competitive object or effect in the EU. This might give rise to the need for complex antitrust risk assessments for companies where the sharing of information is required under the Data Act proposal, but where such sharing has the potential to result in an anti-competitive exchange of information between competitors.
Impact of the Data Act proposal on privacy
As the term "data" in the Data Act proposal comprises both personal and non-personal data, the provisions dealing with access to data in the Data Act proposal will have an obvious interplay with EU privacy law: making data available amounts to "processing" data under the General Data Protection Regulation (GDPR).
Therefore, even if the provisions of the Data Act proposal are in line with the GDPR, transferors of data (i.e. those who grant access) and transferees (i.e. those to whom access is granted) will have to analyse whether the data being accessed includes personal data – an assessment which is not always straightforward. If personal data is involved, the parties will need to assess which obligations and principles need to be complied with in order to make their respective processing of such personal data compatible with the GDPR. In particular, data controllers will need to pay special attention to the legal bases for the processing (especially if personal data is provided to third parties other than the data subject), information obligations, implementation of technical and organisational measures to secure the transfer of the personal data, and compliance with additional requirements for any restricted transfers outside the European Economic Area.
Special attention should be paid to those cases where the user (i.e. the individual who requests access under the Data Act proposal) is not the data subject. In this scenario, the right to privacy of the data subject could be at risk, as another individual (the user, or even a third party appointed by the user) could gain access to the data subject's personal data. The Data Act proposal already foresees these scenarios and states that the personal data generated by the use of the product or related service will only be made available to a user or a third party who is not the data subject if a legal basis for processing that data exists. Although the Data Act proposal does not specify which legal basis would apply, the most likely legal basis to be applicable would be the data subject's consent, or in some cases it may be possible to rely on the existence of a legitimate interest pursued by the data controller or a third party (for example, the user who requests access or the third party to whom access will be granted at the user's request).
Conclusion
In terms of competition, while the Data Act proposal is intended to promote competition in the aftermarkets by enabling the sharing of IoT data, its achievement of these aims will not be straightforward and will depend on a proper balance being struck between the Data Act, existing competition laws and the desire to regulate "gatekeepers" under the DMA.
From a privacy angle, actors will need to carefully apply the GDPR when complying with the Data Act: first of all, to detect whether the data includes personal data and, if so, to secondly ensure compliance with the provisions of the GDPR so as to make access under the Data Act "GDPR compliant" (it should not be assumed that access requests under the Data Act can be granted without adopting additional measures from a privacy perspective).
Read our in-depth review of the data access provisions included in the EU Data Act proposal, its interaction with competition, privacy, and other recent EU regulations. The full article is available here and was originally published on Thomson Reuter's Practical Law.
This article is based on the European Commission’s Data Act Proposal dated 23 February 2022. The Data Act will shortly be entering the trialogue process, through which the text will be negotiated by the European Commission, the European Parliament and the Council of the European Union.
Upcoming: our next article will look at how the interplay between competition and privacy impacts interoperability and portability.
Notes
[1] Companies which, under the DMA, are viewed as having "considerable economic power" and "feature an ability to connect many business users with many end users through their services". To be designated as a gatekeeper, an undertaking providing certain defined core platform services (CPS) must have the ability to have a significant impact on the EU internal market, provide a CPS that is an important gateway for business users to reach end users, and enjoy an entrenched and durable market position, or it is foreseeable that it will enjoy such a position in the near future. For further information on the DMA and the criteria to be met to be designated as a "gatekeeper", please see "The Digital Markets Act: A new era for the digital sector in the EU"
[2] For further information on the obligation of "gatekeepers", please see "The Digital Markets Act: A new era for the digital sector in the EU"
[3] Article 5(2), Data Act proposal.