Statement
EU Data Act Proposal
Transparency register number: 1771817758-48
Federation of German Industries (BDI)
13 May 2022 01.2019
BDI statement on the EU Data Act Proposal
Table of contents
Preliminary remarks
Chapter I: General Provisions
  1.1. Relationship to the GDPR
  1.2. Definitions
Chapter II: Business to consumer and business to business data sharing
  2.1 Access-by-design
  2.2 The "triangular relationship" of data holder, user and data recipient
  2.3. Trade secret protection
  2.4. Contractual use of non-personal data pursuant to Art. 4 (6) DA-E
Chapter III: Obligations of data holders legally obliged to make data available
Chapter IV: Unfair terms related to data access to and use between enterprises
Chapter V: Making data available to public sector bodies and Union institutions, bodies, agencies, or bodies based on grounds on exceptional need
Chapter VI: Switching between data processing services
Chapter VII: International context non-personal data safeguards
Chapter VIII: Interoperability
Chapter IX: Implementation and enforcement
Chapter X: Sui generis right under Directive 1996/9/EC
Chapter XI: Final Provisions
About BDI
www.bdi.eu
Preliminary remarks

The BDI supports the intention of the EU Commission to promote the use and fair sharing of data. The fact that many companies still have some catching up to do in the economic use of data is shown by a representative study commissioned by the BDI entitled "Data Economy in Germany".1 Of the approximately 500 companies surveyed, only a total of 28 percent could be classified as "digital" with regard to their own data management. 23 percent of the companies surveyed stated that they regularly search for new data sources and possible uses as part of a strategic process. 45 percent of the companies do not use data at all to optimise products or business models. Mirroring this, only twelve percent of the companies surveyed are willing to share their own data with third parties.

The Data Act offers the opportunity to shape a data economy guided by European values. However, it is to be feared that the Data Act will be associated with considerable additional effort, costs and legal uncertainties for many companies, and that they will have less incentive to invest in their own IoT products and services as a result.

With the present proposal for a regulation on harmonised rules for fair access to and use of data (Data Act), the European Commission is choosing an extremely complex set of horizontal rules that would fundamentally change the "rules of the game" of the European data economy. As already noted in our submissions in the run-up to the legislative proposal,2 the need for such a broad intervention in the basic principles of the data economy in still young markets is not sufficiently apparent to us. In its most recent progress report, the EU Commission itself points to a very heterogeneous development in the individual industries and sectors, regarding the EU data spaces.3 In this respect, a more sector- and application-specific approach seems to be much more effective in advancing the data economy in Europe.
The draft misses the opportunity to remove some major obstacles to the economic use of data - for example, the demarcation from the scope of the General Data Protection Regulation (GDPR). Instead, all IoT fields of application are subject to considerable additional requirements, interference in private autonomy and specifications for product design, without it being clear whether this will lead to the desired positive effect for the European data economy, or whether there are even negative effects to fear, e.g. if companies deliberately do not collect data in the future.

The role of the EU Commission should be limited to adopting measures that would promote data exchange in industrial sectors and lead to a data ecosystem in which, for example, voluntary model contract terms recommended by the EU Commission play an important role. In parallel, existing instruments, especially EU competition law, can also be used to correct the imbalance that has arisen in the affected sectors or markets, in the event of a structural market failure.

It is also important to ensure the greatest possible coherence of the Data Act with other European regulatory activities. This concerns, for example, the Digital Markets Act, the Digital Services Act, the Data Governance Act and the AI Act.

The Data Act must refrain from a general and undifferentiated obligation to provide B2B machine data from operators or equipment suppliers of industrial plants. Data sharing in the B2B context should be based primarily on freedom of contract and market incentives.

In the submitted legislative proposal, we note in several places that the protection of sensitive information, including trade secrets, is not sufficiently ensured. Such sensitive information must generally be exempted from the obligation to share data and mechanisms to protect against competitive disadvantages must be anchored, as the safeguards provided by the Data Act (conclusion of NDAs, prohibition of the development of competing products, purpose limitation of data use) are not sufficient to meet the need for protection of the data (inferences about algorithms, source codes, recipes). To this end, a revision of central definitions in Chapter I in an industry-suitable sense is essential.

In the following chapters, we will comment on the individual aspects of the EU Commission's legislative proposal.

1 "Datenwirtschaft in Deutschland - Wo stehen die Unternehmen in der Datennutzung und was sind ihre größten Hemmnisse?", IW study commissioned by the BDI, February 2021, available at: https://bdi.eu/media/publikationen/?publicationtype=Studien#/publikation/news/datenwirtschaft-in-deutschland/.
2 BDI statement of 03.09.2021 in the context of the public consultation on the EU Data Act.
3 Commission Staff Working Document on Common European Data Spaces, SWD (2022) 45 final.

Federation Of German Industries
German Lobbyregister Number R000534
Address: Breite Straße 29, 10178 Berlin
Postal address: 11053 Berlin, Germany
Contact: Dr Michael Dose
T: 030 2028 1560
F: 030 2028 2560
E-mail: m.dose@bdi.eu
Internet: www.bdi.eu
Chapter I: General Provisions

1.1. Relationship to the GDPR
With its broad understanding of "data", personal and non-personal data are equally covered by the requirements of the Data Act. The legislative proposal fails to provide necessary clarifications and harmonisation with the General Data Protection Regulation EU 2016/679 (GDPR). This is a missed opportunity to address one of the key practical obstacles companies face in the data economy. In a study commissioned by the BDI and conducted by the IW Cologne "Data Economy in Germany", 85 percent of companies cited "grey areas under data protection law" as a key obstacle to greater economic use of data.4 It is to be feared that the Data Act in its present form will further strengthen these obstacles.

For a legally compliant and practicable data economy that meets the requirements and obligations of the Data Act on the one hand and those of the GDPR on the other, practicable criteria are needed to legally distinguish between personal and non-personal data. This is because, according to Chapter II of the Data Act, the data holder's access obligations can also concern personal data and, in this respect, also data that does not relate to the user but to third parties. It is clear from Articles 4 and 5 of the Data Act that users' access and disclosure claims may also include user-generated data relating to persons other than the user. Although the Data Act requires justification under the GDPR in each case, it requires the data holder to verify this. If the data holder cannot make user-generated data relating to persons other than the user accessible to the user in a data protection-compliant manner or pass it on to a third party at the request of the user, the data holder must refuse access or disclosure under the GDPR. For data holders, this results in the need to check and determine for each data item whether it is personal or non-personal data.
Since in industrial practice, the factual demarcation between personal data and non-personal data (for example in the case of "mixed data sets") is associated with great legal uncertainty, there is a risk, in view of Chapter II of the Data Act, that the "data holder" may unknowingly provide a third party with access to personal data that does not concern the user without such access being legitimised by the GDPR; on the other hand, if data is misclassified as personal data and access is subsequently denied on data protection grounds, there is a risk of a breach of the Data Act's obligations to grant access. In the event of a breach, both the Data Act and the GDPR can impose severe sanctions on the data holder or data controller. For "data holders" who are also "data controllers" under the GDPR, this discrepancy means that it would be necessary to make a binding decision for each individual data item to determine whether a personal reference exists in order to be able to fulfil the obligations under the Data Act and the GDPR. Such a definitive determination for each data item is practically impossible in view of the existing legal uncertainty as to when a data item (still) constitutes a personal reference. This also applies in particular against the background of the existing uncertainties as to how personal data can be anonymised and not just pseudonymised; pseudonymised data is also subject to the GDPR as personal data, whereas anonymised data is exempt from the GDPR. Moreover, a definitive classification of data as non-personal or personal data, even if it were possible, would require an immense amount of personnel and time, which is practically unaffordable, especially for SMEs. Furthermore, with regard to the verifiability of such a classification in terms of the verifiability of compliance with the requirements of the Data Act on the one hand and the GDPR on the other, a multitude of unresolved, but indispensable questions would arise in practice, e.g.:

▪ Would there be claims on the part of users for a step-by-step approach, according to which classification and subsequent disclosure can be demanded first, in order to then be able to derive further claims from the Data Act if necessary?
▪ Will an extension of information and consent forms be necessary for "data holders" or "data controllers" under the GDPR?
▪ How should information about compliance with the requirements of the GDPR and the Data Act be provided (for example, in patient education)?

4 "Datenwirtschaft in Deutschland - Wo stehen die Unternehmen in der Datennutzung und was sind ihre größten Hemmnisse?", IW study commissioned by the BDI, February 2021, available at: https://bdi.eu/media/publikationen/?publicationtype=Studien#/publikation/news/datenwirtschaft-in-deutschland/.
Without practicable criteria for the unambiguous and legally secure classification of data as personal or non-personal, it should be clarified in the Data Act that the data access claim of the "user" from Chapter II does not establish a legal claim to request the personal data of other data subjects. This is because the current wording of Art. 4 (5) or Art. 5 (6) of the Data Act provides that it is up to the data controller (data holder) to assess under the GDPR whether to grant the user access to the personal data of other data subjects. In such cases, the exact mechanism between portability rights under Art. 20 GDPR on the one hand, and portability rights under Art. 4 and 5 DA-E on the other, is not yet sufficiently clarified. This also applies to rights of access in situations where the rights of third parties as data subjects are affected.

In addition, companies need reliable and practical guidance on the application and interpretation of the GDPR. This applies, for example, to guidance regarding the requirements for data protection-compliant anonymisation of personal data.

For German industry, there is no question that the regulations standardised in the GDPR, and the freedoms protected by fundamental rights, especially the right to informational self-determination of the individual, are important cornerstones for the high level of data protection that Europe can boast in international comparisons. For this reason, many industrial companies have a great interest in working with anonymised data to a much greater extent. With regard to the legislative requirements, it must be stated that the GDPR does not contain any concrete requirements for the anonymisation of personal data and the Data Act will further exacerbate the already existing uncertainties in practice. Due to the resulting legal uncertainty and the lack of uniform standards, companies often refrain from participating in this project at present. In the IW Cologne study "Data Economy in Germany", 73 per cent of companies cited "a lack of standards for the anonymisation of personal data" as an obstacle to greater economic use of data.5 In order to be able to use the economic potential of anonymised data and, at the same time, maintain the high European level of data protection, the BDI believes that legally secure and, at the same time, practicable requirements, for example via the possibility of codes of conduct in accordance with Article 40 of the GDPR, are of central importance for data protection-compliant anonymisation of personal data. Corresponding guidelines should be developed in close consultation and cooperation with industry and build on best practices.6

1.2. Definitions
A fundamental problem of the Commission's proposal is that key terms are either not defined at all, or are defined with little clarity. In this respect, the Data Act-E leaves considerable room for interpretation regarding the scope of application and the practical reach of many regulations, which leads to great uncertainty in practical application. From an industrial perspective, the definitions in Art. 2 DA-E harbour the risk of leading to more legal uncertainty and thus less value creation. Therefore, the central definitions should not only be mentioned in passing in the recitals, but should be specified directly in Art. 2 DA-E.

Art. 2 (1) DA-E "Data": The definition of "data" is conceivably broad and very imprecise in view of the numerous specifications - especially with regard to the data provision obligation in Chapter II. After all, the data obtained in machines and the files then generated are by no means homogeneous. Data originating from industrial machines may differ in terms of processing (raw vs. analysed or processed data), disclosure of trade secrets and know-how, and the commercial and technical feasibility of making them available.
5 "Datenwirtschaft in Deutschland - Wo stehen die Unternehmen in der Datennutzung und was sind ihre größten Hemmnisse?", IW study commissioned by the BDI, February 2021, available at: https://bdi.eu/media/publikationen/?publicationtype=Studien#/publikation/news/datenwirtschaft-in-deutschland/.
6 Cf. BDI guideline "Anonymisation of personal data", 2020, available at: https://english.bdi.eu/publication/news/anonymization-of-personal-data/.
It is also unclear when the threshold of "information derived or inferred from this data" (recital 14), which is not subject to the Data Act, exists. The present definition will lead to great uncertainty in application practice as to which (non-)personal data are covered by the data access claims of Chapter II. In order for the positive effect intended by the EU Commission for a fair data allocation to occur at all, such a differentiation must not be left to the companies themselves. In order to ensure practicability and legal certainty for all actors, the Data Act must provide for a differentiated treatment of "data", taking into account the type of data, as well as the feasibility and side effects of its provision (e.g. in files or databases). It must be clearly determined whether only raw data is covered and only data actually used by the "data holder" for its own business transactions is affected and no volatile data is included in the definition. In addition, it must be ensured that no (warranty and/or liability) claims arise due to its nature (data "as it is").

Art. 2 (2 and 3) DA-E "product" and "related service": It remains unclear which components (e.g. sensors) and functions of a physical asset fall under the definition of a product, especially in view of the accompanying recitals 14 and 15. In industrial applications, individual components cannot collect data spontaneously, but only on the basis of their special and individually tailored configuration by the respective user or the engineering provider commissioned by him. However, it follows from recital 15 precisely that products that collect relevant data only on the basis of human input, do not fall within the scope of the Data Act.
Against this background, it would therefore be desirable that (1) the additional requirement of "human input" be included in the product definition and (2) industrial applications (such as industrial controls as well as industrial PCs) be included in the examples of Recital 15 for the sake of clarification. Especially industrial components can only fulfil their functions on the basis of certain human input configurations of the user. In addition, it would be desirable to clarify whether the individual component must already be able to fulfil the technical requirements independently due to its design, or whether it is sufficient that the technical requirements are fulfilled in interaction with other independent modules. For example, an industrial controller does not establish its own network connection by default, but can only do so if the user connects an additional network module. Furthermore, it is unclear whose perspective should be decisive in the assessment of the individual requirements of Art. 2 (2) DA-E. Clarification is necessary here because this would have a direct impact on Chapter II and any obligation to provide data. Furthermore, the definition of "related service" in Art. 2 (3) DA-E urgently needs to be clarified. Given that the focus of the article is on product manufacturers as well as their services offered with the products, only physical products as well as their core functions should also be covered by it. Otherwise, virtually any kind of "related services" provided by any market participant would fall under the
scope. Data services that use data of a product but are not directly linked or sold with the product should thus be excluded from the scope.

The legislative proposal lacks a definition of "competing product". This is mentioned in recital 35 and is of great importance for the economy/fair competition, as Art. 6 (2 e) DA-E contains specifications in this regard. In the absence of a definition, it remains unclear whether "competing product" only refers to products in the sense of Art. 2 (2) DA-E, i.e. only physical and movable objects, or whether the understanding of the term also covers "connected services", i.e. software and data-driven services, beyond Art. 2 (2) DA-E. The prohibition on using data obtained from the data holder for the development of a competing product should apply not only to products, but also to related services and virtual assistants. There is no obvious reason to limit the scope of such a prohibition in Art. 6 (2 e) DA-E to products, while the data can also be obtained by connected services and virtual assistants. An understanding based on Art. 2 (2) DA-E entails the risk that competitors could benefit indirectly by developing (software-driven) products/services on the basis of the extracted data, which would then in turn compete directly with the original product/service.

Art. 2 (5 and 6) DA-E "user" and "data holder": The legislative proposal gives the impression of a very simplified, dichotomous, and not practical understanding of the relationships between producers and customers in many areas of industry. The draft does not take into account that in multilateral and -directional value creation networks, the "user" of a physical asset is also - and in many industries even as a rule - the "data holder". As far as the DA-E states in its introduction that "the manufacturer or designer of a product or related service typically has exclusive control over the use of data generated by the use of a product or related service" (cf. p. 13 of the DA-E), this cannot claim validity for the industrial sector in all cases. The equation "manufacturer = data holder" does not reflect the industrial reality in many cases. Against this background, the terms "user" and "data holder" must be clarified in accordance with industrial practice.

There is also a need for clarification to the effect that the "user" is defined in accordance with recital 18 via a corresponding contractual relationship. This is not expressed clearly enough according to Art. 2 (5) DA-E by the wording "or receives a service", but should rather be replaced by "or makes use of a contractual service". In order to ensure legal certainty, it should also be made clear that there can be several "users".

Clarifications are also necessary with regard to the definition of "data holder". The definition of data holder appears to be at least partially circular, as the DA-E itself defines the term "data holder" as "the right or obligation, in accordance with this Regulation (...) to make available certain data" (cf. Art. 2 (6) DA-E). Thus, it currently remains unclear whether the "data holder" is the one who produces the product (which in many cases does not reflect the industrial practice) or rather the one who holds the control over the data -
and thus the actual possibilities of influence. We therefore argue for a specification of the data holder as the one who has de facto control over the data and point out that in many industrial use cases this role is simultaneously filled by the user of the component in question. With regard to the vehicle market, for example, the question arises as to who is to be regarded as the "data holder" in the case of so-called "third-party apps" that are offered as part of the "vehicle" product and generate data.

Art. 2 (13) DA-E: The term "service type" is of central importance for the delimitation of the scope of application of the regulations provided for in Chapter VI. However, the definition leaves too much room for interpretation, as the term "service model" on which it is based is not specified more precisely and there is also no uniform definition of "service model" in the IT sector.

The DA-E refrains from defining the terms "manufacturer" or "service provider", although manufacturers and service providers are to be equally covered by the scope of application of the Data Act, cf. Art. 1 (2 a) DA-E.

Chapter II: Business to consumer and business to business data sharing

As the EU Commission itself rightly emphasises in recital 28, the tension between the legitimate interests of the "data holder" and the "user" or "data recipient" must be equally taken into account in statutory data access regulations. Any legislative intervention must take into account that non-personal industrial data is based on prior investment in the collection, storage, structuring and (pre-)processing of the data and has an economic value. The development and implementation of networked industrial plants requires high investment and is know-how-intensive. An Industry 4.0 solution is composed of sensors, actuators, connectivity, data concepts and often customised service offerings.
Data are not free goods and markets must provide sufficient incentives for investments in connected machines and data-based services. The regulatory framework must protect these investments.

In many industrial B2B use cases, the "data holder" can be classified as an SME. The technical and legal obligation to make data available will place a significant burden on such companies - especially those that produce in small quantities and cannot benefit from economies of scale. It is therefore to be welcomed that micro and small enterprises are to be exempted from the obligations of Chapter II.

The legislative proposal chooses a broad, horizontal approach without sufficiently taking into account the different requirements and needs of different sectors in the B2B and B2C relationship. The "one-size-fits-all" approach proposed in the Data Act does not do justice to these heterogeneous market relationships. For example, (pre-) contractual information and
transparency obligations are also extended to the B2B context, without any particular need for regulation becoming apparent. At the same time, the Data Act contains many considerations for the transfer of data without sufficiently ensuring that the data is passed on to the authorised user. The transfer requires further technical specifications, which should not be left unregulated in order to ensure the quality and the security of the data. At the same time, the Data Act should take into account the special features of certain areas and, for example, for medical devices, observe certain delimitations resulting from the Medical Device Regulation (MDR).

With regard to the product design requirements and the data access and transmission rules, it is unclear to what extent these requirements extend to products already on the market. Due to the enormous costs of any subsequent modification of products, it must be made clear that Chapter II only applies to new products.

2.1 Access-by-design

In order for the Data Act to lead to more data-driven value creation, legal uncertainties resulting from additional product requirements according to the "access-by-design" principle pursuant to Art. 3 DA-E must be prevented. According to Art. 3 (1) DA-E, manufacturers must design their products in such a way that access to the data generated by the use of the product can be made possible by default. For SMEs in particular, this results in considerable requirements for the manufacturer, which concern not only the product, but also transparency and information obligations, for example about the type and scope of data collection. These considerable interventions in the product design may only apply to new products and must be taken into account via corresponding lead times for the production and development of the corresponding products, especially since such interventions may require renewed product certification with a process period of at least one year.
Such interventions in the product design could, moreover, endanger the functionalities of the products quite considerably. If, for example, an industrial steering system has to be designed in such a way that it has to grant data access from within itself - and not via additional modules - special characteristics of a steering system (determinism, equidistance) could suffer. Precisely because industrial controls must focus entirely on their function at the I/O level, they are deliberately equipped exclusively with minimum functions that are necessary for commissioning the control. For this reason, access should be limited to only those data that are actually being transmitted: For example, there is sometimes data that is generated during use, but - at least so far - remains in the product and is not utilised because there is no meaningful application scenario for it at this point in time. If all data generated by the use of the asset were affected by the Data Act, this would create an unintended incentive to generate as little data as possible. If this data were also covered by the mandatory access option, manufacturers
would be forced to incorporate corresponding interfaces, etc. (investments) or to change the product technically in such a way that data use would never come into consideration, even if an application scenario arose in the future. This is especially true for battery-powered low-power IoT products, whose very limited energy budget must last for several years (typically five to ten years). Data transmissions outside the specified use case can drastically shorten the lifetime of these products. In addition, data-based innovative add-ons that require prior investment for data generation would be prevented. This would be diametrically opposed to the Data Act's goal of promoting data-based value creation.

There is still a need for clarification to the effect that the data generated during their use should be simple, secure and directly accessible to the user by default ("data access by design" or "by default") and thus be brought into line with both the data security requirements from Articles 25 and 32 of the GDPR and the product regulations pushed by the EU Commission, such as the Radio Equipment Directive (RED) and technical standardisation for more data and cyber security.

2.2 The "triangular relationship" of data holder, user and data recipient

With regard to data access and data portability rights of IoT product data in Chapter II of the Data Act, the EU Commission chooses a model with the "data holder", the "user" and the "third party" that does not adequately reflect complex industrial value chains. The EU Commission's highly simplified assumption of value chains chosen here prevents the Data Act from unleashing its full potential of data-driven value creation. In Industry 4.0, a large number of actors (machine manufacturers, software and component providers, and customers) work together and share data for mutual benefit.
Particularly in combination with the very vague definitions in Chapter I, the Data Act leaves many questions open as to how the approach chosen here is supposed to function in this industrial context. For example, the approach focuses one-sidedly on the role of the asset user or operator and does not take into account the role of the component provider or seems to subsume this under the asset provider or supplier, who also has an interest in the usage data of their component, which they do not usually have in industrial practice. This is an example of the misguided basic assumption of the Data Act that in the industrial sector the manufacturer of a product is to be qualified as the data holder. On the contrary, the (component) manufacturer is usually cut off from using the data generated by its components, both technically and due to contractual provisions. Chapter II suggests (also taking into account the introductory Explanatory Memorandum) that the IoT asset provider is in fact to be regarded as the "data holder". However, in many cases this understanding misses the point of industrial practice, because here the "user", i.e. the customer who uses the product, usually also possesses the usage data.
It also remains unclear how far-reaching the obligation to provide "the data generated by the use of a product or related service" mentioned in Art. 4 (1) DA-E is to be understood. For example, in cases where AI algorithms are trained with the user's data, must the results also be released to the user? This would devalue the performance of the algorithm developer under copyright or possibly patent law. It is still unclear whether the obligation to provide the data leads to an obligation to collect corresponding data, even if this is not collected in the standard configuration.
2.3. Trade secret protection
Trust between different actors is the basis for achieving data-based value creation. Industrial data sharing in the B2B context is very sensitive with regard to the protection of trade secrets, as well as the business aspects, which is why a specific approach should be sought to avoid legal uncertainties. A central interest for the "data holder" lies in the protection of their trade secrets. However, in contrast to the relationship with the GDPR, Chapter II addresses the relationship with the applicable trade secret protection by removing such data from the data holder's sphere of influence via the data access claims. In order to counteract the negative consequences to be feared for the willingness to innovate and invest in the generation and processing of data, the BDI calls for the protection of sensitive information, including trade secrets, to be generally exempted from the obligation to exchange data or at least to be accompanied by the right of the disclosing party, which is limited to trade secrets, to demand significantly more extensive security measures (e.g. of a technical nature), which may, however, prevent the free use of the data by the user. Such an exception would also eliminate the threatening inconsistencies with regard to Chapter III (Article 8(6) DA-E). While Art. 8 (6) DA-E generally exempts the disclosure of trade secrets from the principle of the right to access data, Chapter II deviates from this. Particularly in view of possible further sectoral data access regulations, a uniform definition of the principle of trade secret protection and its concrete scope is needed here. According to the conception of Art. 4 (3) and Art. 5 (8) DA-E, "data holder" will in future be obliged to pass on such data to the "user" or third parties commissioned by the user. In this respect, the trade secret leaves the sphere of influence of the data holder and the latter must agree on appropriate protective measures with the "user" or "data recipient". 
In order to prevent misuse, the draft Data Act does provide for numerous restrictions on use for re-users, such as the ban on using the data for other purposes or for the development of competing products. However, how compliance is to be monitored, proven and enforced remains completely open, as the manufacturers lack sufficient control options. The distribution of the burden of proof also remains unclear. It is completely far-fetched that SMEs, for example, could even begin to exercise any agreed audit rights within the framework of the customer relationship. This is especially true if the data
enters international value chains. It also remains unclear to what extent such safeguards can be imposed unilaterally. For example, it remains open what the consequences are if "users" or "data recipients" of the data do not agree to the confidentiality obligation or data use agreement submitted by the "data holder" or only agree to it with (unacceptable) amendments. Since the principle of data provision even applies to competitors, taking into account the anti-trust regulations according to Art. 101, 102 TFEU, clear regulations are necessary to protect data holders in order to avoid inhibiting effects on the willingness to innovate and invest. This includes that the data holder can demand compensation from the user or third parties if the data provided has been misused - e.g. for the development of a competing product. The right to the mere deletion of the data is not sufficient here. Otherwise, there is a risk that the Data Act will undermine its goal of promoting investment in data-generating products.
It is also unclear how contract research is to be assessed in the context of the Data Act. For German industry, contract research represents an important building block and should therefore be treated like research in one's own company in order to ensure effective protection of trade secrets.
2.4. Contractual use of non-personal data pursuant to Art. 4 (6) DA-E
With regard to the framework conditions of the contractual arrangement according to Art. 4 (6) DA-E for non-personal data, it is unclear what effects a termination of such a contract between "data holder" and "user" would have. For example, if the IoT product is resold by the user to a third party, a new contractual agreement pursuant to Art. 4 (6) DA-E is required. Especially in industrial B2B relationships, the "user" can have a strong negotiating position and demand different terms of use from the "data holder". Therefore, it needs to be clarified that the data once provided to the data holder can remain with the data holder. In addition, for IoT products and connected services with an assumed lifespan of fifteen years, it is impossible to foresee the data use to be expected in the product life cycle at the time of purchase or to leave it unchanged. Subsequent adjustments to the data use agreement must therefore be possible. In addition, the data use agreements must be allowed to be sufficiently abstract to allow software updates "over-the-air", which generate new data points but serve the agreed purposes, to be carried out without contractual adjustments. Otherwise, principles of modern, innovative, incremental product development would be hindered by administrative burdens.
Chapter III: Obligations of data holders legally obliged to make data available
Horizontal modalities, under which conditions companies legally obliged to provide data have to do so, seem to make sense in order to ensure a coherent framework for possible sector-specific data access claims. The restriction of the claim for reasonable compensation of costs against SMEs to the direct costs means a massive disadvantage for large companies, which in case of doubt see themselves exposed to a large number of claims for surrender without receiving sufficient compensation for their costs. It seems particularly problematic that such a restriction also occurs in constellations in which SMEs themselves act as "data holder". In this context, it is not evident why no profit can be made in a contractual data access provision between SMEs. Such a provision would go beyond the telos of Art. 9 (2) DA-E.
It would also be desirable to explicitly clarify how Chapter III relates to existing (in part sector-specific) Community law that lays down regulations for the remuneration of data access (such as the PSI Directive or the Passenger Rights Regulation). Art. 40 (1) DA-E is not sufficiently clear in this respect.
Chapter IV: Unfair terms related to data access to and use between enterprises
In order to leverage the great innovation potential of the European data economy, it must be possible to share data voluntarily. Under the principle of freedom of contract, companies must be free to decide, within the limits of the law, with whom and under what conditions they share non-personal data they have collected themselves, whether through contractual agreements, private sector data partnerships, or a voluntary open data approach. Across the industry, there are many good examples of data-driven business models that have emerged based on entrepreneurship and freedom of contract for the mutual benefit of all stakeholders.
With the Data Act, the EU Commission is significantly interfering with contractual freedom and entrepreneurial freedom. From the BDI's point of view, this should be rejected above all because, even in industrial sectors dominated by small and medium-sized enterprises, no general structural imbalances have so far been identified that impede the exchange of industrial data between a manufacturer and its customer. In principle, the best way to shape data usage provisions in the industrial B2B sector is through customised contractual arrangements between the parties involved. In this respect, companies can decide privately and autonomously to what extent and under what conditions they share their data with each other.
With the introduction of a special civil law for data contracts, it is to be feared that data relationships between industry partners that already function well in practice will be jeopardised and that the Data Act will in this respect lead to legal uncertainties and irritations between the business partners. It is unclear whether the provisions of contract law will also affect existing contracts. The Data Act should therefore refrain from interfering with the - mostly well-functioning - business relationships in complex industrial data value chains and leave enough room for tailor-made solutions. If there are imbalances or gaps, these should be addressed through EU competition law or sector-specific legislation.
On the individual clauses:
The general clause of Art. 13 (2) DA-E leads to considerable legal uncertainties. It remains unclear which criteria are to be used to determine good commercial practice in data access and use ("good commercial practice") or to determine a significant deviation ("grossly deviates") and who determines these criteria. Art. 13 (3 a) DA-E determines the unfairness of a clause which limits liability to intent and gross negligence or excludes liability altogether. At the same time, the clause does not determine what the reference point of liability is.
Chapter V: Making data available to public sector bodies and Union institutions, bodies, agencies, or bodies based on grounds on exceptional need
In the area of B2G data sharing, the BDI does not have sufficient evidence of the extent to which the previous voluntary cooperations make the now-envisaged access obligations for data "in the public interest" necessary.
A structural (market) failure that would justify legislative intervention in the form of an access obligation is still not discernible here.[7] Not least, the COVID-19 pandemic has made it clear that a large number of companies from a wide range of sectors are already cooperating very unselfishly and successfully with public authorities.
The legislative proposal also lacks an explicit and precise scope of application in Art. 15 DA-E, in which a mandatory B2G data exchange would be required due to an "exceptional necessity". The definitions of a "public emergency" and the in Art. 15 (a and b) DA-E and in particular a "specific task in the public interest expressly provided for by law" in Art. 15 (c) DA-E are very broad and do not provide companies with the necessary legal certainty in which constellations a data provision obligation is envisaged. The same applies to the protection of business secrets pursuant to Art. 17 (2 c) DA-E, especially against the background of a possible transfer of data to public research organisations pursuant to Art. 21 DA-E. There is an urgent need for clarification here in order to ensure a uniform understanding throughout the Union for the large number of public bodies entitled to such protection. In addition, it must be ensured that data provided by companies must be deleted again after the end of a "public emergency". With a view to Art. 15 (c) DA-E, it also appears unclear which concrete requirements are placed on the public bodies in advance of a statutory demand on the companies. Particularly in the case of company-specific data, the criteria under which a futile data provision request is to be made on "the market at market prices" are not sufficiently calculable.
In addition to the scope of application, it is imperative for companies to specify the data protection and (non-)technical requirements for security precautions for information security in the course of data provision with the public body. In order to be able to guarantee the protection of informational self-determination and data security on the part of the company, appropriate data provision periods must also be ensured in accordance with Art. 17 (1 e) DA-E. Finally, data protection-adequate pseudonymisation and anonymisation of personal data already leads to a considerable amount of time and effort, which must not only be taken into account in the time limits, but must also be recompensed through appropriate compensation.
[7] This was also confirmed, for example, by the European Commission itself in its communication from 2018 (SWD (2018) 125), which issues corresponding guidance in the B2B, B2G area: "A broad stakeholder dialogue was conducted on the basis of that Communication. It concluded that the issue at stake did not justify horizontal legislative intervention at this stage and that guidance would be more appropriate."
Finally, B2G data sharing obligations must be designed to be both legally secure and practicable. This applies first of all with regard to personal data in the form of legally secure and, at the same time, practicable guidance on the sufficient anonymisation and pseudonymisation of personal data. Analogous to the discussions in the ongoing procedure on the Data Governance Act, it is completely unclear in application practice which technical measures are required for sufficient anonymisation of personal data. Furthermore, corresponding obligations should only be addressed to data holders, so that data processors are not forced to pass on customer data to public authorities, contrary to their contractual obligations.
Chapter VI: Switching between data processing services
In addition to a high degree of flexibility and scalability, cloud services offer their customers a high degree of user-friendliness. However, the ease of use can go hand in hand with the fact that customers' applications are deeply integrated into the provider-specific (proprietary) ecosystem of the respective
cloud service provider. This can lead to significant barriers to switching providers in certain cases. With a view to such constellations, the BDI welcomes the EU Commission's aim of making it easier for users to switch providers and thus increase the openness of the cloud market. However, the measures that are to be implemented on the part of the providers of corresponding services to achieve this goal show a high level of intervention in their entirety, which furthermore do not sufficiently take into account the technical complexity of cloud solutions in practice, as well as the heterogeneity of the services offered on the market. For example, data processing services - even if they fulfil the same function - are usually realised in different ways: for example with regard to data formats, data semantics or hardware architectures. The Commission's draft also does not sufficiently take into account the fact that - depending on the application context - the amount of data generated can be far too large to be continuously stored by a service provider with reasonable effort and to be kept ready for a possible later porting process. Another example is the design of termination periods, which requires differentiation between highly standardised cloud services (with general terms and conditions as the contractual basis) and complex customised solutions based on an individual project contract. Overall, the requirements of Chapter VI should be designed in such a way that they can be implemented realistically and with reasonable economic effort by market participants of all company sizes. Against this background, the BDI is in favour of more balanced regulations, taking into account existing approaches that have been developed by market participants in the context of self-regulation. 
The adoption of impracticable requirements, on the other hand, would entail the risk that certain cloud services would no longer be offered in Europe due to commercially unjustifiable expenses and that innovations in this area would be inhibited. It is also important to ensure the greatest possible coherence of the Data Act with other European regulatory activities. This concerns, for example, the Digital Markets Act, which also contains requirements relating to switching between digital services and the portability of data. These overlapping requirements result in open questions that must be clarified in the further legislative process.
Chapter VII: International context non-personal data safeguards
The Data Act draft provides for "safeguards for non-personal data in the international environment" in Chapter VII, which attempt to mirror the claims of the GDPR. This imposes a level of protection on industrial data that
is normally only required to protect personal data and thus fundamental rights. International data flows are of critical importance to industry. The European Commission's approach in Chapter VII of the Data Act represents a targeted approach aimed at a specific case of cross-border data transfers resulting from an access request by a non-EU authority to non-personal data. However, it remains unclear how often non-personal data is actually the target of requests, especially if one assumes that in most cases personal data is also involved. As cloud service providers are obliged to screen potential requests, there must be clear guidelines against which such an assessment must be made. This is the only way to ensure that there is no disadvantage for international data flows and no disproportionate bureaucratic burden for companies. In addition, it would avoid the unresolved issues of third country transfers of personal data arising from the Schrems II ruling being transferred to the area of non-personal data. We therefore welcome that the EU Commission has included provisions in Art. 27 DA-E to provide additional guidelines for the review process. For these to be effective, they should be developed and made available on the basis of consultations with industry, before the Data Act becomes legally applicable.
More clarity is also needed on the requirement to take "all appropriate technical, legal and organisational measures" to prevent unlawful access or transfer of data outside the EU. Recital 78 lists a number of measures, including encryption of data. However, the exact nature of the safeguards that need to be implemented should be further defined and take into account existing standards and frameworks being developed by industry initiatives such as Gaia-X.
Chapter VIII: Interoperability
The above regulations for improving interoperability must take sufficient account of existing standards as well as ongoing industry initiatives.
In the context of Industry 4.0 applications, a number of interoperability standards have already been developed, or are under development. An example of this is the world language of production developed in the area of mechanical and plant engineering on the basis of OPC UA technology. Such standardisation processes must remain industry-driven, bottom-up and pragmatic in the future. The Data Act should necessarily build on these developments and use existing, proven and industry-driven standards for operational capability. Smart contracts require close interlocking between the companies involved so that there is automatically trust and the will to cooperate. Regulatory requirements for general IT security standards and other established technical standards for the development and use of software/applications are already
comprehensively regulated today. In this respect, the "EU declaration of conformity" and a review of smart contracts provided for in Art. 30 DA-E is not only superfluous, but also causes high administrative hurdles. Furthermore, especially in the area of blockchain, distributed ledger technologies and other innovations associated with digital contracts are inhibited.
Chapter IX: Implementation and enforcement
Art. 31 et seq. DA-E provide for decentralised enforcement by Member State authorities, which entails the risk of fragmented application of the regulation in the EU Member States, as well as different local or regional standards for access to data. There is a danger that further bureaucracy will be created, the effectiveness of which is completely unclear.
Chapter X: Sui generis right under Directive 1996/9/EC
The restriction of the sui generis database protection right under Art. 7 of Directive 1996/9/EC provided for in Art. 35 DA-E is accompanied by considerable impairments of the incentives to invest, since the entire database - regardless of how much data is covered by the data access claim under Art. 4 or 5 DA-E - will remain unprotected in future. Such a far-reaching restriction appears neither necessary, nor appropriate to ensure the declared goal of safeguarding the rights under Art. 4 and Art. 5 DA-E. Instead, the sui generis database protection right should only be limited to the data to be provided accordingly under the Data Act.
Chapter XI: Final Provisions
In view of the scope and depth of the new obligations imposed on data holders, and in particular on manufacturers, the transitional period before the application of this Regulation should be significantly longer than the twelve months proposed in Art. 42 DA-E. A transition period of 36 months seems appropriate here.
Moreover, the period for the planned evaluation of the Data Act of up to five years for the analysis of SME-specific effects should be shortened.
About BDI
The Federation of German Industries (BDI) communicates German industries’ interests to the political authorities concerned. It offers strong support for companies in global competition. The BDI has access to a widespread network both within Germany and Europe, to all the important markets and to international organizations. The BDI accompanies the capturing of international markets politically. It also offers information and politico-economic guidance on all issues relevant to industries. The BDI is the leading organization of German industries and related service providers. It represents 40 inter-trade organizations and more than 100,000 companies with their approximately 8 million employees. Membership is optional. 15 federal representations are advocating industries’ interests on a regional level.
Imprint
Federation of German Industries (BDI)
Breite Straße 29, 10178 Berlin
www.bdi.eu
T: +49 30 2028-0
German Lobbyregister Number: R000534
Transparency register number: 1771817758-48
Editor
Dr. Michael Dose
Senior Manager Digitalisierung und Innovation
T: +49 30 2028 1560
m.dose@bdi.eu
BDI document number: D 1541