BDI statement on the EU Data Act Proposal
is normally only required to protect personal data and thus fundamental rights. International data flows are of critical importance to industry. In Chapter VII of the Data Act, the European Commission takes a targeted approach aimed at a specific case of cross-border data transfers: those resulting from an access request by a non-EU authority to non-personal data. However, it remains unclear how often non-personal data is actually the target of requests, especially if one assumes that in most cases personal data is also involved. As cloud service providers are obliged to screen potential requests, there must be clear guidelines against which such an assessment must be made. This is the only way to ensure that there is no disadvantage for international data flows and no disproportionate bureaucratic burden for companies. In addition, it would avoid the unresolved issues of third country transfers of personal data arising from the Schrems II ruling being transferred to the area of non-personal data.

We therefore welcome that the EU Commission has included provisions in Art. 27 DA-E to provide additional guidelines for the review process. For these to be effective, they should be developed and made available on the basis of consultations with industry, before the Data Act becomes legally applicable.

More clarity is also needed on the requirement to take "all appropriate technical, legal and organisational measures" to prevent unlawful access or transfer of data outside the EU. Recital 78 lists a number of measures, including encryption of data. However, the exact nature of the safeguards that need to be implemented should be further defined and take into account existing standards and frameworks being developed by industry initiatives such as Gaia-X.

Chapter VIII: Interoperability

The above regulations for improving interoperability must take sufficient account of existing standards as well as ongoing industry initiatives.
In the context of Industry 4.0 applications, a number of interoperability standards have already been developed, or are under development. An example of this is the world language of production developed in the area of mechanical and plant engineering on the basis of OPC UA technology. Such standardisation processes must remain industry-driven, bottom-up and pragmatic in the future. The Data Act should necessarily build on these developments and use existing, proven and industry-driven standards for operational capability. Smart contracts require close interlocking between the companies involved so that there is automatically trust and the will to cooperate. Regulatory requirements for general IT security standards and other established technical standards for the development and use of software/applications are already
www.bdi.eu