Webinar of the Living-in.EU Legal subgroup - The Data Act proposal and its impact on European cities (29/04/2022)

As part of a set of measures for a European data strategy that aims at making the EU a leader in a data-driven society, the Commission’s proposal for a Data Act provides a framework to support access and (re-)use of data. The webinar, organised by Eurocities in the framework of the Living-in.EU Legal & Ethic subgroup, aimed to shed light on the impact of the Data Act proposal on European cities.

The webinar started with a presentation by the European Commission. Maria Rosaria Coduti, Policy Officer, Data Policy and Innovation at DG CONNECT provided information on the policy and legal context of the Data Act, the second major legislative initiative announced in the European strategy for data in February 2020. EU’s data strategy combines a cross-sector legislative framework to foster access to and (re)use of data and the rollout of common European data spaces in various sectors of the economy and domains of public interest. The idea behind the Data Act is that data can flow between sectors and countries, respecting European values with clear rules on data access and use. The Data Act was designed to remove obstacles for consumers, companies, and governments in accessing and using data by clarifying who can use what data and under which conditions. The proposal should ensure fairness in the allocation of data value in the data economy by regulating economic rights on data. EU’s Data Act strengthens the right of portability that was already established under Article 20 of the GDPR by extending this right also to non-personal data, making sure that Europe can harness the value of the huge amounts of industrial data that are produced every day.

With the proposal, the Commission also aims at clarifying access and data usage rights on data generated by Internet of Things (IoT) objects.  It proposes mechanisms to manage access, use and property rights of co-generated data by individuals and businesses using connected products. Concerning Business-to-Government (B2G) data sharing, the Data Act provides rules on how requests for data should be made and the conditions under which the mechanism can be activated – a public body will have to demonstrate that a request for data is justified based on exceptional need while meeting several additional conditions to be admissible.

Federica Bordelot, Eurocities’ Senior Policy Advisor, presented the organisation’s perspective in line with the concerns of its members. On B2G data sharing, local governments positively value all the important steps that have been made to start regulating the access, the sharing, and the use of privately-held data. To have access to private data in case on exceptional need, including in case of emergencies, is of the utmost importance. However, limiting the scope of B2G data sharing to exceptional need reduces the potential for local governments to exploit the full benefits of data for society. Municipalities will still have to negotiate every data set they need for public service delivery, improvement of public services, law enforcement, etc. There’s a clear need for the broadening of the scope of the B2G data sharing and to define set of categories – other than public emergency – of private data that must be shared in a timely and constant matter with city authorities, while also clarifying the ‘reasonable margin’ for compensation. Furthermore, Bordelot argued that the proposal should include provisions for standardised information to validate the data shared (owner, time of the data collected, distance, etc) with local authorities.

Bordelot went on to state that the proposal contains several concepts that lack a clear definition, such as the “public interest” to justify the need for public authorities to have access to data. Additionally, she referenced the term “Data holder” used in the Data Act, which does not align with the definition introduced in the Data Governance Act (DGA), Moreover, it is unclear how the terms “Data recipient” (Data Act) and “Data user” (DGA) relate to one another, and article 28 in the Data Act mentions “Operators of data spaces” but provides no clear definition for them.

Finalising her contribution with a remark on IoT data access, Bordelot raised concern about the lack of clarity on compensation arrangements provided in articles 4 and 5 and article 9 of the proposal. There’s a need for further clarification on the relation between the data user (free of charge) and the data recipients (subject to charges), and how compensation is calculated.

Dirk Blauhut, Jayan Areekadan and Gloria Volkmann from the Department of Digitalisation in the city of Cologne continued the webinar to present their view on the impact of the Data Act. Although Cologne considers the proposal for a Data Act a great start and a move into the right direction, they mentioned that the proposal needs work. Mandatory data access should be regulated having the public interest in mind, but in the city’s opinion, there’s been too much room for interpretation and vagueness in the restricted reuse of data for public emergencies. Considering examples of local administrations’ willingness to acquire business data in return for financial compensation, Cologne said to believe that the provisions for “exceptional need” must be further and more clearly addressed. This means expanding the scope beyond exceptional cases and emergencies and providing procedural clarification on the process. Volkmann continued to highlight potential democratic challenges for local administrations considering article 19 of the proposal. The destruction of data after being used to inform public decisions would be problematic for future public scrutiny and conflicts with traditional transparency and accountability principles.

In a brief contribution, Pau Balcells, Program Manager at Barcelona’s City Data office, welcomed the possibility of data sharing - paying for access and not the data in itself is a brave decision. However, he noted that there are doubts concerning B2G data sharing: The Data Act mentions a compensation for businesses giving access to their data based on incurred costs plus a reasonable margin. Balcells believes that once the data set has been prepared for sharing and an API has been set up, the solution is in place and reusable by other cities requesting the same data at no added (or negligible) costs for the business. In this form, the Data Act proposal allows an additional financial barrier to emerge for European cities to reuse existing solutions to access data held by businesses. Balcells finished by recalling that several states have declared a public emergency due to climate change and that it is currently not clear if this emergency can be used as the basis for public administrations to make data requests under the Data Act.

Taking the floor, Luca Bolognini, President of the Italian Institute for Privacy and Data, noted the lack of clarity on some of the definitions used in the Data Act. Specifically, he mentioned the concepts of ‘user’ and ‘public body’ and proposed to align it with other European legislation and policies, such as the Data Governance Act. Also, there would be a need to better specify the interplay with other EU acts, particularly with the GDPR – especially where the Data Act considers IoT data, as it blurs the line between personal and non-personal data. Bolognini also called for further clarification of situations related to the “exceptional need to use data” and the proposal’s specific article discussing the situations in which “the lack of available data prevents the public sector body or Union institution, agency or body from fulfilling a specific task in the public interest that has been explicitly provided by law”. He said to believe the article to be too vague, offering data holders an undesirable ground to resist sharing their data.

Bolognini went on to make a case to include in the proposal specific safeguards for small public entities and small municipalities against unfair contractual clauses and to make mentions of Public-Private Partnerships or “Community contracts” that have a potential for future implementation of IoT solutions in public spaces. However, according to Bolognini, possibly the biggest issue for the proposal in its current form is the potential for regulatory risk under 27 different frameworks managed by the individual member states.

Over 30 participants engaged in a discussion on the issues debated during the event followed by a quick Q&A with Coduti addressing some of the participant’s concerns. Further debate will be needed to effectively include and reflect cities’ interests in the Data Act. 

Watch the video from the webinar here

And you can find the slides from Eurocitites, CNECT, Italian Institute for Privacy and Data and Cologne that were used during the event here.