Initial Comments to the Data Act

Technology Industries of Finland has more than 1,600 members in various fields of technology, of which roughly 1,500 are SME companies. We have been actively advancing data usage within our member companies and developing balanced and practical models for data usage and sharing.

Commission proposes new practices for public sector access to business data. GDPR is quite rightly taken into account – legal basis for transfer of the data should be crystal clear as should be businesses’ responsibility over transferred (personal) data. The first option should be to have APIs in place for continuous data transfers. Public sector should be bound by ask only once principle and have processes in place to deploy data already transferred by businesses. It is important that law on B2G access is predictable and causes no unproportionate burden for companies. Here, ask only once -principle would help.

As to fairness of data access on business-to-business relations, we emphasise that though this is an issue that has been discussed a lot, data practices in a great number of companies are still at nascent stage. Industry has developed model clauses (most recently Orgalim Legal on Industrial Data) and arrangements for interoperability and standards are developing. An important pre-requisite for data access is trust between the companies and as starting point it is good to let companies choose who they want to trust. It may not be easy to find a general measure for ‘fairness’ in data agreements as practices are still developing. As a general approach, hard law may be too blunt an instrument at this stage. However, it might be possible to identify some key datasets having considerable market effect and to which access is a pre-requisite for entering the market, it might be reasonable to use regulation to grant access to such datasets on e.g. FRAND basis. There are good examples of data access on mobility side but forced access must be based on careful case-by-case analysis.

We would like to remind that the division of data to personal and non-personal categories will not work in practice – the scope of personal data is so wide, that in industrial context many very technical datasets can be linked back to an individual, due to work shift data that employers are required to keep. This underlines the necessity to develop solid data practices (especially privacy enhancing technologies) for processing and transferring data on a manner that respects privacy and keeps data usable.

Data does not need new forms of protection in IPR regime, and it is a good to review current database directive – it was created for quite a different data landscape and discussions on limits and scope of copyright and sui generis protection are needed to maintain balance of the system.

We do see value in establishing pro-competition data portability rules for cloud computing, if necessary, to create trust. Third country officials’ access to data is an issue that causes serious burden for companies. This is a topic that lies at the heart of European data capabilities and it requires thorough analysis and clear legislative solution. Companies’ obligations should be crystal clear. Notification and transparency on access requests by third country officials is a balanced and reasonable requirement.

Smart contracts are essentially trust services, so we would see them in same regulation as other trust services. In this context, smart contracts would be one of the trust services to be used when digitalising business models. Usually, smart contracts would need a secure and trustworthy trigger to initiate the automated contract. Underlying data systems should be mature enough (structured, standardised) to have a meaningful lot for smart contracts.

More information:
Director, EU Regulation, Mr. Jussi Mäkinen 

Read also: AI Act – Focus on the Process and Predictability