A Critical Analysis of the EU Data Act Proposal: To what extent does the EU Data Act’s Interplay with the General Data Protection Regulation impact its objective of facilitating access to data?
Abstract
In the EU, a number of regulatory initiatives have attempted to set out regulations that
confer upon individuals an extent of control over data. The General Data Protection
Regulation (‘GDPR’),9 despite being a data protection regime, grants data subjects
control rights over their personal data by way of the right to data portability (‘RtDP’).10
However, the RtDP as a tool for data access and sharing is first, limited in scope and
secondly, has proven to be underused because of its inadequate technical considerations.11 A more recent regulatory initiative is a proposal for a Regulation on
harmonised rules on fair access to and use of data (the ‘Data Act’ or the ‘Proposal’)12.
The Data Act was proposed by the EU Commission on 23 February 2022 as part of
the “European strategy for data”13 with the aim of ensuring “fairness in the allocation
of value from data among actors in the data economy and to foster access to and use
of data”.14 The Data Act’s Explanatory Memorandum furthermore puts forward a set
of specific objectives. Among these specific objectives is to facilitate “access
to and the use of data by consumers and businesses while preserving incentives to
invest in ways of generating value through data...”.15 The proposal also indicates that
it will achieve broader EU policy goals by ensuring all sectors are “in a position to
innovate and compete”.16
The Data Act is envisaged to reach its objectives through a set of measures that are
to apply horizontally to all sectors.17 Amongst these measures are the rules on data
sharing in the contexts of business to consumer (B2C) and business to business (B2B)
set out in Chapter II of the Data Act (‘Access Rules’). These rules apply to data –
irrespective of whether personal or non-personal data – and without prejudice to
existing access regimes, including sector-specific regulations.18 Importantly, the
GDPR – and its RtDP – will also remain applicable horizontally to all sectors.19
Insofar as the future regulatory framework entails the Data Act operating
alongside the GDPR, there will be an inevitable interplay between the two regimes.
On the one hand, this interplay may occur in practice in the context of mixed datasets.
Insofar as the Data Act applies to non-personal data, mixed datasets will entail an
interplay with the GDPR rules which - in principle - apply to personal data. This
potential interplay will raise issues where mixed datasets cannot be disentangled.20
Furthermore, the Data Act adopts a selective approach whereby it essentially
acknowledges personal and non-personal data as two distinct categories. As a regime
that acknowledges a distinction between these two categories of data by subjecting
each category to a different set of standards, the Data Act will similarly raise concerns
where datasets are mixed.
The second point of interplay between the two regimes occurs in the context of access
to data by third parties. In this regard, the Data Act explicitly mentions that it will not
“hinder, prevent or interfere with the exercise of the rights of the data subject under
[the GDPR] and, in particular, with the [RtDP] under Article 20 of [the GDPR].”21 To
transpose the heavily criticized and largely underused RtDP into the context of the Data Act raises questions as to the overall effectiveness of the regulatory framework
for data access and sharing.22
Therefore, the purpose of this dissertation is to assess the potential outcomes of the
future regulatory framework where the Data Act will be in force along with the GDPR.
It will not discuss data protection concerns presented by the Data Act, but rather focus,
in particular, on whether this potential interplay will affect the objectives of facilitating
data access and reuse. Firstly, Section 1 of this dissertation will assess whether the
overlapping applicability of both regimes to personal data adequately takes into
consideration potential practical complexities. It will particularly focus on the issue of
mixed data sets, which are - as will be argued - common in practice, and will also take
account of the “dynamic”23 nature of personal data. Secondly, Section 2 will seek to
set out the potential consequences of the envisaged complementarity between the
Access Rules, on one hand, and the RtDP, on the other. It will attempt to do so by
delineating the scope of each right, taking into account the types of data covered by
each right, the grounds for processing required pursuant to each right, and finally, the
interoperability measures set out by each of the two regimes.
Keywords
Data Law, Data, Technology Law
Citation
OSCOLA