The Data Act: An opportunity to unleash startup potential?

October 13, 2022

The Data Act is a legislative proposal from the European Commission which aims to regulate non-personal or industrial data within the European Union. It consists of three main strands: data relations between industrial actors, cloud data infrastructure and international data transfers. If done correctly, it has the potential to help foster startup growth within the data economy. In fact, the European Commission expects the new data rules to generate an extra 270 billion in revenue by 2028.

A key goal of the regulation is to make non-personal data more widely shared between businesses. To do so, it establishes certain mandatory data sharing requirements for data processors that concern B2B relations, but also B2C and B2G. This is good news for startups, as it will allow them to better harness the potential of data to produce economic value and respond to consumer demands. As we have said previously, an entrepreneur is often an idea and the right dataset away from a startup!

As the Data Act is still in the making, we are starting a series of blog posts on concepts of the Data Act that will be key to ensuring a thriving startup ecosystem. These concern the clarification of key concepts, the definition of the Data Act’s relationship with other legislation (such as GDPR), establishing alternatives to mandatory data disclosure measures and supporting global data flows. In this blog post we will be focusing on global non-personal data flows and the impact that the Data Act could have on the digital economy and startups.

How could the Data Act affect non-personal data flows?

Article 27 of the current Data Act proposal establishes the obligation for providers of data processing services (a category into which many startups fall) to take all reasonable measures to prevent international transfer of, or governmental access to, non-personal data where such transfer or access would create a conflict with Union law or the national law of the relevant Member State. This could be laying the foundation for an adequacy framework concerning non-personal data transfers that could make it more difficult for business and research ventures to transfer non-personal data.

A key challenge regarding a potential adequacy framework is that the concept of non-personal data is not defined outside of the European Union, nor is it likely to be defined in the near future, unlike personal data, for which there is a clear understanding that it should be protected on ethical and fundamental rights grounds. This lack of a globally accepted definition hampers the application of Article 27 in practice.

But what is the European Commission seeking by limiting international non-personal data transfers? It seems like the European Commission wants this data to stay within the EU so it can be processed by EU industrial actors to create new European products and champions. Such an idea is at odds with current international trade conventions, which makes it challenging to envisage how it could actually be implemented.

What does this mean for startups? 

Just as GDPR limited international personal data transfers to countries without the same level of privacy protection as the EU, European or national laws could limit the transfer of non-personal data to third countries. This additional layer of legal requirements would send a clear (and not so positive) message to startups to move their business or research ventures outside of the EU. Moreover, it would also create an uneven playing field by benefiting big and established players in the market, who have significantly more resources to spend on compliance and storing data within the European Union.

As an example, an American executive order was recently published to start the process for the approval of the so-called “Privacy Shield 2.0,” which is meant to facilitate personal data transfers across the Atlantic while ensuring the right to privacy of European citizens after its predecessor was struck down by the European courts. As we stated in a previous blog post, the first Privacy Shield was predominantly used by startups and smaller actors, who benefitted from a simple, easy-to-comply-with set of rules applicable to personal data transfers. In contrast, non-personal data do not require analogous agreements at the moment. But they could become necessary if Article 27 of the Data Act laid the groundwork for making non-personal data transfers more difficult.

Data transfers are the bread and butter of the startup ecosystem, and ensuring that the process to carry them out is straightforward and clear will allow startups to be competitive, create jobs and continue answering consumers’ demands.