How startups will be affected by a potential extension of scope of Article 27 of the Data Act to data holders?
We are closely following the discussions on the European Commission’s proposal on the Data Act and its impact on the startup ecosystem. Startup communities are particularly concerned about recent discussions on the extension of the scope of Article 27 from “data processing services” to “data holders”. International data transfers are a key element of innovation and essential for a flourishing global startup ecosystem.
At AFS we understand that international data transfers themselves are not the main concern in Article 27 of the Data Act. Rather, the focus is on unlawful governmental access in third countries. This is supported by the wording in the Data Act’s Recitals and EDPB and the EDPS Joint Opinion, and should be clarified throughout the text of Article 27 of the Data Act.
Furthermore, we are concerned that extending the scope of Article 27 of the Data Act to data holders, would mandate startups acting as data holders to perform complex impact assessments for transferring or granting access to non-personal/industrial data, similar to the ones that they have to apply to personal data under the GDPR and the Schrems II decision. This could result in further complexity and extensive compliance burden for startups acting as data holders and would have a significant impact on innovation and startup growth.
Instead of putting the legal onus on startups to undertake complex legal assessments, policy makers should create a framework that encourages taking benefit of the global data economy. For example, by following the example set by the Free Flow of non-personal data Regulation or facilitating the adoption of Mutual Legal Assistance Treaties with third countries the EU can be a pioneer for a globally interconnected digital economy while respecting the financial and technical realities of startups.