The EU Data Act and International Data Flows – Why Policymakers Should Clarify Art. 27 of the Data Act

The EU Data Act will greatly impact the way companies manage data. It contains ambitious rules on data sharing between businesses and with governments, as well as provisions on cloud switching that have prompted feedback from diverse industries. Many questions remain as to how the framework will work in practice.

As legislators finalize the legislative text, Article 27 requires more attention. The provisions in Article 27 regarding third-country governments’ access to non-personal data and international transfers have remained largely unchanged in the texts of the European Parliament and the Council of the EU. Article 27(1) would require cloud service providers to actively take “all reasonable technical, legal, and organisational measures” in order to prevent international transfers or governmental access to non-personal data that could create a conflict with EU or Member State laws. According to the Commission’s Impact Assessment,1 this measure should prevent unlawful access to commercially sensitive information of non-personal nature that is not covered by the EU data protection framework of the GDPR.

Since the beginning of the legislative debate, industry has questioned this approach. In fact, due to the broad definition of ‘conflict of law’ and the lack of derogations to these transfer restrictions - like the ones set out in the GDPR - this provision could create greater impediments to companies’ ability to transfer non-personal data than those that the GDPR imposes on personal data.

Underpinning a $7.1 trillion economic relationship and 16 million jobs on both sides of the Atlantic, transfers towards the United States are especially relevant here. Since the European Court of Justice invalidated the EU-US Privacy Shield in 2020, businesses of all sizes from different sectors have suffered from significant legal uncertainty. While the recently published draft Data Privacy Framework, once adopted, will restore legal certainty for transatlantic transfers of personal data, the EU Data Act risks further complicating the legal landscape.

Most businesses process mixed data sets with personal and non-personal data, and currently apply the safeguards of the GDPR to all transfers. This raises the question: how will enforcement of the Data Act interact with this framework? Would it create a parallel, and more restrictive, regime for the transfer of non-personal data outside of the EU? As also referenced by the EDPB and EDPS joint opinion on the Data Act,2 it is crucial to ensure consistency between the Data Act and the GDPR and clarify that the article addresses governmental access, rather than commercial transfers.

It is also important to consider the proportionality of such an approach. While the GDPR creates safeguards for transfers of personal data to third countries due to potential risks to fundamental rights, non-personal data do not create the same risks. At the same time, government access requests to non-personal data are extremely infrequent. It is therefore not clear what the rationale of the measure is from a risk-based perspective. It is important to note that, both at an international and European level, several instruments already exist to ensure the protection of certain rights in various contexts. For example, intellectual property rights and trade secrets are protected through international agreements such as the TRIPS agreement or the Berne Convention. Other international texts deal with law enforcement access to data. The Data Act would not add value compared to these existing instruments, and it would create additional complexity to international data flows.

Access to data is crucial for economic actors and beneficial to consumers around the world. It spurs innovation and is especially important to SMEs, allowing them to reach consumers and access new markets. The flow of data across borders should be encouraged -- not restricted -- to support the global competitiveness of businesses in Europe. While the concerns related to unlawful governmental access are legitimate, it is crucial that any measures taken to address these concerns are proportionate, clear, and risk-based.
