Data act: safeguarding consumer rights in the trilogue

In February 2022, the European Commission published the proposal for the Data Act. Its goal is to promote the availability of data while respecting fundamental European values. The Data Act is intended to regulate the conditions under which companies or consumers can obtain data generated by their connected devices and make them available to other parties. In March 2023, both the European Parliament and the Council of the European Union agreed on their respective positions and entered the informal trilogue negotiations.

Although both institutions have improved the European Commission's proposal, it is still doubtful that the Data Act's goals can be reached. The rules are very complex, particularly in relation to other European and national laws, but they are at the same time quite general due to the Data Act’s broad scope. This makes it difficult to apply them practically. Several political objectives, like improving algorithm training, may remain unattainable due to the Data Act's user-centric focus. Moreover, the Council and Parliament grant data holders even more options to prevent data access, for example by referring to the trade secrets clause.

The proposed Data Act aims to regulate the use of data – personal as well as non-personal – generated by connected devices. Although the Commission's proposal provides that the application of European data protection law remains unaffected, it is necessary to define its relationship more precisely. The Council clarifies in the recitals that the Data Act does not create a new legal basis to provide access to personal data to a third party and that it does not create new rights for data holders. However, the legal articles do not reflect these recitals, which needs to be corrected in the trilogues. It is also important to establish that data protection legislation should prevail over the Data Act in case of conflicting provisions, as proposed by the Parliament.

However, the Data act fails to differentiate adequately between personal and non-personal data, leading to ambiguity in interpretation. It also creates new possibilities for personal data processing without adequate protection for data subjects. In particular, policy-makers would create a high risk by including smartphones in the scope of the act. Smartphones generate a vast amount of data that could threaten the privacy and confidential communication of its users. Consumers should not be responsible to make a risk assessment of their communication. vzbv calls on the Council and Parliament to reconsider their positions and exclude highly sensitive devices, such as smartphones, from the scope.

Furthermore, it is problematic that the Data Act does not limit the purposes for which data recipients may process personal data. At least, the Parliament stipulates that personal data should only be processed for purposes specified by the data subject, while the Council restricts profiling to cases where it is objectively necessary for delivering the service. Both proposals should be adopted to ensure better protection of users.

The European Commission aims to ensure fair distribution of value created from data by providing easier access and use of data for consumers and companies through the Data Act. However, economists express concern that the Act may strengthen the position of data holders, who can easily secure rights to non-personal data through contractual agreements with users. Therefore, consumers need effective protection against harmful practices by companies, and the Data Act should complement existing consumer protection laws. The Parliament should follow the Council's position in preventing clauses that restrict users' access rights and exclude their rights.

Users should also have the freedom to decide how their data may be used. Therefore, data holders should not make the use of products or services dependent on processing unnecessary data. Furthermore, the Data Act should align with the Digital Markets Act to prevent the use of deceptive designs (“dark patterns”) by data holders and data recipients.

The Parliament also proposes that users have the exclusive right to sell non-personal data generated by their individual products, while data holders can use the data to improve connected products, develop new products, and provide data to third parties in aggregated form or to fulfil contractual obligations to the user. The Council should endorse these proposals.