The European Data Act — Curse or Guiding Principle for AI and IoT in Europe?

Published in

CONTACT Research

7 min readSep 14, 2023

The European Data Act, combined with the Data Governance Act, is set to be the backbone of the European Data Strategy, aiming to refine and foster the exchange and utilization of corporate data throughout the economic value chain. This strategic move intends to empower data sharing not only between businesses (B2B) but also between businesses and consumers (B2C), as well as businesses and public authorities (B2G). The European Data Act seeks to catalyze potential opportunities, transform the digital landscape, and bring about a fundamental paradigm shift in comprehending and leveraging data. However, while the Data Act proposes various measures to facilitate data sharing, it also raises concerns about potential bureaucratic hurdles. In this blog, we will explore the fundamental contents of the Data Act and discuss its potential impact.

“This is a significant milestone in the journey towards a single market for data. The Data Act will optimize data use by improving data accessibility for individuals and businesses. This is very good news for our digital transformation.”

Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age — 28/06/2023

Fundamental Contents of the Data Act

Access to Connected Device Data:

The Data Act aims to enable users of connected devices to access data generated by these devices, which is often exclusively held by manufacturers. Users would be able to share such data with third parties to provide aftermarket or innovative data-driven services. Manufacturers would be incentivized to continue investing in high-quality data generation by covering their transfer-related costs and excluding the use of shared data in direct competition with their products.

Balancing Negotiation Power for SMEs:

The Data Act seeks to prevent the abuse of contractual imbalances in data-sharing contracts, thereby rebalancing negotiation power for small and medium-sized enterprises (SMEs). It aims to shield SMEs from unfair contractual terms imposed by parties with significantly stronger bargaining positions. Additionally, the European Commission plans to develop model contractual terms to assist such companies in drafting and negotiating fair data-sharing contracts.

Public Sector Access to Private Sector Data:

The Data Act introduces measures that allow public sector bodies to access and use data held by the private sector in exceptional circumstances, such as public emergencies or the implementation of legal mandates. These measures aim to ensure quick and secure data insights while minimizing the burden on businesses.

Switching Between Cloud Service Providers:

The Data Act proposes new rules allowing customers to effectively switch between cloud data-processing service providers. Safeguards would be implemented to protect against unlawful data transfers.

To whom does the Data Act apply?

The Data Act applies to various stakeholders, including:

Product manufacturers and providers of connected services like in IoT Businesses
Users of products and services like AI Services
Data holders provide data to recipients within the European Union.
Public institutions, bodies, and agencies of the European Union.
Providers of data-driven services for customers within the European Union.
Providers of software for data-driven services.

An Example of the Data Act in Action

The Data Act can be applied in various scenarios, such as the utilization and access to data generated by connected devices and machines, including the Internet of Things (IoT) and Industrial Internet of Things (IIoT), or the training of AI services. For example, it could allow machine data collected from a machine operator to be shared with an IIoT service provider, provided the operator consents. The Act also enables public authorities to access specific data in emergencies or critical situations, such as health crises or natural disasters. Additionally, it supports the use of industrial data for Industrial AI applications.

To give a vivid example: In the future, car owners should be able to request their personal and car-related data from the manufacturer and pass it on immediately and free of charge to third parties, e.g. to an independent repair service or AI service developer. In addition, data holders must make data available to data recipients in a “fair, reasonable and non-discriminatory” and “transparent” manner. The regulation strengthens the right of users to switch between data processing service providers.

Gaia-X: Building the Data Spaces for Tomorrow’s Ecosystem

Through Gaia-X, stakeholders from the corporate world, academia, and government are collaboratively shaping the future of Europe’s data infrastructure on a global scale, adhering to the strictest principles of digital sovereignty while fostering innovation. The use of Data Spaces is intended to facilitate the exchange of data through automatic contract mechanisms and standardized exchange messaging to facilitate data distribution. Within this transparent and inclusive digital environment, the aim is to securely offer, aggregate, disseminate, and utilize data and services. In the journey to realize Gaia-X’s vision, several exceptional research projects like ESCOM, Flex4Res, and PilotLin-X stand out for their contributions to its development.

Is the Data Act a curse or boon for European Companies offering Data-Driven Services?

While the Data Act aims to promote data sharing, concerns remain about potential bureaucratic hurdles, costs, and restricted data-sharing practices. Industrial companies, in particular, are often cautious about sharing sensitive data, such as customer data or data with intellectual property. Data sharing typically occurs when the benefits from the offered service are substantial, making it difficult for companies to overlook such services.

When considering highly data-intensive developments like AI applications, many European companies lag behind US hyperscalers by a significant margin. These hyperscalers have already introduced services that collect massive amounts of user data in the private domain. In the industrial context, they have positioned themselves well for data collection through cloud services and built data-driven services offering real industrial value. It remains questionable whether it will be possible to force globally operating companies to pass on data through a European initiative. Especially when political resistance is already forming in the US.

To enable Data-Driven Services in industrial settings, it’s crucial to collect specialized data, as it is not readily available in the public domain. Consequently, that data must originate from somewhere within the organizations. The extent to which the Data Act will enable precisely this necessary transfer between data producers in the company and European providers of data-driven services also remains unclear.

Ultimately, it remains difficult for organizations to prevent their employees from using hyperscaler services or to prevent the unauthorized disclosure of data, especially when the benefits of these services are significant.

Creating a real value proposition and tangible benefits is perhaps the most effective incentive for individuals or organizations to share their data. It remains to be seen whether the Data Act will create a decentralized data economy or merely result in bureaucratic burdens.

Conclusion

The Data Act aims to refine and foster data sharing across the economic value chain. While it proposes measures to enable data sharing and rebalance negotiation power, concerns remain about potential bureaucratic hurdles. Building trust, providing tangible benefits, and offering real value through data-driven services are crucial factors in incentivizing individuals and organizations to share their data willingly.

European Data Spaces represent an interesting alternative for companies to use data-driven services from European companies. My assessment is that US services cannot be replaced in the foreseeable future. For business leaders, it remains an individual decision to what extent they rely on which model. It can’t hurt to have an edge in both worlds.

In any case, companies will need to closely review their products, data processing protocols, and corporate policies to ensure they are fully compliant. This will likely require changes to existing data management systems, updates to contractual agreements, and the deployment of enhanced data protection safeguards. With the new regulations facilitating data access, maintaining ironclad security becomes even more important. Companies must comply with the latest EU IT security laws and the newly updated General Product Safety Regulation, and prepare for the upcoming Product Liability Directive. The goal is to protect data from unauthorized activities such as access, use, disclosure, disruption, modification, or destruction — whether these threats come from within the organization or from external factors. Key security measures include encryption techniques, robust access control systems, and secure methods for data transmission.

The Data Act has successfully passed the trilogue and is now in the final stages of formal approval. While this marks a significant milestone, there are still numerous uncertainties surrounding the act. Its true impact and efficacy will become fully discernible as it moves from paper to practice. Stay tuned!

References

[1] https://www.bmwk.de/Redaktion/EN/Dossier/gaia-x.html
[2] https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3491
[3] https://digital-strategy.ec.europa.eu/en/policies/european-approach-artificial-intelligence
[4] https://digital-strategy.ec.europa.eu/en/policies/data-act
[5] https://digital-strategy.ec.europa.eu/en/library/data-act-proposal-regulation-harmonised-rules-fair-access-and-use-data
[6] Council of the European Union; Interinstitutional File 2022/0047(COD); Proposal for a Regulation of the European Parliament and of the Council on harmonised rules on fair assess tot and use of data (Data Act) — Analysis of the final compromise text in view to agreement
[7] https://www.csis.org/analysis/eu-data-act-long-arm-european-tech-regulation-continues

About CONTACT Research. CONTACT Research is a dynamic research group dedicated to collaborating with innovative minds from the fields of science and industry. Our primary mission is to develop cutting-edge solutions for the engineering and manufacturing challenges of the future. We undertake projects that encompass applied research, as well as technology and method innovation. An independent corporate unit within the CONTACT Software Group, we foster an environment where innovation thrives.