On Wednesday 25 January, the Swedish Presidency of the EU Council of the European Union submitted a new version of the compromise text on the future data legislation (‘Data Act’) to the Member States (see EUROPE 13099/3). The text will be discussed in the EU Council’s Working Party on Telecommunications on Tuesday 31 January.
Firstly - and this is one of the most complex aspects - the compromise document returns to the issue of trade secrets. On this point, the text now specifies that it is up to the users or third parties concerned to take “technical and organisational” measures to protect the data when the originating organisation identifies that the data contains trade secrets. This organisation would be entitled to claim compensation if these rules are not respected.
The new compromise text also revisits the provisions on obligations for SMEs. The latter were initially exempted from the obligation to grant access to their data to public service actors. In the new version of the text, SMEs would have to comply with these obligations in cases of an emergency situation, such as a health crisis.
The Swedish Presidency of the EU Council also returned to the issue of scope. In this respect, the focus was on “the functionality of the data rather than the products”, in order to direct the text towards the pre-processed data generated by the components embedded in the connected products.
Thus, the text specifies that the definition of data generated by a product or an associated service has been reviewed. Data generated for the purpose of displaying content and data recorded through applications that are not strictly related to the product concerned are excluded from the scope.
In addition, several Member States had, in previous consultations, stressed the need to clarify the relationship between the future ‘Data Act’ and the General Data Protection Regulation (GDPR). Several provisions have been introduced to this effect, including the fact that the competent national authorities should be informed directly when a public sector entity wishes to access personal data.
Finally, in addition to briefly addressing the issue of switching ‘cloud’ service providers - a point on which further discussions are needed - the Swedish compromise text also addresses the issue of international data transfer.
While there are provisions for certain limits and rules for transfers to third countries, the text also specifies that ‘cloud’ services will have to publish the physical location of their digital infrastructure and the measures in place to prevent foreign governments from accessing non-personal EU data on their site. (Original version in French by Thomas Mangin)