MyData Global is a non-profit organisation that helps people and organisations to benefit from personal data in a human-centric way, to create a fair, sustainable, and prosperous digital society for all.
MyData Global operates a self-regulatory process for data intermediary services focusing on human-centric personal data. Since 2020, 41 organisations providing data intermediary services from 15 countries have been awarded the status of MyData operators. MyData Global is a partner in the Data Spaces Support Centre project.
MyData Global is supportive of the Data Act proposal as a whole. Even in a good proposal there is always room for improvement, and here are our top picks to make the Data Act live up to its potential to create more human-centric, fair, sustainable, and prosperous digital societies for Europe and beyond:
1# Aligning the definitions with the GDPR and the DGA
2# Data intermediaries and APIs
3# Operators within data spaces
4# Technology neutrality of data sharing contracts
Amendments
1# Aligning the definitions with the GDPR and the DGA
The terminology of data holder and data recipient should be aligned with the GDPR and the DGA to create precise language across the key regulations covering data transactions. In the DGA, there is a ‘data holder’, which, after the joint opinion of the European Data Protection Authorities, was made separate from ‘data subject’. The Data Act only has the data holder (no data subject), and the wording is slightly different from what is in the DGA.
We propose to include references to the GDPR definitions of ‘personal data’, ‘non-personal data’ and ‘data subject’ and to amend the definition of ‘data holder’ to make reference to the DGA. Another alignment is needed on the terminology regarding the ‘data users’ or ‘data recipients’. The DGA has ‘data user’, and the Data Act has ‘recipient’. We propose to amend the Data Act to use ‘data user’ with reference to the DGA and include ‘data intermediation service’ from the DGA.
→ See Amendments 1, 2, 3, 4, 5, 6, 7, 8, 10
2# Data intermediaries and APIs
The data intermediaries defined in the DGA are not referenced in the articles of the Data Act (but there is one mention of them in recital 35 and recital 87). It is essential to ensure that data holders also fulfil the data requests when those requests come via notified data intermediaries acting on behalf of the user.
Article 5 of the Data Act refers to “a party acting on behalf of a user”, which can be interpreted to also cover data intermediaries. It would be best to explicitly include the reference to data intermediaries to make the distinction between:
a) data intermediaries conveying the data request on behalf of a user, but not using the data
b) data recipients conveying the data request on behalf of a user, and also being the data recipient
Another essential improvement in Article 5 would be to make a clear requirement for providing the data via well-formed APIs. One of the key implementation and usefulness challenges of the data portability clause in the GDPR (Art 20) is that it does not set precise requirements for providing the data to be ported via APIs. It is essential to the success of the Data Act that this challenge of the GDPR is directly and decisively tackled by the explicit requirement of APIs.
→ See Amendments 10, 12
3# Operators within data spaces
The Commission proposal of the Data Act sets essential interoperability requirements for the operators of data spaces in Article 28. Still, the term ‘operator of data spaces’ was not defined, and it is unclear who would need to comply. Under the Czech Republic presidency, the Council proposed an additional definition of ‘operators within data spaces’ to Article 2 and the corresponding changes to Article 28, section 5 of the explanatory memorandum and recital 85.
The change from ‘operators of data spaces’ → ‘operators within data spaces’ is generally good. It recognises that in real-life data spaces, there may not be one operator that could be held liable for all essential interoperability requirements. The new definition should be accompanied by the definition of ‘common European data space’ as it appears in the DGA.
However, the Council proposal can be understood to mean that all participants (operators within data spaces) should comply with all essential requirements. This is not a feasible requirement, and it should be clarified so that the operators within data spaces are each expected to comply with requirements applicable to the services offered by them (this may be implicit but should be made explicit).
It is better to take as the starting point that all participants are liable for their own activity. There may be situations where an apparent problem (lack of interoperability) exists, but it is not trivially addressable to any particular operator within data spaces. These emergent issues could be tackled with some form of collective responsibility. However, collective responsibilities quickly become obstacles to the implementation and growth of data spaces (organisations may avoid joining data spaces if that would mean becoming liable for some unclear collective responsibilities).
We propose that the operators within a particular data space shall agree on the rules by which the accountabilities regarding the interoperability requirements are defined between the operators. Such lightweight legal liabilities deriving from the Data Act would boost the development of robust internal governance for the Common European Data Spaces. Internal governance structures such as the rule books would answer the question of how, in practice, the liabilities are handled in real-life data spaces.
→ See Amendments 9, 11, 13, 15
4# Technology neutrality of data sharing contracts
Article 28 requires the operators of data spaces to “enable the interoperability of smart contracts within their services”, and Article 30 sets requirements regarding smart contracts for data sharing.
The definition of smart contract in the Data Act is technical and specific: “‘smart contract’ means a computer program stored in an electronic ledger system wherein the outcome of the execution of the program is recorded on the electronic ledger.”
It is a valid aim to improve smart contracts’ interoperability and tame the ills of bad distributed ledger implementations. However, there are also functional non-ledger-based technologies for data sharing contracts, which would benefit from interoperability and minimum requirements.
Article 30 only refers to data sharing in the title of the article. Beyond that, the requirements seem to be general for smart contracts. We propose to remove the references to ‘smart contracts’ and use ‘contracts for data sharing’ instead. We do not see the necessity for Article 30.
→ See Amendment 14
Amendments
Amendment 1 | |
Article 2 – parag. 1 – point 1 a (new) | (1a) ‘personal data’ means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679; |
Amendment 2 | |
Article 2 – parag. 1 – point 1 b (new) | (1b) ‘non-personal data’ means data other than personal data; |
Amendment 3 | |
Article 2 – parag. 1 – point 1 c (new) | (1c) ‘data subject’ means data subject as referred to in Article 4, point (1), of Regulation (EU) 2016/679; |
Amendment 4 | |
Article 2 – parag. 1 – point 5 | (5) ‘user’ means a natural or legal person, including a data subject, that owns, rents or leases a product or receives a services; |
Amendment 5 | |
Article 2 – parag. 1 – point 6 | (6) ‘data holder’ means data holder as referred to in Article 2, point (8), of Regulation (EU) 2022/868 |
Amendment 6 | |
Article 2 – parag. 1 – point 7 | (7) ‘data user’ means data user as referred to in Article 2, point (9), of Regulation (EU) 2022/868 |
Amendment 7 | |
Article 2 – parag. 1 – point 16 | |
Amendment 8 | |
Article 2 – parag. 1 – point 17 | |
Amendment 9 | |
Article 2 – parag. 1 – point 20 a (new) | (20a) ‘common European data spaces’ mean purpose- or sector-specific or cross-sectoral interoperable frameworks of common standards and practices to share or jointly process data for, inter alia, development of new products and services, scientific research or civil society initiatives. |
Amendment 10 | |
Article 2 – parag. 1 – point 20 b (new) | (20b) ‘data intermediation service’ means data intermediation service as referred to in Article 2, point (8), of Regulation (EU) 2022/868; |
Amendment 11 | |
Article 2 – parag. 1 – point 20 c (new) | (20c) ‘operators within data spaces’ mean legal persons, such as data holders, data users, and data intermediation service providers, that facilitate or engage in data sharing within and across the common European data spaces; |
Amendment 12 | |
Article 5 – parag. 1 | 1. Upon request by a user –directly, via a data intermediation service, or via the intended data user– |
Amendment 13 | |
Article 28 – parag. 1 | 1. Operators within |
Amendment 14 | |
Article 28 – parag. 1 – point d | (d) the means to enable the interoperability of |
Amendment 15 | |
Article 28 – parag. 3 (new) | The operators within a particular data space shall agree on the rules by which the accountabilities regarding these requirements are defined between the operators. |