Cluj IT Cluster position on EU Data Act
CLUJI IT CLUSTER, Romania
DATA INTELLIGENCE WORKING GROUP
CONSULTATION ON THE UE DATA ACT, UNDER THE UMBRELLA OF THE EUROPEAN DIGITAL SME ALLIANCE
The new European Union legislative proposal for a Data Act focuses on business-to-government data sharing, business-to-business data sharing, and the IPR framework with a view to further enhance data access and use. As this topic is highly relevant for SMEs active in the data economy, Cluj IT Cluster has joined the European Digital SME Alliance in developing a position paper on the Data Act in response to the European Commission consultation.
CLUJ IT FEEDBACK TO SELECTED TOPICS – LIMITATIONS OF DATA ACT APPLICABILITY TO SME ORGANIZATIONS
In regards with the following assertions from the Digital SME Alliance position paper:
- DIGITAL SME Alliance explicitly welcomes the SME-friendly angle of this proposal. In the course of the legislative proposal, policymakers need to ensure that none of the obligations raised by this legal act are extended to SMEs
- The European Commission has to ensure that the aftersales market remains open and competitive, and that relevant security-provisions imposed via standards do not de-facto allow OEMs to limit access to SMEs. One way to ensure this is the introduction of simplified cybersecurity schemes which are tailored to SMEs, and which SMEs could therefore more easily implement, and which would guarantee the same level of conformity in terms of security requirements
we consider these as being able to create a loophole that allows the big companies to circumvent the provisions of the Data Act by outsourcing the data and process of interest towards SME organizations. This may also undermine the universal and coherent application of the Data Act in accordance with the expectations from the EU Commission.
While data sharing can be controlled, the same needs to happen with the machine learning models trained using such data. Public entities that have access to large volumes of data must be regulated in terms of usage of models trained using data that is not accessible by other commercial companies. Therefore, MLOps mechanisms need to be in place to ensure the traceability of the data used in training ML models.
CLUJ IT FEEDBACK ON PROHIBITION OF BIOMETRIC MASS SURVEILLANCE
We welcome the proposals in regards to:
- Prohibition of the development and use of tools regarding biometric mass surveillance, as a means to gain competitive market advantage, due to their deleterious effects on individual rights and freedoms
- Prohibition of the development and use of tools regarding predictive policing systems, due to the significant potential of such capabilities to erode the democratic process in the internal market and abroad.
We consider these proposals to be very relevant for a digital market, in the context of protecting the individual human
rights and the rule of law.
REGARDING PROTECTION OF DATA GENERATED BY THE USERS
We welcome the perspective mentioned in the regulation preamble (paragraphs 31 – 33) stating the following:
- Data generated by the use of a product or related service should only be made available to a third party at the request of the user (…);
- Access to any data stored in and accessed from terminal equipment is subject to Directive 2002/58/EC and requires the consent of the subscriber or user within the meaning of that Directive (…);
- In order to prevent the exploitation of users, third parties to whom data has been made available upon request of the user should only process the data for the purposes agreed with the user and share it with another third party only if this is necessary to provide the service requested by the user (…).
Even if this perspective may impose additional constraints to SMEs (such as additional compliance efforts and potentially degrade the feasibility of some business models), the benefits to the European citizens (privacy, consent, control …) will
far outweigh the effects of these constraints.
We believe that it will have the same positive effects as the GDPR legislation has.
REGARDING THE EXCEPTIONAL NEED TO USE DATA
We are concerned that the provisions of Article 15, paragraph c) may create conditions for abuse and harmful market disruption.
The provision c-1 is effectively enabling a public sector body or Union institution to enforce preferential/arbitrary rates in transactions with private market. If the public sector body/EU institution cannot purchase the data at market rates because these rates are too expensive, then this provision allows the public sector body/EU institution to enforce an arbitrary rate on any data holder (even if the rate may be reasonable).
This is not possible for a private sector actor that has to purchase the data at the price set/negotiated with the data holder. This creates an imbalance in the competitiveness since, if a public body is in competition with a private sector actor, then the public body (assuming that we are discussing about a public interest task) has the ability to have a better cost control (since it can enforce unilateral/preferential costs). In the end, this creates a disincentive for private sector to invest in the EU businesses focused on processing high value/high interest data.
Furthermore, the provision c-2 may allow a public sector body or Union institution to disrupt the market by providing data to other data holders or enterprises at a preferential cost. Again, this leads to a significant risk and disincentive for the private sector to invest in creating high value/high interest data.
Our partners from Legal Accelerators, specialized in legal technology, legal innovation & connected domains, have provided additional feedback in regards with Article 15:
The provision is in many regards imprecise; since it:
1. Would generate disputes;
2. Would undermine the uniform application of regulation at the European level.
Additionally, there are several additional shortcomings related to this provision:
- It is not sufficiently precise as regards the concept of „public emergency” (Article 2(10)); the definition also appears as too broad. Correlated with the fact that in case of public emergency the data should be made available to public bodies free of any charge, this appears as highly disproportionate; moreover, it contradicts the constitutional principles regarding of protection of property (the expropriation for general interest purposes being legal only in exchange of a fair compensation);
- It is not sufficiently clear in regards to the categories of data that should be made available; no safeguards are imposed in regards to the protection of rights of data subject after the transfer;
- Not sufficiently precise as regards the identification of the laws that may impose specific tasks in the public interest (GDPR? fiscal laws? criminal laws? others?);
- Not enough precise as the tasks to be considered or the public entities concerned;
- Not sufficiently clear as regards the impossibility of the public entity to obtain the data on the market (what proofs can/should be presented to that effect, when and to who? absolute impossibility or relative one would be adequate? what reasons for that impossibility? refusal to be delivered/inexistence of that data? it is highly debatable whether a high market price for those data, price that the public entity is not opened to pay, may justify the application of the text).
The provision should not be the instrument allowing to the public entities to act in fully discretionary manner and to benefit – without adequate consideration – of the activities and work of data holders. It should be more precise and provide sufficient safeguards in order for the data holders to be able to predict reasonably what are or may be their obligations. Since the data is obtained after efforts of collection/transformation, they are an asset for the data holders; any limitations regarding their corresponding rights should be clear, precise and respond to the constitutional standards.
REGARDING THE TRACEABILITY OF TRANSACTED DATA
The General Data Protection Regulation (GDPR) is a binding law in the European Union Member.
In this regard, traceability of transacted data must be ensured on the whole transaction chain, together with the compliance of GDPR.
Personal data should be protected, by design, avoiding the correlation of data from different edge devices, especially in the presence of traceability mechanisms.
The Cluj IT DATA TASKFORCE has been activated for the purpose of elaborating the current document, reflecting the CLUJ IT Cluster contribution to the European Digital SME Alliance position paper on the Data Act to respond to the European Commission consultation on the Data Act.
The Data Taskforce is part of the Cluj IT Data Intelligence Working Group, which aims to improve the community environment by harnessing the power of Big Data and Artificial Intelligence.
We appreciate the significant contribution of the following experts to the Cluj IT Data Taskforce: