EU Proposes Tougher Data Transfer Rules With Data Act

Controlling Data

European Commission publishes draft legislation with Data Act, that will govern the rules for data transfers in the years ahead

Major cloud and data processing tech giant have some reading to do, after the European Commission (EC) published its draft Data Act.

The Data Act announced on Wednesday sets out the EU framework governing the rules, rights and obligations for companies transferring European personal data to offshore (mostly US) servers and data centres.

The arrival of the proposed rules comes after Meta earlier this month warned if it was not allowed to transfer, store and process European user data on US-based servers, it could shut down Facebook and Instagram in Europe.

Image credit: European Commission
Image credit: European Commission

Tightened transfer rules

The new rules proposed in the Data Act govern “who can use and access data generated in the EU across all economic sectors.”

The Data Act includes measures to allow users of connected devices to gain access to data generated by them, which is often exclusively harvested by manufacturers; and to share such data with third parties to provide aftermarket or other data-driven innovative services.

Secondly it includes measures to rebalance negotiation power for SMEs by preventing abuse of contractual imbalances in data sharing contracts.

Thirdly it will allow public sector bodies to access and use data held by the private sector, during floods or other emergency situations for example.

Essentially the draft Data Act will oblige Amazon, Microsoft, Meta and other big name providers of cloud and data processing services to set up safeguards to prevent non-EU governments gaining illegal access to EU data.

“We want to give consumers and companies even more control over what can be done with their data, clarifying who can access data and on what terms,” said Margrethe Vestager, executive VP for a Europe fit for the Digital Age.

EU competition commissioner Margrethe Vestager.  European Commission
Margrethe Vestager.  European Commission

“This is a key Digital Principle that will contribute to creating a solid and fair data-driven economy and guide the Digital transformation by 2030,” Vestager said.

“Today is an important step in unlocking a wealth of industrial data in Europe, benefiting businesses, consumers, public services and society as a whole,” noted Thierry Breton, commissioner for internal market.

“So far, only a small part of industrial data is used and the potential for growth and innovation is enormous,” said Breton. “The Data Act will ensure that industrial data is shared, stored and processed in full respect of European rules. It will form the cornerstone of a strong, innovative and sovereign European digital economy.”

The Data Act will need to be approved by EU governments and lawmakers before it can become law.

Troubled transfers

The issue of transferring European user data to American servers has long been a bug bear for the European Commission and privacy campaigners.

Data used to be transferred to the US under the Safe Habour agreement, but the European Court of Justice in 2015 suspended the original Safe Harbour agreement.

It was suspended in the wake of the Edward Snowden revelations about the scale of US and its NSA agency spying on friends and allies.

The Privacy Shield (or Safe Harbour 2.0) was then drafted, but the United States and the European Union were forced to change it after an initial agreement submitted in February 2016 was rejected by European Watchdogs for not being robust enough.

The two sides then agreed to stricter rules for American companies holding information on Europeans and clearer limits on US surveillance. And this reworked Privacy Shield agreement was then approved by EU member states and adopted in July 2016.

The European Commission’s Privacy Shield data framework replaced the EU-US Safe Harbour deal which had been in place since 2000, but right from the start it proved controversial with ongoing concerns about US spying.

The Privacy Shield had been designed to help firms on both sides of the Atlantic to move the personal data of European citizens to the United States without breaking strict EU data transfer rules.

Then in July 2020 the European Court of Justice struck down the transatlantic data transfer deal.