EU Data Act: a second generation of consumer data legislation takes shape
The EU Data Act is part of a second generation of data legislation which aims to empower consumers with their data. It sounds very promising, but will it do enough to help consumers get value from their data?
The EU Data Act is aimed not only at preventing harm to consumers but even more at unlocking the structural challenges within digital markets populated by companies holding large amounts of valuable, consumer-generated data. It contains proposals to allow users of cloud services and connected IoT devices like fridges, wearables and smart meters to get additional value from the data they have generated more easily, ensure healthy competition and consumer-proof innovation.
Increasing data mobility will help prevent vendor lock-in for users, who would be more able to switch suppliers. It could also support consumers, within safeguards, to access and share their data with third parties who can then deliver innovative services back to them. For example:
A consumer with a collection of smart home devices might be able to collate and share that data with a third party app that could notify them of how much energy they are using and how to reduce it.
If they knew they had access to their connected device’s data, consumers could shop around for the best repair option, without being forced to pay a premium to use the product retailer.
This concept of data empowerment and mobility is central to Euroconsumers idea set out in the ‘My data is mine’ manifesto, which presents a vision of a flourishing data economy with consumers and citizens in the driving seat. Consumers that are fully in charge of their data, able to decide freely with whom to share or not, can push markets towards delivering to them in a better way, providing the goods and services they really need.
Second generation data empowerment legislation across the world
It is not just Europe who has ambitions to make consumer-proof innovation a reality. In the UK and US, various proposals have been made to put consumers in charge of their data and help steer markets towards better goods and services.
In the UK, a consultation on a new data direction for the UK set out how it would extend people’s rights to data portability – which are currently limited by a lack of obligations on timely sharing and detailed formatting of data. They use the concept of ‘data mobility’ to describe how people could much more easily direct the sharing and reuse of their data between multiple providers, as opposed to just transferring it from one service to another.
The banking sector has already been part of such mobility schemes under the ‘Smart Data’ scheme which brought Open Banking to the UK. A next phase could be to mandate other sectors to participate in smart data schemes to open up portability and mobility.
Meanwhile in the US, the ‘Augmenting Compatibility and Competition by Enabling Service Switching’ (or ACCESS Act) is travelling through Congress. The bill requires large platforms usually in a monopoly position to provide tools for consumers to automate the extraction of their data (with related privacy safeguards).
Taking the example of social media, a person could take their data on friends, connections, customers etc to a new platform – just as someone can switch their land line phone operator without losing their network of contacts.
Data Act could make data portability a reality
Of course, the principles of easy access and portability have been around for a long time but a few different factors have made it difficult to put into practice. Portability provisions in the GDPR for example, were predominantly designed to enable a data subject to request data from the data controller – although there were rights to transmit data from one controller to another where technically feasible.
Inevitably there has been a reluctance from the controllers of big data to share the value more widely. There are also information, security and consent concerns around how consumers might transfer data safely and in full knowledge, and where responsibility may fall if things go wrong.
The Data Act proposals go beyond regular, bilateral transfers to a three party flow, where consumers, data holders and third parties are part of a system of data that moves more freely to meet consumers’ goals. The type of data is also broader and access is not a one off, but rather, a continuous channel of available data in real time.
Risks must be addressed in Data Act for innovation to flourish
Enabling access and sharing of data between different parties is very promising, but it also raises several tricky challenges. If not properly addressed, the current Data Act text could leave consumers exposed and not able to make the most of the empowerment opportunity. On a practical level, the formats for data and for technical interoperability need to be better established to make sure consumers have useable rights they can immediately and easily put into practice.
Some other challenges relate to the definitions of key terms. For example, a narrow definition of data excludes inferred data which in the case of a consumer IoT device, means that only the ‘raw’ data collected by sensors is eligible for extraction. So none of the internal processing which might help, say with a repair would be eligible thus limiting the usefulness of the new access obligations.
Other parts of the Act could have the unintentional impact of actually tightening the large tech providers’ hold on data. For example, the third parties who might make use of data at a consumers’ request must follow stricter rules than data holders do on things like dark patterns.
The Act also seeks to meet some consumer protection requirements through information provision. This approach has often led to complex, opaque and often unfair terms on consumers, therefore much more thought must go into delivering truly safe and fair protection by design so that the burden is not merely put on consumers’ shoulders.
Finally, because data holders have become such a major part of digital service infrastructure, they will inevitably be central to the interactions between consumers, themselves and third parties. This cements the assumption that they are in fact, the de facto controllers of data in the digital economy even when that data is generated by people. It also results in them having full sight of all parts of the interactions from requests to share, to what is shared etc, which gives them yet more advantageous insight into consumer behaviour.
Consumers want more value from their data
A Euroconsumers survey of over 7,000 smart device owners earlier this year found that consumers don’t often get the value they expect from these new technologies. To stay actively engaged with the connected capabilities of home IoT, there needs to be a step up in data generated services.
So the Data Act marks a major step in providing the value and innovation that consumers want from their data and could help to generate a competitive marketplace for consumer-centered data services.
Opening up consumers’ data flows on their terms to third parties could go a long way to bringing the data revolution into people’s homes with genuinely helpful services.
Given consumers’ desire for innovation on their terms, the Data Act, if delivered with the right focus on protection, information and empowerment will show what can be achieved when they can truly say that ‘my data is mine’.