Two years after the European Commission released an omnibus Data Strategy, it has proposed the Data Act, the last major component of its legislative plans to reshape Europe’s digital economy. The Data Act is intended to stimulate the re-use of data generated by the burgeoning number of connected or ‘smart’ products and services that transmit information back to manufacturers and service providers. The Act would grant economic rights to owners and users of these products and services, and it also would establish mechanisms to facilitate data reuse. It would apply primarily in the business-to-business context.
Most of the data covered by the Data Act is considered ‘non-personal’, in that it relates to industrial products and services rather than to individuals, although it is not uncommonly mixed with personal data as well. A recent economic study found that commercially sensitive non-personal data is the most common type of data to be shared across borders, ahead of personal data.
Why are Transfer Safeguards for Non-Personal Data Necessary?
The Commission believes that international transfers of non-personal data require a counterpart regulatory structure to what exists for personal data under the General Data Protection Regulation (GDPR). In both cases, it sees a common external threat — extraterritorial foreign laws. The impact assessment for the Data Act identifies two U.S. signals intelligence authorities, Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, as well as China’s 2017 National Intelligence Law. The Commission also cites the US CLOUD Act, which allows U.S. law enforcement to demand information held abroad by cloud service providers subject to U.S. jurisdiction.
The nature of the threat posed by these foreign laws differs for personal and non-personal data, however. The analysis of foreign surveillance laws required for personal data by the Schrems II judgment of the Court of Justice of the European Union, and elaborated in subsequent European Data Protection Board (EDPB) recommendations, aims at preventing compromise of the EU’s fundamental rights to privacy and protection of personal data when international transfer is contemplated.
The Data Act, by contrast, focuses on commercially sensitive industrial data protected by European intellectual property and trade secret laws. Cloud service providers often host such data, just as they do personal data, but EU companies “report reluctance to use cloud services due to concerns of unlawful or unauthorized access that may lead to IP theft [or] industrial espionage.” This reflects a “trust problem”, and “the trustworthiness of cloud services equals the trustworthiness of the data economy,” the impact assessment notes.
The United States government has consistently denied deploying its foreign intelligence surveillance apparatus to benefit U.S. companies. “U.S. government commitments and public policy…expressly prohibit the collection of information for the purpose of obtaining a commercial advantage,” a 2020 White Paper asserts. Nonetheless, the Data Act proposal proceeds on the premise that it, along with China, does so.
The Tangled Net of EU Data Transfer Regimes
The Commission’s approach to international transfers of commercially sensitive data such as trade secrets or other intellectual property originated with the Data Governance Act (DGA), a separate EU regulation to facilitate the reuse of government-held data that was agreed legislatively late last year. Article 30 of the DGA requires providers of data intermediation services to “take all reasonable technical, legal and organizational measures, including contractual arrangements” to avoid conflicts between EU or member state law and foreign governmental access law. The reference to ‘technical, legal and organizational’ safeguards is drawn from the EDPB recommendations for personal data transfers.
In addition to taking these safeguard measures, a data intermediary under the DGA may honor only those unilateral foreign access requests that it deems to be reasoned, proportionate and specific, as well as subject to review by a third country court or tribunal that would balance the competing domestic and foreign interests. Data intermediaries must undertake the required analysis on a case-by-case basis.
Article 27 of the proposed Data Act adopts the identical approach taken in Article 30 of the DGA, with one potentially significant addition. Under Article 27(3), a service provider may ask a relevant EU or member state authority to assist in determining whether it may positively respond to a foreign access request relating to commercially sensitive data or implicating national security interests. The Commission would be charged with developing guidelines for this purpose, with the assistance of the European Data Innovation Board, a new EU-level body to be established under the DGA.
Article 27(3) of the Data Act thus acknowledges that assessing whether safeguard measures are sufficient to allow transfer of non-personal data, consistent with European intellectual property and trade secret laws, can be a complex corporate decision deserving of government assistance. This feature of Article 27, if it survives the legislative process, would be welcome news for companies currently struggling with the comparably resource-intensive transfer risk assessments they are obliged to conduct under the GDPR, which often range into unfamiliar areas of foreign law far from their commercial expertise (indeed, these issues are often so complex that a leading privacy scholar has called for EU authorities to resort to outside academic experts for assistance). However, a similar provision in the Commission’s version of the Data Governance Act was deleted during the legislative process, so its eventual survival in the final version of Data Act is far from certain.
The varying data transfer regimes established by the GDPR, DGA and proposed Data Act may interact with each another. A foreign government authority conceivably could seek non-personal data because, combined with personal data, it yields law enforcement or national security value. Moreover, a service provider receiving a foreign government access request could discover that it holds responsive personal and non-personal data for a customer, and thus must conduct separate analyses under more than one of these varying transfer regimes.
The cloud provider may, moreover, be answerable to different regulatory authorities depending on the type of data involved. GDPR enforcement falls to data protection authorities, but member states may designate other national enforcement authorities for purposes of the Data Act. Germany, for example, could choose its competition authority (Bundeskartellamt), while France could turn to its data protection authority (CNIL), as two commentators have pointed out.
As a result, a company could face scrutiny of its handling of a foreign government access request raising conflict of law issues from multiple enforcement authorities with varying expertise. Although Article 31(3) (f) of the proposed Data Act encourages coordination among member state designated authorities, this provision seems insufficient to reconcile their potentially differing perspectives on international transfers and access requests involving both personal and non-personal data.
The asserted aim of the Data Act’s proposed international transfer regime for non-personal data is to avoid conflicts between European intellectual property and trade secret laws and foreign governmental access law. The Commission does not offer concrete examples of when this has occurred, instead citing only European companies’ perceived concerns about IP theft or industrial espionage. Non-European cloud service providers, upon whom the burdens of imposing case-by-case safeguards would fall most heavily, may suspect a sovereign or protectionist EU agenda.
Abstract conflict of law analyses have real-world trade consequences. A survey reported that transfers of personal data from the EU to the United States declined by about one-quarter since the invalidation of the Privacy Shield framework. Technology industry groups already fear that requiring legal safeguards for international flows of non-personal data likewise would lead EU companies – as many as 40% of them, according to the previously-noted economic study – to localize data within EU territory. International transfers of health records containing non-personal data also would fall under this new regulatory regime, according to a leaked draft of the Commission’s forthcoming European Health Data Space regulation.
The U.S. Trade Representative’s 2022 National Trade Estimate report regards EU controls on international transfer of personal data as a barrier to digital trade because they encourage data localization in Europe. Similarly, international trade lawyers already have begun to speculate whether the Data Act’s proposed provision on transfer of non-personal data is consistent with the World Trade Organization’s Global Agreement on Trade in Services (GATS). The EU has committed under the GATS to ensure that cross-border providers of data processing services enjoy access to its market, and to afford them national treatment as well. Burdens imposed on international transfers of non-personal data from EU territory conceivably could violate one or both guarantees. Governments enjoy some discretion to regulate to protect personal data and essential security interests, or for other specified public policy reasons. The GATS exception for protection of personal data does not appear facially to extend to non-personal data, however.
The U.S-EU Trade and Technology Council (TTC) established last year, and in particular its Working Group 10 on global trade challenges, seems well-suited to take up, in a less adversarial way, the EU’s planned controls on transatlantic transfers of non-personal data. Doing so would be consistent with the TTC’s mission statement “to work together to maintain competitive, free, and fair transatlantic commerce in new and emerging technologies, by avoiding new and unnecessary barriers to trade in these technologies….” Since the Data Act is at an early stage of legislative consideration, with the European Parliament and the Council just beginning to develop their own positions, early consultation with the United States could help avoid transatlantic conflict of the kind that has persisted for years over personal data transfers.
These statements are attributable only to the author, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.