State of play on the EU Data Act


This fall, one of the most prominent policy proposals to be discussed on the EU political agenda will be the Data Act. With the legislative proposal of the Data Act, the European Commission aims to foster a fruitful environment for the data economy, including ensuring a data market that is fair and competitive, facilitating opportunities for data-driven innovation, as well as making data more accessible to all. 

Ecommerce Europe understands the Data Act as an important step for realising the potential that a data-driven economy has for Europe. With this proposal, the EU aims to create greater legal certainty for both businesses and citizens generating data. Ecommerce Europe firmly believes that the European data-driven economy should be incentivised by best practices from the industry, and not impeded by a strict regulatory framework hindering innovation. Therefore, Ecommerce Europe closely monitors the legislative developments on the Data Act to ensure that the regulation preserves economic incentives for all market operators, takes into account sector-specific characteristics, and considers vital principles such as feasibility, privacy, cyber security, intellectual property and the protection of trade secrets. 

European Parliament draft report underway 

The ITRE Committee leads the Data Act negotiations in the European Parliament, and Rapporteur Pilar del Castillo Vera (EPP, Spain) has announced that the draft report is about to be handed over to the translation services and can thus be expected to be published soon. The draft report will address one of the elements of the Commission’s legislative proposal that has so far been subject to the most backlash, namely Chapter V. Chapter V of the Data Act proposal lays down obligations for businesses to share data with governments in situations of “exceptional need.” With her draft report, Rapporteur del Castillo Vera seeks to clarify this point further by distinguishing between situations of so-called public emergencies, in which businesses will not be entitled to compensation for sharing their data, and situations of exceptional need, which, on the other hand, might entitle businesses to compensation.

Article 27 of the legislative proposal is also expected to be addressed in the ITRE draft report. Building on already existing GDPR rules, Article 27 concerns international transfers of and access to non-personal data. According to the original proposal, transfers of non-personal data to third countries may only take place if the third country in question can provide sufficient rule of law guarantees. Yet this may raise a number of concerns for businesses, for example regarding how to differentiate between personal and non-personal data as these become increasingly inseparable, how cloud service providers are expected to handle requests by governments of third countries, and how to interpret and assess the rule of law guarantees provided by third countries.

New developments in the Council 

Within the Council, the Czech Presidency recently presented a new partial compromise text on the Data Act, in which it addresses key aspects of cloud switching, interoperability requirements and enforcement cooperation at EU level. On cloud switching, the initial draft implies a transition period of 30 calendar days for switching between cloud service providers. With the compromise text, however, the Czech Presidency introduces the possibility for cloud service providers to request an extension period under exceptional circumstances rooted in technical unfeasibility. This links to another aspect added by the Czech Presidency, namely that the outgoing cloud service provider shall be obliged to facilitate functional equivalence during the transfer, also in cooperation with the destination service provider, and must also ensure a high level of cyber security during the transfer process. Regarding interoperability, the Czech Presidency’s text stresses that the essential requirements on interoperability only apply to organisations that are part of certain data spaces (sectorial data spaces with governance rules specific to the health, energy, and agriculture sectors). Furthermore, we have learned from the Presidency’s compromise text that the government and enforcement architecture of the Data Act will follow the principle of country of establishment. In cases where organisations do not have legal representation in the EU, all Member States would have jurisdiction.
