Last month, the Czech Presidency proposed the first compromise text to the Data Act—a legislative proposal about non-personal data that serves as the latest addition to the European Commission’s greater European Union (EU) data strategy. The compromise text held much-needed components and clarifications missing from the original Data Act. But the Czech presidency did not amend the compromise text enough to minimize compliance burdens for all, not just some, Internet of Things (IoT) companies. To improve the Data Act, the European Commission should amend the proposal to treat all IoT companies equally by removing size-based carve-outs and minimizing compliance burdens and barriers to entry.
Introduced in February of 2022, the Data Act addresses rules around who can access non-personal data—data without personally identifiable information and that cannot be traced to an identifiable person—generated on connected devices. The proposal clarifies the current patchwork of member state rules on non-personal data to ensure that the internal EU data market has one consistent framework to follow. The Data Act also imposes specific obligations on businesses to collect and share IoT data with other businesses, consumers, and the public sector. In July of 2022, the Czech Presidency began circulating a compromise text that, among other things, expanded upon the original proposal’s exemptions for small and medium-sized enterprises (SMEs) to broaden exemptions for medium-sized enterprises. By widening these carveouts for SMEs, the compromise text would not treat all IoT companies equally, distort the EU’s data market, and create a compliance burden that will hurt EU SMEs in the global data economy.
As it stands, the Data Act carves out SMEs—businesses that employ fewer than 250 employees and do not exceed an annual turnover of €50 million or a balance sheet of €43 million as defined by the EU Enterprize Size and Commission Recommendation—from parts of the legislation to give them lower barriers to entry. Articles 7 and 16 of the Data Act exempt SMEs from business-to-consumer, business-to-business, and business-to-government data sharing regulations in Chapters Two and Five. Regulating businesses based on size fails to account for a business’s growth, loss, and desire to scale up, and unfairly penalizes larger firms even though they tend to have higher productivity, better wages, and more innovation. Companies that desire to scale up will focus from the beginning on how to comply with the entirety of the Data Act’s data-sharing standards—defeating the very purpose of the Data Act’s carve-outs of these SMEs.
In fact, exempting SMEs from Chapters Two and Five ignores just how burdensome these regulations are for data-driven innovation for IoT companies of all sizes. These carve-outs basically acknowledge that these provisions in the Data Act will harm the EU data economy and stifle innovation but still give a stamp of approval that it’s okay to burden larger firms. Chapter Two discusses how businesses have an “obligation to make data generated by connected devices accessible” free of charge, without delay, and, if possible, in real-time to consumers and other businesses beginning from the design phase of a product or service. Chapter Five establishes similar guidelines for businesses to share data free of charge with public sector bodies if there is an exceptional need or in times of public emergency. These regulations compel companies to think from product conception and design about how easily accessible their data is upon request, even if it comes at the expense of product quality or innovative features. And for businesses with existing products and services, the regulations with Chapters Two and Five could force them to reengineer entire portions of their back-end, product design, manufacturing, and service functionality to ensure compliance with the Data Act’s data-sharing standards.
Burdensome regulations like these have proven time and time again to hamstring innovation for SMEs of all sizes. When surveyed, only 34 percent of the European SMEs had data-sharing in their strategy, and many cited the complexity of legislation as a significant hurdle to using data-driven innovation. Another survey showed that regardless of size, European SMEs would continue to focus resources on compliance when faced with new regulations. Because of these impending burdensome regulations, many SMEs could struggle to scale up as they redirect resources towards compliance that could have driven further innovative solutions.
Despite the broadened exemptions proposed within the Czech compromise text of the Data Act, the carve-outs will not prevent SMEs from facing the prospect of these burdensome regulations in the future. Scaling up under the Data Act’s restrictions could push burgeoning companies to focus less on innovation and more on compliance from the very beginning—at a product or service’s conception and design phase. The carve-outs reflect an acknowledgment that the burdensome provisions in the Data Act will harm the EU data economy and reduce innovation as well as a stamp of approval that it’s okay to burden larger firms. In this sense, the Data Act’s compliance burden will make it harder for the EU SMEs and all its data-driven businesses to compete internationally. International competitors from high-tech markets like the United Kingdom, the United States, and India will be able to focus on research and development without the burden of future or present compliance regulations unless they choose to enter the EU’s data market. At the same time, EU companies would likely lag in comparison. Because EU companies will have to face the budgetary constraints of Data Act compliance and other regulatory requirements beforehand, EU companies could become increasingly less competitive and less innovative in the global data economy.
Instead of exempting SMEs broadly from the compliance burden of the Data Act, the European Commission should alleviate the regulatory hurdles all businesses may face when entering or operating in the EU’s data market. Rather than carving out SMEs in a short-term solution, the Commission should focus on a long-term solution that removes all carve-outs based on arbitrary size distinctions and maximizes incentives to share data and drive innovative products into the EU market. Step One should be to remove Articles 7 and 16, where the Data Act exempts SMEs from entire chapters of the legislative proposal. Step Two should significantly amend Chapters Two and Five, the regulations that heighten the compliance burden from which SMEs were previously exempt, to reduce or even remove the regulatory hurdles IoT businesses may face when entering or operating in the EU’s data market.
By further reducing the burdensome regulations proposed for business-to-consumer, business-to-business, and business-to-government data sharing, the Commission could ensure that IoT businesses can comply with the Data Act without facing capacity constraints, stifled innovation, or failure to launch Internet-connected devices.