Last month, the Czech Presidency of the Council of the European Union proposed another compromise text to the Data Act—the EU’s proposed legislative framework targeting the use of data from connected devices—to better safeguard private sector data when public authorities demand access to it.
In the original text, the Data Act contained a controversial provision that authorized public authorities to require businesses to share privately held data but did not specify how the public sector would safeguard the data or set real limits on when governments could demand access to privately held data for “exceptional need” and other emergency circumstances. The newly revised compromise text, however, clarifies how government institutions must safeguard shared data, creates specific requirements for how the public sector can treat the data, and clarifies under what emergency and exceptional situations public institutions can demand access to data.
The proposed changes are a step in the right direction, and the European Union should revise the Data Act to better safeguard data the private sector must share with the government.
The Data Act is a big step forward toward the further use of data from connected devices for important public uses. Business-to-government (B2G) data sharing of mobility and location data can support public health strategies and humanitarian aid in times of military conflicts and pandemics. B2G health data sharing can fuel crowdsourced medical advancements, and B2G environmental data sharing can help institutions plan for natural disasters exacerbated by climate change. The Internet of Things (IoT) generates a vast array of data that can be critical evidence in the EU’s discussions of sustainability, transportation systems, education, tourist inflows, and more.
Unfortunately, the original draft of the Data Act mandates that IoT businesses make their data available to the public sector and government institutions in cases of “exceptional need” but leaves what constitutes “exceptional need” up to government discretion on a scenario-by-scenario basis. The Data Act acknowledges that public use of data has benefits, but it insufficiently addresses the risk that data sharing obligations will be interpreted generously or abused, such as by revealing commercially sensitive information or making it more vulnerable, and it fails to establish safeguards to counter these risks.
For example, Article 15 attempts to clarify that the “exceptional need to use data” applies when the data is needed to respond to, prevent, or assist in the recovery from a public emergency, or to complete a task carried out in the public interest when the necessary data cannot be obtained by alternative means. But this definition still does not limit potential government abuse because it lacks clear definitions of what data businesses must share, for how long, or how the public sector will safeguard the data from institutional misuse or bad actors. Or consider Article 19, which states that public institutions must safeguard the B2G data they receive and destroy it when finished, but offers no specific guidelines for how long the public sector and government institutions can have the data, how these institutions must protect commercially sensitive data, or how broad their requests can be. It also offers no specific guidance for how to handle any personal data that might be included in such a request. These shortcomings leave B2G data sharing under the Data Act open to potential misuse or abuse.
The Czech presidency’s proposed compromise for the Data Act is essential because it addresses these problems. The proposed compromise defines “exceptional need” scenarios as unforeseen and limited in time and scope and defines “public emergencies” as natural or human-induced disasters to be defined by procedural law. Both ensure that the EU public sector and the government sector cannot use stretched definitions of “exceptional need” or “public emergencies” to gather data when convenient for other purposes.
The Czech compromise text of the Data Act reflects a recommendation the Center for Data Innovation provided previously to the European Commission, where we suggested the Commission provide “further clarification on what qualifies as a public emergency or exceptional situation and the requirements on how the government can treat the data obtained.” But the Commission should further amend the Data Act to clarify the maximum timespan public institutions can hold business data, what security measures must be in place to protect data shared with the public sector, and what exactly a government agency needs to provide to request B2G data sharing.
The EU policymakers who crafted the Data Act are correct in wanting B2G data sharing for the public good, but further refinements are necessary to safeguard data the government requires businesses to share.