Close

A Comment on the Data Act, Europe's Bold Proposal for IoT Regulation

Gilbert Hill, Matt Prewitt, Divya Siddarth

April 1, 2022

European Commission Flags

From our founding in 2018, the RadicalxChange community has advocated for power-distributing, rather than power-concentrating systems. The information flowing through the data economy creates opportunities for power concentration; but also opportunities to create hugely distributed value and agency. How to balance the two?

Our 2020 paper, the Data Freedom Act, was an influential early articulation of a regulatory framework that would facilitate efficient flows of information, while also avoiding extreme concentrations of power. Today, we’re happy to see many of its principles appearing in meaningful policy.

The European Commission’s recent proposal for a Data Act is a major chapter in this story. More than anything we’ve seen before – including the final EU Data Governance Act, whose enacted text was somewhat disappointing compared with earlier drafts – the proposed Data Act seems capable of redirecting part of the data economy towards the public good instead of a power grab.

Our biggest concern is that its scope is not wide enough. It puts in place a deeply sensible framework for IoT providers, aligning incentives between returning privacy-preserving control of data to data holders, while allowing collaborative use of this data to solve problems in both the public and private sectors. This framework is so sensible that we’d like to apply beyond IoT. We could say “it’s a step in the right direction” – and it is – but experience teaches that the second step is often harder than the first. The rules in this regulation would do a much better job transforming the whole data economy if they applied to software and smartphone providers, in addition to IoT product providers.

Unfortunately, industry players have already signaled that they will fight the core provisions of the regulation. That is a discouraging signal that they do not wish to compete in a fair and open ecosystem; we hope policymakers and the public will see the pushback for what it is.

Here’s a quick tour of a few of the Data Act’s main ideas, with commentary.

Scope

The Data Act applies, in general, to IoT businesses, which is to say providers of “tangible items” that generate, collect, and transmit data “and whose primary function is not the storing and processing of data.” While it is not addressed precisely in the text, this language seems to exempt providers of software, as well as computing devices like smartphones.

As a general matter, we have some doubts about whether IoT presents issues distinct enough from software that it should be regulated differently. The most obvious distinction is simply that the proliferation of data-collecting devices in everyday life crosses various thresholds leading to qualitative and quantitative step-changes in data collection. But software services, too, are ubiquitous, dynamic, and constantly making radical new incursions into once-unquantified aspects of everyday life.

Our point here is not that it doesn’t make sense to regulate IoT with the Data Act’s framework; it does. But the Data Act framework is so good that it should cover the whole data economy, including software services, not just IoT. Here’s why it’s so good.

Forcing IoT Businesses To Find Business Models Other Than “Data Grab!”

The Data Act would require IoT providers to give their customers easy electronic access to all of the data the IoT products generate. Further, customers could request the IoT providers to share their information directly with third parties, such as other businesses that may be able to plug it into their services. So the ability of IoT businesses to predicate their business models on the data they collect would be very limited.

The biggest limitation to the Data Act’s right to get data from IoT companies is this: customers and/or third parties who receive it may not then use it to develop products that compete with the product from which it originated. It’s clear why businesses would want this. But it isn’t clear that it’s necessary to ensure a dynamic IoT industry. Why do IoT businesses need to have an exclusive ability to use the data they collect in order to improve their products and services?

To be sure, with reduced exclusivity in their ability to use the data, IoT providers start to look more like commodity hardware providers. But is that actually a bad thing? Don’t we want the opportunities for improving IoT to be obvious and accessible to everyone?

The framework in the Data Act would undermine many extractive IoT business models and tilt the balance of power towards ordinary users. It would not undermine the quality of data-based services, whose potential value is obviously huge. Instead, it would distribute the gains, which is exactly what we want markets to do.

Standardizing Data Portability

Article 5 of the Data Act introduces a right for users to share data with third parties, while excluding ‘gatekeepers’ (ie, monopolistic platform services, as defined in the Digital Markets Act).

This is a step toward ensuring that the power in IoT will not flow right back to huge third party software providers running services on top of the hardware – i.e., that the Data Act will not push customers right back into the arms of Google, Amazon, Facebook, and Microsoft.

Among other benchmarks, businesses with market capitalizations above 100 billion Euros may be designated as gatekeepers per the Digital Markets Act. But plenty of mischief can be done by software companies of far smaller size: they could try to corner parts of the market and gain undue power over consumers in precisely the way that the Data Act prevents IoT companies from doing. In light of this, we would prefer to see a de novo definition of the kinds of software companies that cannot receive customer data through the Data Act. Or even better: simply subject software companies to the same reasonable framework the Data Act imposes on IoT companies.

Smart Contracts

The Data Act would require businesses managing data through smart contracts to ensure that their smart contracts do not preclude compliance with the rest of the Act. This is reasonable – the point of smart contracts shouldn’t be to automate execution to preclude compliance. Of course, this might mean that non-European players take the lead in smart contract-mediated data ecosystems that aren’t compatible with the Data Act. In particular, calls for ‘safe termination and interruption’, as well as auditability, may prove difficult to execute on in the existing environment of smart contract development.

It’s an unavoidable tradeoff if the Commission wants to be able to regulate in the EU.

Dispute Settlement & Intermediary bodies

As outlined in the Data Governance Act (DGA), the EU wants to promote the classification and certification of intermediaries, holding a number of workshops involving MyData and other groups in which elements such as common standards and labeling schemes were discussed.

Much of the focus of the DGA and the EU Data Strategy in general has been on scenarios where such intermediaries help promote data altruism, or act as ethical brokers for people to realize their data’s value. The Data Act appears in Article 10 to outline another role for intermediaries - in dispute settlement.

Predictions had been made in some circles of a post-GDPR wave of class-action lawsuits as people collectively sought redress in the event of a breach or negligence by a data controller. Despite a few high-profile cases this hasn’t come to pass due to the need for representatives (lawyers and litigation funders) to find a viable business model, and reliance on laborious DSAR processes for evidence-gathering.

Article 10 proposes that data holders and recipients shall have access to dispute settlement bodies, who should offer a “simple, fast and low-cost solution” to the parties. The Commission would maintain and publish a list of recognised bodies, presumably with a standardized process for certification and review.

It is not currently clear whether an intermediary could perform a dispute resolution, and the Data Act does not affect the right of parties to seek another legal remedy. However, it does outline a workable approach to dispute resolution than class actions and another step towards data intermediaries being a viable economic ecosystem.

Our hope is that such intermediaries could develop into more robust institutions collectively representing peoples’ data interests, along the lines of what we proposed in the Data Freedom Act. As written, the Data Act is still only a baby step towards that.

Conclusion

Hats off to the European Commission for drafting a serious proposal.

No one can accuse these regulators of naivete; nor are they overzealous. Against the backdrop of a deeply dysfunctional data economy which, left to its own devices, could get worse, this proposal isn’t as aggressive as some will say it is. As much as the Data Act would reshape IoT, its scope should actually be broader. We hope that impartial Europeans will see this, and help guide this process to a conclusion that sets a positive precedent for the rest of the world.