The EU is changing its policy: what companies need to do now

The European Union has unveiled new rules that will make it easier for users to transfer data generated by products such as Alexa from Amazon or vehicles.

The European Commission’s Data Act will set out rules on how companies can access so-called non-personal data or data that does not contain information that identifies a person.

The proposal will affect a wide variety of sources, including information collected in connected machines and devices, such as smart cars and appliances.

For example, under the new rules, the driver of a car may request that any data generated on the vehicle’s performance be sent to a repair shop of his choice. This could help customers get cheaper services than being forced to go directly to the car company, according to the commission.

Cloud service companies such as Amazon and Microsoft will also be forced to facilitate switching between providers.

“We want to give consumers and businesses even more control over what can be done with their data,” said Margrethe Vestager, the Commission’s chief competition officer.

The proposal will now go to EU countries and the European Parliament for approval, but could take years to enter into force.

What it means for companies

Companies are already worried that the new rules would harm non-EU businesses and make data flows with the EU more difficult. According to the proposal, very high-tech companies, such as Google, are unlikely to benefit from slowing down data transfers.

“Data law will serve the EU’s digital ambitions if it protects confidential business information, treats all companies equally and avoids creating new restrictions on data flow,” said Alexandre Roure, director of public policy at the Computer and Communications Industry Association.

The proposal also lays down news rules stating:

• Companies are prohibited from entering into unfair contracts that prevent data sharing with smaller companies.
• Companies need to make the data available to the public sector in an emergency.
• Companies must allow users of connected devices access to the data they generate.

European regulators have consistently established stricter rules on how companies handle user data. The Irish Data Protection Authority is currently examining the legality of a contract that allows companies to deliver large amounts of commercial data across the Atlantic.

The Data Act will also require companies to introduce safeguards to prevent non-EU governments from accessing data and forcing companies to allow users to transfer data between cloud providers at no additional cost.

“Regulations should not conflict with the law or create barriers to data transfers,” said Emilie Petras-Sohie, IBM Europe’s chief policy and legal manager.

“And cloud switching requirements should strike the right balance between avoiding blocking providers and enabling cloud providers to deliver innovative services.”