Showing 9 of 181 Publications in Data Security & Privacy

Commerce Committee Fails to Correct Major Deficiencies in House Privacy Bill

TOTM

Having earlier passed through subcommittee, the American Data Privacy and Protection Act (ADPPA) has now been cleared for floor consideration by the U.S. House Energy and Commerce Committee. Before the markup, we noted that the ADPPA mimics some of the worst flaws found in the European Union’s General Data Protection Regulation (GDPR), while creating new problems that the GDPR had avoided. Alas, the amended version of the legislation approved by the committee not only failed to correct those flaws, but in some cases it actually undid some of the welcome corrections that had been made to the original discussion draft.

Data Security & Privacy

Why the EU’s Rushed ‘Travel Rule’ for Crypto Should Be Struck Down

Popular Media

We appear to be reaching an end stage in negotiations between the European Parliament and the Council of the European Union on a plan to extend the EU’s financial-surveillance regime over the cryptocurrency industry. Alas, lawmakers were in such a rush that they appear not to have noticed that the hastily crafted legislative package violates fundamental tenets of the EU’s founding treaties.

Financial Regulation & Corporate Governance

European Proposal for a Data Act: A First Assessment

Scholarship

INTRODUCTION AND BACKGROUND

On 23 February 2022, the European Commission unveiled its proposal for a Data Act (DA).[1] As declared in the Impact Assessment,[2] the DA complements two other major instruments shaping the European single market for data, namely the Data Governance Act[3] and the Digital Markets Act (DMA),[4] and is a key pillar of the European Strategy for Data in which the Commission announced the establishment of EU-wide common, interoperable data spaces in strategic sectors to overcome legal and technical barriers to data sharing.[5] The DA also represents the latest effort of European policy makers to ensure free flows of data through a broad array of initiatives which differ among themselves in terms of scope and approach: some interventions are horizontal, others are sector-specific; some mandate data sharing, others envisage measures to facilitate the voluntary sharing; some introduce general data rights, others allow asymmetric data access rights.

Notably, the General Data Protection Regulation (GDPR) enshrined a general personal data portability right for individuals,[6] the Regulation on the free flow of non-personal data facilitated business-to-business data sharing practices,[7] the Open Data Directive aimed to put government data to good use for private players,[8] and the Data Governance Act attempted to harmonise conditions for the use of certain public sector data and further promote the voluntary sharing of data by increasing trust in neutral data intermediaries that will help match data demand and supply in the data spaces.[9] Sector-specific legislations on data access have also been adopted or proposed to address identified market failures, such as in the automotive,[10] payment service providers,[11] smart metering information,[12] electricity network data,[13] intelligent transport systems,[14] renewables,[15] and energy performance of buildings.[16]

Against this background, given that the DA is a horizontal legislative initiative fostering data sharing by unlocking machine-generated data and overcoming vendor lock-in, an issue of coherence with existing and forthcoming EU data-related legislations emerges.

The premise of such regulatory intervention is provided by the fact that an ever-increasing amount of data is generated by machines or processes based on emerging technologies, such as the Internet of Things (IoT), and is used as a key component for innovative services and products, in particular for developing artificial intelligence (AI) applications.[17] The ability to gather and access different data sources is crucial in order for IoT innovation to thrive. IoT environments are possible as long as all sorts of devices can be interconnected and can exchange data in real-time. Therefore, access to data and data sharing practices are pivotal factors for unlocking competition and incentivising innovation.

From this perspective, the proposal for a DA represents the last episode of a long thread of European Commission interventions. Since the 2015 Digital Single Market Communication, the Commission has indeed emphasised the central role played by big data, cloud services, and the IoT for the EU’s competitiveness, also pointing out that the lack of open and interoperable systems and services and of data portability between services represents a barrier for the development of new services.[18] The issue of (limited) access to machine-generated data has been raised in the 2017 Communication on the European Data Economy,[19] where the Commission envisaged some potential interventions which are now advanced by the DA, as well as in more recent Commission Communications on a common European data space and a European strategy for data.[20] In particular, the latter indicated the “issues related to usage rights for co-generated data (such as IoT data in industrial settings)” as a priority area for a legislative intervention.[21]

Moreover, the IoT economy has been the subject of a recent sector inquiry which offered a comprehensive insight into the current structure of IoT environments and the competitive dynamics that are shaping their development.[22] In particular, the Commission underlined the role of digital ecosystems within which a huge number of IoT interactions take place and identified the most widespread operating systems and general voice assistants as the key technological platforms that connect different hardware and software components of an IoT business environment, increase their complementarity as well as provide a single access point to diverse categories of users.[23] Against this backdrop, interoperability is deemed to play a crucial role in improving consumer choice and preventing lock-in into providers’ products.

To contribute to the current policy debate, this paper will provide a first assessment of the tabled DA and will suggest possible improvements for the ongoing legislative negotiations. The paper is structured as follows. Section 2 deals with the problems addressed and the objectives pursued by the legislative initiative. Section 3 analyses the scope of the new data access and sharing right for connected devices. Then, Section 4 investigates the provisions aimed at favouring business-to-government data sharing for the public interest. Section 5 deals with the rules which tackle the vendor lock-in problem in data processing services by facilitating switching between cloud and edge services. Section 6 analyses the requirements set forth regarding interoperability. Finally, Section 7 concludes by addressing the governance structure. Each section briefly summarises the DA proposal and then makes a first assessment with suggestions for improvements.

[1] European Commission, ‘Proposal for a Regulation of the European Parliament and of the Council on harmonised rules on fair access and use of data (Data Act)’ COM(2022) 68 final.

[2] Commission Staff Working Document, Impact Assessment Report accompanying the Proposal for a Regulation on harmonised rules on fair access to and use of data (Data Act) SWD(2022) 34 final, 1.

[3] Regulation (EU) 2022/868 on European data governance (Data Governance Act) [2022] OJ L 152/1.

[4] Regulation (EU) on contestable and fair markets in the digital sector (Digital Markets Act).

[5] European Commission, ‘A European strategy for data’ COM(2020) 66 final.

[6] Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, [2016] OJ L 119/1, Article 20.

[7] Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data in the European Union, [2018] OJ L 303/59.

[8] Directive (EU) 2019/1024 on open data and the re-use of public sector information, [2019] OJ L 172/56.

[9] Data Governance Act, supra note 3.

[10] Regulation (EU) 2018/858 on the approval and market surveillance of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles, amending Regulations (EC) No 715/2007 and (EC) No 595/2009 and repealing Directive 2007/46/EC, [2017] OJ L 151/1.

[11] Directive (EU) 2015/2366 on payment services in the internal market, [2015] OJ L 337/35, Article 67.

[12] Directive (EU) 2019/944 on common rules for the internal market for electricity and amending Directive 2012/27/EU, [2019] OJ L 158/125; and Directive 2009/73/EC concerning common rules for the internal market in natural gas and repealing Directive 2003/55/EC, [2009] OJ L 211/94.

[13] Regulation (EU) 2017/1485 establishing a guideline on electricity transmission system operation, [2017] OJ L 220/1; and Regulation (EU) 2015/703 establishing a network code on interoperability and data exchange rules, [2015] OJ L 113/13.

[14] Directive 2010/40/EU on the framework for the deployment of Intelligent Transport Systems in the field of road transport and for interfaces with other modes of transport Text with EEA relevance, [2010] OJ L 207/1.

[15] Proposal for a Directive amending Directive (EU) 2018/2001, Regulation (EU) 2018/1999 and Directive 98/70/EC as regards the promotion of energy from renewable sources, and repealing Council Directive (EU) 2015/652, COM(2021) 557 final.

[16] Proposal for a Directive on the energy performance of buildings (recast), COM(2021) 802 final.

[17] On the economic value of data, see Jan Krämer, Daniel Schnurr, and Sally Broughton Micova (2020), ‘The role of data for digital markets contestability’, CERRE Report https://cerre.eu/wp-content/uploads/2020/08/cerre-the_role_of_data_for_digital_markets_contestability_case_studies_and_data_access_remedies-september2020.pdf.

[18] European Commission, ‘A Digital Single Market Strategy for Europe’, COM(2015) 192 final, 14.

[19] European Commission, ‘Building a European Data Economy’, COM(2017) 9 final, 12-13.

[20] European Commission, ‘A European strategy for data’, supra note 5, 10; and European Commission, ‘Towards a common European data space’, COM(2018) 232 final, 10.

[21] European Commission, ‘A European strategy for data’, supra note 5, 13, and 26.

[22] European Commission, ‘Final Report – Sector inquiry into consumer Internet of Things’ COM(2022) 19 final.

[23] Commission Staff Working Document accompanying the ‘Final Report – Sector inquiry into consumer Internet of Things’ COM(2022) 10 final.

Data Security & Privacy

Privacy, Crypto, and EU Financial Surveillance

TOTM

European Union lawmakers appear close to finalizing a number of legislative proposals that aim to reform the EU’s financial-regulation framework in response to the rise of cryptocurrencies. Prominent within the package are new anti-money laundering and “countering the financing of terrorism” rules (AML/CFT), including an extension of the so-called “travel rule.” The travel rule, which currently applies to wire transfers managed by global banks, would be extended to require crypto-asset service providers to similarly collect and make available details about the originators and beneficiaries of crypto-asset transfers.

Data Security & Privacy

Gus Hurwitz on the ADPPA

Presentations & Interviews

ICLE Director of Law & Economics Programs Gus Hurwitz joined Steptoe & Johnson’s The Cyberlaw Podcast to discuss the American Data Privacy and Protection Act’s legislative prospects. The full episode is embedded below.

https://www.steptoe.com/podcasts/TheCyberlawPodcast-414.mp3

 

Data Security & Privacy

DMA Update: It’s Still a Privacy Danger

TOTM

The European Union’s Digital Markets Act (DMA) has been finalized in principle, although some legislative details are still being negotiated. Alas, our earlier worries about user privacy still have not been addressed adequately.

Data Security & Privacy

ADPPA Mimics GDPR’s Flaws, and Goes Further Still

TOTM

Just three weeks after a draft version of the legislation was unveiled by congressional negotiators, the American Data Privacy and Protection Act (ADPPA) is heading to its first legislative markup, set for tomorrow morning before the U.S. House Energy and Commerce Committee’s Consumer Protection and Commerce Subcommittee.

Data Security & Privacy

American Data Privacy and Protection Act

TL;DR

Background…

After years of fragmented privacy law across the 50 states, a recently introduced bipartisan and bicameral bill proposes to create a federal privacy regime. Sponsors of the American Data Privacy and Protection Act (ADPPA) say it will set a national baseline for privacy protections and user remedies, while allowing firms to continue to innovate.

But…

The bill’s breadth and onerous requirements could have unintended negative consequences for consumers. Worse, the measure would only partially preempt state law, arguably leaving the worst of both worlds.

Data Security & Privacy

The Overlooked Systemic Impact of the Right to Be Forgotten: Lessons from Adverse Selection, Moral Hazard, and Ban the Box

Scholarship

Abstract

The right to be forgotten, which began as a part of European law, has found increasing acceptance in state privacy statutes recently enacted in the U.S. Commentators have largely analyzed the right to be forgotten as a clash between the privacy interests of data subjects and the free speech rights of those holding the data. Framing the issues as a clash of individual rights largely ignores the important scholarly literatures exploring how giving data subjects the ability to render certain information unobservable can give rise to systemic effects that can harm society as a whole. This Essay fills this gap by exploring what the right to be forgotten can learn from the literatures exploring the implications of adverse selection, moral hazard, and the emerging policy intervention known as ban the box.

Data Security & Privacy