EU action on data-sharing for smart devices raises concerns

Media Fellowship

The European Union says its legislation would give consumers and companies a say on what can be done with the data generated by their connected products.

EU flags waving in front of the European Commission

The European Union is moving closer to legislation that would allow companies and people to freely transfer data captured by internet-of-things devices across member states with the goal of lowering the digital divide among countries. 

But trade groups and legal experts are still seeking clarity on how the process would work and whether transferring data would hurt trade secrets or collide with the EU’s personal data privacy governed by the General Data Protection Regulation, known as GDPR.

The European Parliament and the European Council reached a tentative agreement late last month on the outlines of the new legislation, moving it one step closer to being finalized before the end of the year. The Council is part of the executive body and is made up of heads of state or heads of government of the 27 member states.

The outcome may bring insight for what happens in the United States, which is grappling with some of the same questions.

Unlike traditional products such as furniture in which consumers acquire all parts and accessories at sale, “it’s often not clear who can do what with the data” for smart products and internet-connected devices, the EU said in a fact sheet about the legislation. In some cases manufacturers stipulate that they have exclusive rights to the data. 

The legislation would “empower consumers and companies by giving them a say on what can be done with the data generated by their connected products,” allowing them to transfer the data to whoever they wish, the fact sheet said.

The legislation is a key part of the EU’s goal of becoming “a leader in the data-driven society,” the EU said in a statement. The legislation would include data gathered by internet-of-things devices such as home security cameras and thermostats as well as data gathered by cars, trucks, electric scooters and bicycles.

“The Data Act is a game-changer,” European Member of Parliament Pilar del Castillo Vera, who led the discussions on the legislation, said in a June 28 statement.  

By allowing users to transfer data from their devices, consumers, farmers, airlines, building owners and others could choose cheaper service providers rather than rely on manufacturers of equipment, the EU said.

In the United States, Congress has been concerned about the security of the internet of things and has passed legislation to improve cybersecurity standards for such devices. U.S. lawmakers have not, however, taken up the issue of data-sharing by makers and users of such devices. While 12 U.S. states have passed data privacy regulations, Congress has yet to pass federal legislation on data privacy for individuals.

For the data-sharing legislation to take effect in the EU, the provisional agreement would have to be endorsed by the Council and the European Parliament as well as adopted by both institutions following legal-linguistic revision. 

While some European companies welcomed it, others raised concerns about a thicket of rules the territory has either adopted or is in the process of finalizing. 

The European Association of Automotive Suppliers said it welcomed the new legislation and said it would free up data from the hands of big manufacturers. 

Cars and trucks collect huge quantities of data on both the users and the vehicles themselves but “automotive suppliers and other third-party service providers currently rely on the willingness and conditions of a limited group of market players to provide access to this data,” the association said in a June 28 statement. “Such a level of control on the market carries the risk of creating ‘gatekeepers,’ with a detrimental effect on fair competition, innovation, and consumer choice.”

Other industry groups are still seeking clarity on how companies are expected to separate personal data of individuals and data collected by devices while allowing users to share, said Marco Leto Barone, a senior policy manager at the Brussels office of ITI, a technology trade group that represents top tech companies including Amazon, IBM, Yahoo and Zoom among others. 

“The border between what is personal and what’s non-personal is blurred,” Barone said in an interview in the Brussels office of ITI. 

Companies typically process mixed data sets that include both personally identifiable information of individuals and other non-identifiable data. Allowing users to share this information with other companies and third-party suppliers could create some friction between EU’s data privacy rules under the GDPR and the new Data Act, Barone said. 

Barone said companies also are concerned that allowing users to freely transfer from devices they own could jeopardize the intellectual property and trade secrets of manufacturers that build the devices. 

“You have to have safeguards that can allow [companies] to protect their bread and butter, your intellectual property,” and avoid any damage, Barone said. 

This story was originally published by CQ Roll Call on July 11, 2023.