The European Association of Co-operative Banks (EACB) supports the Data Act’s goal of facilitating the sharing of data, based on voluntary data sharing or on a contractual basis.
Business-to-Government data sharing for the public interest is an important topic, which may require legislative action. However, access and re-use will need to be linked to the specific public interests pursued by the relevant public-sector bodies, which will be different for different sectors and use cases. As such, sectorial legislation might be more appropriate to specify the necessary goals and conditions. Given the invasiveness of mandatory access, extensive impact analyses must be conducted to verify and justify the goals pursued and conditions identified for each individual use case where mandated access is being explored. As a rule, beyond existing legislative or regulatory areas, access and re-use should be pursued in a voluntary as opposed to mandatory fashion in order to generate a positive innovation dynamic between the private and public sector based on mutual benefit and trust. We are confident that the market will efficiently explore possibilities for access and re-use, and that regulatory intervention should be restrained so as not to stifle innovation.
Business-to-business data sharing would bring benefits such as scalability, better data for the development of new products and services adapted to customers’ needs, a better understanding of the underlying risks to improve risk management, process automation, prevention and assistance. We hesitate, however, to make a blanket translation of the FRAND principles into data access legislation, and the concept so far has been tried and tested mainly in the area of standardization.
Portability for business users of cloud services should be established as a right in EU legislation. The right to portability for users and the commitment to portability for cloud providers can only be applied if this right/obligation results from a binding regulatory text. The scope of this right should cover data and applications as a minimum and the main elements such as deadlines, technical formats and recovery of transformed data. A combination of high-level principles and more detailed contractual conditions would be needed to ensure a sufficiently detailed and actionable right for organizations. The specific technical conditions should not be detailed in legislation but be left to standards organisations. Supplementing legislation with standard clauses would avoid negotiation difficulties encountered with certain cloud service providers on these subjects.
Portability under Article 20 GDPR should not focus purely on user consent but on all legal bases already applicable both under the GDPR and the ePrivacy Directive, which are equally valid. User consent should not be stressed as the only tool to enable data sharing.