Data Act: Proposal for a Regulation on harmonised rules on fair access to and use of data

Data Act: Proposal for a Regulation on harmonised rules on fair access to and use of data

Key points

• SBS welcomes the Data Act proposal, as it addresses key concerns raised in the past and supports a more competitive data economy. SBS explicitly welcomes the SME-friendly angle of the proposal, exemplified in its promotion of the FRAND (fair, reasonable and non-discriminatory) conditions.

In order to avoid a one-size-fits-all approach, it is necessary to simultaneously deploy a horizontal and sector-specific perspective regarding data access requirements, while still respecting legal consistency.

Data portability, interoperability, and access according to their terms of use, together with effective technical instruments to support them, are crucial for data-sharing between different
market players and require standards that work for all companies.

Ensuring coherence across different pieces of legislation relevant to the digital transition, as well as providing support and points of contact to SMEs, is crucial to guarantee SMEs’ ability to comply, develop and innovate.

The European Commission should investigate how the Data Act may interact with a potential “Right to Repair” and “Right to Update”. Device owners should have the right to access any data necessary for the primary function of a device and be able to provide access to after-sales services. The European Commission must ensure that manufacturers do not restrict access and repairability of their devices.

In order to ensure a competitive after-sales market in Machine Learning Operations, data traceability needs to be guaranteed. Access to the training data, or alternatively, to a list of its sources, is highly recommendable.


New data-driven business models are an opportunity for Europe’s economy. Small and-sized companies from all sectors can benefit from these new business models and become leaders with innovative products and services.

However, some barriers to the uptake of these business models exist. For example, access to data is a key barrier to AI development & deployment. Similarly, uncertainties regarding how to demarcate the application of GDPR to machine-generated data in interaction with individuals seem to curtail SMEs’ willingness to take risks. Intellectual property concerns have also been named as a limitation to the use of data sets.

In 2020, SBS called for a solid and clear legal framework for the data economy, specifically for legal certainty of access to data and data ownership. SBS highlighted the following key issues:

Importance of the data economy for SMEs, as they should be able to profit from the opportunities provided by the data economy and its associated potential for creating innovative products and services

Importance of standardisation in the data economy context where the concentration of information restricts competition and increases entry barriers to the market. SMEs suffer more than bigger companies from these restrictions, due to the high cost incurred for buying data.

• Interoperability and open standards, where data should be interoperable and be used independently from the manufacturer, operating system, or other technical issues. In addition,
open standards should be adopted and used to avoid lock-in effects. This is also true for AI standards, as access to data and AI technologies are interlinked.

A position paper by SMEunited in 2020 focused on the importance of standards to ensure data access and interoperability. The paper recognised that access to data is a growing issue for all SMEs, and it is more problematic in some sectors (such as automotive, maintenance and repair, hospitality industry). While a right to access data was considered important, this needed practical technical implementation to be enforceable. A subsequent position paper in 2022 recognised the proposed Data Act as a much-needed step towards a fair and balanced legal framework for the data economy, where “stimulating the data market must come with enhancing the capacity of SMEs to participate in this data economy”.

Over the past years, evidence points to a need to increase SMEs’ weight in commercial relationships, notably with the rise of platform-dependent relations, where SMEs provide goods & services either in the supply chain or via gatekeepers in different industries. Nonetheless, the specific situation may differ from industry to industry, therefore requiring a mix of a minimum access right and conditions and a careful assessment of the situation in different sectors, where more stringent rules may be needed.

The Data Act – Supporting a competitive environment is essential for SMEs to innovate in data economy

SBS welcomes the SME-friendly angle of the Data Act. During the rest of the discussion on the proposal, policymakers need to ensure the conditions to have a well-functioning, competitive market is and a robust data economy. In this sense, SBS would like to make the following comments.

Business-to-Governments Data Sharing Obligations

There is a need to ensure that no additional obligations stemming from this legal act other than those already derived from existing legislation on data protection and data (e.g. for data-sharing) are put on SMEs.

Regarding the obligation to make data available to public sector bodies in “exceptional circumstances”, further information is required as to what would be considered as such. The possibility to purchase data at below-market rates could lead to market distortions and affect the profitability of investments into the collection and use of certain data that is more likely to be considered of “public interest”. Furthermore, more information is required as to: why a public body is not able to purchase at market rates, who decides the rate that the public body will pay, and whether companies have the right to refuse if granting data access or performing transfers would lead them incurring a loss.

Protection is needed so that companies’ investments in generating and processing data are not undermined via public sector requisition. This is the case in particular if they are engaged with other
private sector bodies to process and use said data, who may gain an unfair competitive advantage through accessing data at below market rates. Similarly, the concept of “public emergency”, which would give the public administration the exceptional prerogative to use data held by private companies, should be further specified in order to avoid legal uncertainty.

Fair Contract Terms

SBS welcomes the adoption of FRAND (fair, reasonable and non-discriminatory) conditions and contract terms. The question of what constitutes FRAND conditions is complex. The Data Act foresees the development of model contractual terms that will assist SMEs to negotiate fair and balanced data sharing contracts. Moreover, the proposal contains a list of terms deemed to be unfair which render the contract non-binding. As a result, the Data Act provides clear guidance and instructions to SMEs.

Sector-Specific Approach

The specific situation may differ from industry to industry, from sector to sector, therefore requiring a mix of minimum horizontal data access requirements and a careful assessment of the situation in different sectors, where more stringent rules may be needed.

Key Elements for the Digital Transition

In addition to regulatory measures, a successful transition to data-driven business models requires skills and investment at all levels of the organisation. SBS welcomes the perspective mentioned in the regulation preamble (paragraphs 31 – 33) on making data generated by the use of a product and related service available upon the request of the user. Third parties are obliged to only process the data for the purposes agreed with the user and only share data with a third party if this is necessary to provide the service requested by the user. This perspective may place additional constraints on SMEs. However, the benefits to European citizens will far outweigh the costs of these constraints. We believe that these provisions can have the same net positive effect as the GDPR.


Standards are a fundamental instrument for sharing data. On the one hand standards can promote interoperability and data portability, which encourages the Data Space operators and market players to easily share data. On the other hand, they can provide minimum requirements for smart contracts and interoperability as a technical tool to support data access and use in line with the proposed legislative provisions. However, while SMEs as market players and innovative providers of data sharing services are key actors to ensure a successful implementation of this policy initiative, they are often under-represented in standardisation. Standardisation processes need to include SME participation by providing financial support and any other necessary instrument.

Regulatory Coherence

SMEs in the data economy will have to deal with a host of digital legislation either already in place, or coming into effect, ranging from the General Data Protection Regulation (GDPR), Data Governance Act, Digital Markets Act, Digital Services Act, AI Act, and any other relevant act. In addition, cybersecurity and information security requirements need to be met, which inevitably connect to issues about how to deal with data. While many of these pieces of legislation are beneficial to SMEs, it may be difficult for smaller companies to maintain a complete overview of the rules that may potentially affect them. Therefore, the European Commission should ensure utmost consistency across the different pieces of legislation and provide support measures and points of contact for guidance to SMEs. These should be made available to SMEs by national authorities for free.

Data spaces are the way to ensure data will be made available. Currently, the development of those data spaces is not yet mature enough to be able to evaluate their effectiveness. For instance, a European Health Data Space proposal will be presented by the European Commission, with a focus on interoperability and standards. The European Commission should further investigate the interaction of the data spaces with the Data Act. The openness and suitability of the relevant infrastructure for SMEs should be one of the main subjects of this investigation.

“Right to repair” and “Right to update”

In the ICT sector, electronic devices often become obsolete due to a lack of updates. Specifically, providers of operating systems or essential hardware may not provide the necessary updates. This leads to a situation where a device is either no longer secure, or may not function anymore with a specific operating system, thus becoming obsolete. While the Data Act regulates access to data, it does not tackle the access to the actual device to carry out updates or repairs, or to load a third-party software on the device, where this is demanded by the consumer. The European Commission should investigate how the Data Act may interact with a potential “Right to Repair” and “Right to Update”. Ultimately, the device owner should have the right to access the data, to provide access to others, and to have freedom of choice as to the providers of after-sales services.

There is a risk that Original Equipment Manufacturers (OEMs) may impose complex security standards to ensure that access to a device is carried out in a safe manner. This can lead to a factual market-access barrier to SMEs. For many services and repairs, “read-only” remote access is sufficient to allow SMEs to offer after-sales services. However, other repairs require “write-mode” access, thus offering novel business opportunities. The European Commission has to ensure that the after-sales market remains open and competitive, and that relevant security provisions imposed via standards do not allow OEMs to limit access to SMEs. One way to ensure this is the introduction of simplified cybersecurity schemes that are tailored to SMEs, which can be easily implemented and would guarantee the same level of conformity in terms of security requirements.

Machine Learning Operations (MLOps) offer a case of special relevance. In order to enable SMEs’ access to the after-sales market – as well as to foster further innovation and the auditability of ML models – it is important to ensure data traceability. The ability to track the final product back to the training datasets is key to testing, fixing and improving ML models. Therefore, making the training data accessible – or, alternatively, listing the original data sources – should be a priority, provided that these requirements don’t place too high of an administrative burden on SMEs.


The Data Act is an important legislation that sets a clear framework for a competitive data economy in Europe. The SME-friendly angle is a step in the right direction towards supporting SMEs competitiveness in the Single Market. In particular, SBS welcomes exemption of SMEs from data sharing obligations towards public sector bodies, fair contracts terms, and key elements on digital transformation. The Data Act should though focus on sector specific approach to avoid a “one-size-fits-all”, investigate how the Data Act should support the “right to repair” principle, and to ensure utmost consistency across the different pieces of legislation and provide support measures and points of contact for guidance to SMEs. With regards to upcoming standardisation in support of the Data Act, SMEs are often under-represented in standard-setting committees. We recommend further funding of SMEs representation in all relevant technical committees in addition to further inclusion of SMEs representatives in all relevant technical committees’ oversight bodies, such as the European Data Innovation Board established by the Data Governance Act.



Views and opinions expressed are those of Small Business Standards (SBS) only and do not necessarily reflect those of the European Union or EFTA. Neither the European Union nor EFTA can be held responsible for them.