The new era for data regulation and what it means for the tech sector

Data is the engine of the tech sector and the fuel of digital transformation. For the last few years, data protection and privacy has been the focal point of data regulation globally, but that is changing. While data protection and privacy will continue to be a pillar of data regulation, 2023 will be the dawn of a new data regulatory framework that is much more positive and enabling.

The European strategy for data intends to make Europe a leader in the data economy. It is about encouraging and facilitating data governance and the access to, sharing and reusing of data. The EU is seeking to achieve this by adopting a new regulatory framework for data, which will have a significant impact on the tech sector; in particular via the Data Governance Act (DGA) and the Data Act (DA).

One of the four sets of measures introduced by the DGA is a notification and supervisory framework for the provision of data intermediation services, which are organisations that set up commercial arrangements for the purposes of data sharing between data holders and data subjects on the one hand, and data users on the other. They will function as trustworthy organisers of data pooling within the common European data spaces (covering sectors such as health, finance and energy). The DGA applies from 24 September 2023.

Data Act and other data-related legislation

The DA proposal applies to manufacturers of connected products (see the review's article on Internet of Things) and providers of related services that are placed on the EU market. It will apply to a wide range of products from connected machinery that is monitored or controlled with external software to smart consumer products. 

The DA governs rights and obligations regarding the personal or non-personal data generated by the use of those products and services, including an obligation to make that data accessible to the user. It will also include specific provisions on data processing services (most cloud services) that aim to remove obstacles to switching providers.

There are also data-related aspects to other pieces of new or proposed EU legislation, including the AI Act and the Digital Services Act, all of which are relevant to businesses in the tech sector. Competition law (particularly in Germany) and competition-related regulation, such as the Digital Markets Act, provide for specific access rights and sharing obligations for data owners that can have an appreciable impact on business, with considerable risks of fines and authority enforcement for non-compliance.

The UK: similar objective, different approach?

The UK is implementing its national data strategy, which has similar objectives to the EU's. One of the five main missions of the UK's strategy is to "unlock the value of data across the economy" by freeing up businesses and encouraging innovation with the aim of driving growth.

However, the UK is not currently planning to create an overarching regulatory framework. Instead, the UK focus appears to be on deregulation, in order to reduce compliance requirements for business and to provide the infrastructure required to facilitate increased data sharing.

In 2022, the UK government introduced the Data Protection and Digital Information Bill (DPDI), which seeks to reform existing UK data protection laws to remove some of the administrative burden on businesses and promote innovation.

It proposes to replace the concept of the independent data protection officer with a more flexible "senior responsible individual", to expand the use of cookies without consent and to introduce a number of "recognised legitimate interests" as a basis for processing personal data. The DPDI was put on hold in the second half of 2022 and is expected to be revived shortly.

Data-driven businesses may benefit from a less complicated, more flexible approach to data regulation. However, larger data-driven businesses operating across the UK and the EU will still need to comply with the existing EU data protection regime, as well as the emerging regulatory framework for non-personal data.

India's middle ground

Data protection and privacy will continue to be a pillar of data regulation globally. New data privacy laws continue to be developed across the world, with the "gold standard" still being set by the GDPR. However, one size will not fit all, and countries will look to implement privacy laws that fit their needs. For some jurisdictions, a full-on GDPR framework is not suited to them, and they will look to a middle-ground solution, similar to the regime in Singapore. 

For example, in 2022, India released a new draft Digital Personal Data Protection Bill that replaced the 2019 draft of the bill, which was withdrawn earlier in the year. The 2022 bill is shorter than its 2019 counterpart and moves away from the previous approach of importing GDPR concepts into Indian law. The 2022 bill also dilutes some of the controversial data localisation requirements in the 2019 draft and smooths the path for cross-border transfers of personal data to "trusted" jurisdictions. 

Crucially, the draft bill does not try and do everything, everywhere, all at once; non-personal data is excluded, as is data stored non-digitally and historical public domain data. It is hoped that because of its relative simplicity (compared with the 2019 draft), the 2022 bill will have a smooth passage through Parliament, potentially coming into force as early as spring 2023. 

Lessons are being learned from the GPDR but, as the global economy is in troubled waters and governments are looking to stimulate growth, we are starting to see a shift in emphasis that is very welcome, hopefully encouraging businesses to see data far more as an asset than a burden.