Legal briefing | |

EU draft Data Act - proposed rules for accessing and sharing data

"The cornerstone of a strong, innovative and sovereign European digital economy"

Thierry Breton, Commissioner for Internal Market

Overview

The European Commission published a draft Data Act on 23 February 2022 ("Data Act"), as part of the implementation of its February 2020 strategy for data.  This proposed regulation, which will have direct effect in members states, is intended to set standards at an EU-wide level to facilitate and create a fairer, more competitive digital environment for the sharing and re-use of data (both personal and non-personal). This briefing looks at who the Data Act impacts, what it does and how it fits into the EU's vision for a single European market for data.

 

Who will the Data Act impact?

The Data Act will impact various stakeholders:

  • manufacturers of connected products (i.e. IoT products) that generate data that are placed on the EU market and suppliers of "related services" (a digital service inter-connected with a product such that, without it, the product would not perform one of its functions)

  • users (consumers and businesses) of those products

  • data holders that make data available to data recipients in the EU

  • recipients of such data

  • public sector bodies in the EU

  • providers of cloud services to customers in the EU.

While all types of enterprises across all sectors are in scope, the proposal takes account of the size of an organisation and exempts or relaxes some obligations for SMEs. 

Regardless of where your business is established, it may still be impacted.  The Data Act has extra-territorial reach and any organisation doing business in the EU will need to consider the implications of these proposals – the location of your business, within or outside the EU, is not relevant.

Definition of "data"

The Data Act defines "data" as: “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording.” The EU's data strategy requires a shift in mindset: grappling with rules around the use and transfer of personal data has now become familiar, if sometimes challenging, territory, but these proposals, as they apply in respect of both personal and non-personal data, are likely to require impacted organisations to think about the data they hold more holistically. 

What does the Data Act do?

The key provisions of the proposal are:

Access to data and data sharing obligations for connected products

Every user (businesses and consumers), generating data on connected devices and related services, will be able to gain access to this data to use it for their own purposes or share it with third parties (or demand that that the data holder provides the data directly to third parties).  The data holders must make the data easily accessible free of charge, without undue delay and – where relevant – continuously and in real time. 

Tangible products and related services only

The definition of "product" catches tangible products only.  Online applications and mobile services (and the vast quantities of data that they generate) are therefore not in scope. Might this be a missed opportunity on the part of the European Commission?

There are transparency obligations imposed on data holders.  They must provide clear and comprehensive information on the data that will be generated, when using the product or service, including the nature and volume of the data, how this data will be used, means to request access to, and porting of, the data and the right to lodge a complaint with a competent authority. 

Similar to GDPR's "privacy by design" concept, manufacturers of connected products need to design those products so that they are easily accessible by default.

Whilst data-driven businesses will be familiar with the need to point to a legal basis for the processing of personal data, they'll need to apply similar considerations in respect of the non-personal data that they hold e.g. data holders can only use non-personal data on the basis of a contractual agreement with the user.  They cannot use the IoT data to derive insights that could undermine the commercial position of the user or third party acting on behalf of the user in the markets in which the user or third party is active.

Stimulating innovation and competition

The Data Act is likely to open up competition in aftermarket services and repair of connected products. 

There are provisos. While data porting may extend to competitors of data holders, data cannot be used to develop products in direct competition with the data holder. 

The proposal also contains provisions to address possible anti-competitive use of these access provisions. "Gatekeepers" as defined under the draft EU Digital Markets Act – the very largest online core platforms (e.g. social networks, online marketplaces and search engines) – are not eligible to receive data. 

Terms for data access and sharing

The Data Act establishes detailed rules to rectify the power imbalance between data holders and SMEs in relation to data access and sharing arrangements including by:

  • Introducing an "unfair contract terms" concept, requiring terms to be fair, reasonable and non-discriminatory. The European Commission will develop model terms for data sharing

  • Imposing a reverse burden of proof on data holders to prove that terms are non-discriminatory

  • Capping the compensation paid by SMEs for making data available at the actual cost of sharing the data

Data access for public bodies

Where public bodies need to access data on the basis of an exceptional need (including, for example emergency scenarios, such as natural disaster, health emergencies and terrorist attacks), data holders must provide this information without undue delay and without charge.

Switching between cloud service providers

The Data Act sets out provisions that aim to remove obstacles to switching and interoperability between providers of cloud data-processing services.  Cloud service providers must conclude contracts with customers that allow the customer to switch within 30 days, support customers in the switching process and ensure compatibility with open standards or interoperability interfaces.  Charges for switching services will be gradually phased out over a three year period from the effective date of the Data Act.  This is clearly good news for customers, but rather a sea change from what tends to be the current position, with exit services often being complex and expensive.

Data processing service providers must take all reasonable technical, legal and organisational steps and have safeguards to prevent the transfer of data outside the EU

Providers of data processing services will have to take all reasonable steps to prevent government access to, or transfer of, non-personal data that would be incompatible with European or national law. Access to the data by authorities or courts located in third countries would only be lawful under certain conditions that are similar to those established for personal data in the Schrems II decision.

A Schrems II for non-personal data?

This notion, in itself, is likely to send shudders down some spines, and is likely to be controversial. Where does it leave workarounds on which businesses conventionally rely to manage restrictions imposed by the GDPR, for example, the anonymisation of data? Organisations could find themselves in an "out of the frying pan, into the fire" situation, where anonymisation avoids the strict data transfer rules under the GDPR, but the transfer is nevertheless caught by the (arguably even stricter) rules of the Data Act.

Clarification that database rights do not apply to machine-generated data

The Data Act explicitly states that the Database Directive cannot be used to prevent data generated by a connected product or related service from being accessed, as this would otherwise cut across the access and portability rights laid out in the Data Act.

Enforcement

Enforcement is at the hands of the competent authorities designated by member states, and any infringements for not complying with the rules are to be "effective, proportionate and dissuasive" but are left at their discretion.  Fines could be set at a level commensurate with the significant fines of the GDPR.  There is therefore scope for uneven enforcement across the EU (and the uncertainty for businesses that this entails). 

The EU Data Act also paves the way for new dispute settlement bodies to settle disputes about data sharing and access.

The bigger picture

The Data Act is part of the Commission's strategy to make the EU a leader in a data-driven society and to create a single market for data that will ensure the EU's competitiveness globally.  In the words of the Commission's president Ursula von der Leyen:

The EU's proposal for a Data Governance Regulation in November 2020 sought to create the processes and structures to facilitate data sharing; the Data Act is the next step and clarifies who can create value from data and under which conditions.

By making more data available for reuse and innovation, the Commission expects to create €270 billion of additional GDP by 2028.

There is likely to be resistance from industry players, particularly in the tech and automotive sectors.  This is unsurprising given the broad territorial reach of the Data Act, the measures that seek to shift the power balance away from large (mainly non-EU) data incumbents to smaller, EU, organisations, the additional cost that data sharing obligations will bring, and the proposed expansion of restrictions on data flows to third countries.  A draft letter raising concerns was circulated amongst trade associations, when the proposal content was leaked in early February 2022, arguing that incentives around data access and sharing that build on existing best practice, instead of mandatory requirements, would be a better way forward. 

At a member state level, negotiations over the Data Act may echo recent negotiations over the Data Governance Regulation, split between those members states that are data sovereignty-minded (France, Spain, Italy) and those that favour a more liberal approach to the US-based data incumbents (Ireland and eastern Europe), with Germany's position remaining ambiguous owing to disagreement within the new government over which position to take.

What about the UK – will it follow suit?  Many UK businesses operating in the EU will be impacted, but it's less certain that the UK Government will see fit to legislate in this area, as this would appear to be incompatible with the objectives set out in its consultation on data protection reform, "Data: A new direction", e.g. to make data subject rights less burdensome for business.

How does the Data Act fit in with the GDPR?

The European Commission has asserted that the proposed Data Act is consistent with the GDPR i.e. it should be read in parallel with the GDPR.

It certainly borrows heavily from the GDPR concepts such as user control over data, data portability and conditions around international transfers.  The question whether non-personal data warrants the same level of protection as personal data in these areas will no doubt be the subject of much debate.

In certain respects, e.g. data portability and international data sharing by cloud services, it arguably goes further than the GDPR:

  • the right to data portability in the GDPR is not absolute, but instead applies only to personal data processed in certain circumstances. The Data Act extends the right to data portability contained within the GDPR for users of connected devices by allowing users to access any data that they generate, irrespective of whether it is personal or non-personal data.

  • On the face of it, the rules requiring cloud service providers to put safeguards in place to prevent access by non-EU governments also appear to be less nuanced than the requirements for the transfer of personal data outlined by the European Data Protection Board (EDPB) following the Schrems II decision. While the EDPB issued guidance for an impact assessment regarding the transfer of personal data, the Data Act makes no provision for either this type of assessment or for supplementary measures safeguarding data security to be put in place by the data exporter.

From the other perspective, it is unclear how the Data Act's aim to increase data-sharing and reuse can be reconciled with the data minimisation principle in the GDPR.

Next steps?

This is just a proposal for now and it is likely to change significantly. The next step for the draft Data Act is that it will be debated in the EU Parliament and Council, which are each expected to come up with their proposed amendments by late 2022/early 2023, with a view to adopting the Data Act by mid-2023. The implementation period proposed is 12 months from final approval.

GET IN TOUCH

Read Dan Reavill Profile
Dan Reavill
Read Navita Suglani Profile
Navita Suglani
  • Navita Suglani

  • Trainee
Back To Top