The Unbearable Lightness of Data - how the European Data Act will regulate the elusive


The European Commission released its long-anticipated proposal for the European Data Act (full name: Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data, “Data Act”). Timelex had the honour of assisting the Commission in two separate studies, providing some of the analysis that preceded the adoption of the proposal. In this blogpost we explore the EU’s ambitious approach to regulating access to data and provide answers to the most relevant questions for companies and consumers.

Why does the EU want to regulate data? Which data will be affected?

The EU has long been debating the need to ensure that access to data is possible more frequently, and on fairer terms. The Data Act is the result of these discussions and it regulates digital information in a very broad sense, including information generated by connected devices and various data held by businesses. This may also include personal data, although it is not limited to it, or focused on it.

The aim of the Data Act is thus:

  • making data generated by the use of a product or related service available to the user of this product or service,
  • making data available by data holders to data recipients,
  • mandatory business-to-government data sharing, where there is an exceptional need,
  • addressing unfair contractual terms related to sharing of data,
  • making the switching between data processing services easier,
  • protecting EU non-personal data held by certain service providers.

The proposal intersects with a number of other EU laws (such as the GDPR, Free Flow of Non-Personal Data Regulation, Database Directive, Open Data Directive, Unfair Contract Terms Directive) and proposals (notably the Digital Markets Act and Data Governance Act). It will apply to essentially everyone located in the EU and doing business in the EU.

How will the Data Act benefit users of connected devices?

More and more products are being connected to the Internet, be it a car, a home appliance such as a coffee machine or a refrigerator, virtual assistants, medical devices or industrial machinery. These machines, including most IoT devices, generate a vast amount of data about their use. Moreover, different services, such as software apps, are required to run the products, which also create data. This data is often kept by the manufacturer or distributor of the product or the provider of the service (the Data Act uses the term: “data holder”). Currently the rules for obtaining this data from the owner of the product are not straightforward. In practice, this allows the holder to capture much of the economic value of the data by imposing any constraints that are beneficial to them.

The Data Act will give the users of the connected products and related services the right to access data generated by those products and services. This data can be needed for their repair, but also could be used for other purposes and services. For instance, a car owner could export the data from their vehicle to the insurer to secure a discount for being a cautious driver or a company could hire a consultant who analyses the data obtained from their IoT machines to optimize business operations.

Some important points to note:

  • the user’s right will be free of charge and will not be limited to consumers. A business entity which bought or leased a connected product (e.g. a coffee machine for its employees) will also be able to request the product data;
  • restrictions on what the user may do with the obtained data will apply. For example, the user cannot exploit this information to develop a competing product;
  • the connected products will need to be designed in such a way as to make the extraction of the data easy for the user, for example via an online account;
  • the user will have to be informed, among other things, about the data to be produced by a connected device and how they can access it, in a clear and comprehensive way.

There are also some important limits which apply:

  • the Data Act does not apply to data from products whose primary function is storing and processing of data. Thus data from a smartphone, smart TV or laptop will not be covered;
  • data access right does not apply to information derived or inferred from the machine data (e.g. interpretation of this data made by the manufacturer).

Will the manufacturers still be able to use the data from the devices they have produced?

Yes, but not without limitations. Manufacturers will need to enter into an agreement with the user regarding their use of the non-personal data which is generated by the product. Also, they will not be allowed to infer insights from this data about the economic situation of the user, his assets or production methods if that could undermine the commercial market position of the user. For example, this protects farmers that use smart agricultural equipment against manufacturers who would use insights into farm yields to speculate on agricultural commodity pricing, thus essentially using a farmer’s data against him.

What other entities may request the data about connected devices?

The data holder will need to make the connected device data available to any third party which acts upon a request by the user. This right could be useful for the providers of repair or other aftermarket services. In this way, the Commission hopes to facilitate competition and innovation.

Some practical points to note:

  • the data holder will have to make the data available to third parties under fair, reasonable and non-discriminatory terms and in a transparent manner. In particular, it cannot discriminate between comparable categories of recipients, for example by giving different quality of data to its linked enterprises than to non-partners. Exclusive contracts will be in principle forbidden;
  • the access to products’ data by a third party may or may not be free of charge. The Data Act allows the data holder to set reasonable compensation for any cost incurred in providing direct access to the data (i.e. costs necessary for data reproduction, dissemination via electronic means and storage but not of data collection or production);
  • having received access to data, the third party can only use the data for the purposes agreed with the user and must delete them after the completion of this purpose. They also cannot, for example, pass the data to another party, unless it is necessary for the service required by the user.

Micro and small enterprises will be exempt from these obligations as data holders. The Data Act also intervenes when it comes to undertakings providing core platform services that have been designated as gatekeepers by the Digital Markets Act. Those gatekeepers will not be able to benefit from the right of access. They are also forbidden to incentivize users to provide them with the data which the users themselves had obtained from other data holders. This can be read as an attempt to prevent draining of the data from the smaller players to the already data rich companies.

Does this mean that my company will need to disclose our data to its competitors?

This is possible but depends on your business activities and on the plans of your competitors. For example, this can happen if your customer wants to repair their connected device at a different repair workshop, and this would require that workshop to access your data.

The proposal tries to strike a careful balance between the interests of the data holders and data recipients, which potentially may be competitors. Disputes over data access terms may be resolved not only in court, but also by certified dispute settlement bodies set up by the Member States.

Wait, will the database rights not stand in the way of data access rights?

No. The Data Act will also amend the Database Directive. Thus, the sui generis right that protects the substantial investments in a database will not apply to databases containing data obtained from or generated by the use of a product or a related service.

Will the Data Act affect contractual terms regarding data sharing?

Yes, but not all data sharing contracts will be affected. The Data Act intervenes only when it comes to terms concerning access to and use of data that are unilaterally imposed by an enterprise on a micro, small or medium-sized enterprise (“SME”). The Data Act thus intervenes in the freedom of contracting in a B2B-context.

Those provisions aim to remedy a possible lack of balance in the “take it or leave it” service terms offered by the large providers of certain data related services (for example hosting providers). SMEs are often not in a position to negotiate them and may thus be forced to accept detrimental or unfair terms if they are purchasing those services.

Examples:

  • of unfair contractual terms: excluding or limiting liability of the party which unilaterally imposed the terms for intentional acts or gross negligence;
  • of terms that are presumed to be unfair: provisions allowing the imposing party to access and use data of the weaker contracting party in a manner that is significantly detrimental to the legitimate interests of this other contracting party or provisions enabling the stronger party to terminate the contract with unreasonably short notice.

The examples listed in the Data Act should serve as a yardstick to interpret the general unfairness provision. The Data Act stipulates that unfair terms will not be binding on the weaker party.

Will my company need to make its data available to the government?

This can happen, but only under very specific conditions. The Data Act allows government authorities and public bodies to request data directly from its holder, such as a company, if they demonstrate that there is an exceptional need to use such data. Unsurprisingly, the COVID pandemic is often invoked as an example where there is a clear public policy interest for public administrations to ask for data held by private entities. There are however a number of requirements that the authorities have to fulfill, so this ability should be seen as exceptional, rather than a rule.

These include:

  • Governments may request access only under special circumstances, e.g. in the case of public emergencies or in situations where lack of data prevents the authority from carrying out its tasks and the authority has been unable to obtain data by alternative means.
  • The request has to be substantiated and proportionate. There are also restrictions imposed on the authority regarding handling the received data, e.g. aimed to respect privacy of any disclosed personal data or confidentiality of trade secrets.
  • The data obtained by the government will not be available for reuse within the meaning of Open Data Directive. This provision ensures that obeying such a government demand does not result in the data becoming accessible to other parties.

The company which receives such a request must comply with it without delay. However, the Data Act provides for a process for challenging the authority’s demand. In principle, the data must be provided to the government free of charge (some exceptions apply).

Will the Data Act make switching between cloud providers easier?

Yes, under the Data Act providers of so-called “data processing services” will have to allow their customers to switch to another provider without impediment – building on the data portability right of the GDPR, which is limited however to personal data. This will apply to digital services which enable on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources. The most obvious example is cloud-based services.

The Data Act lists various requirements that the contract for data processing services will need to include. These provisions are aimed to enhance the position of the cloud customers and safeguard their choice to change the provider without risking losing their data or business continuity.

Additionally, the Data Act will encourage the use of voluntary standard contractual clauses for the providers of processing services, which are to be published by the Commission.

How does the Data Act protect non-personal data against being transferred outside of the EU?

The GDPR prohibits unlawful transfers of personal data outside the EEA. However, this does not resolve concerns about unlawful third party access to non-personal data held in the EU by data processing services. Thus, the proposal introduces provisions aimed to protect, for example, information relevant for national security or defence, commercially sensitive data, trade secrets and intellectual property rights, from being illegally obtained by non-EU countries (third countries). It’s worth noting that the scope of protection is broader in theory than under the GDPR: where the GDPR regulates transfers of personal data, the Data Act requires providers to protect data against the risk of access (even in the absence of any actual transfer).

Under those provisions, the providers of data processing services (such as cloud and edge services) will be required to take all reasonable technical, legal and organisational measures to prevent third country access that conflicts with competing obligations to protect such data under EU law, unless strict conditions are met. In principle, transfer of such information should be allowed only if there is an international treaty of the requesting country with the EU or a Member State. In the absence of international agreement, transfer or access should only be allowed if the provider has verified that the third country’s legal system provides certain safeguards, including: reasons and proportionality of the decision requiring access, remedies available to the addressee to question this decision and powers of the court that will hear the objection. The provider will also have to inform the data holder about receiving a request for their data.

Are there any requirements about interoperability in the Data Act?

Yes, the Data Act contains requirements for interoperability which will be relevant for the operators of data spaces, data processing service providers and vendors of applications using smart contracts. The Commission will also be able to request technical specifications or standards that facilitate effective cloud interoperability at the PaaS (platform-as-a-service) and SaaS (software-as-a-service) levels to be developed by European standardization bodies.

Will there be sanctions for non-compliance?

Yes, the infringements of the Data Act obligations will be sanctioned by GDPR-style financial penalties of up to EUR 20 000 000, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The proposal requires each Member State to designate one or more competent authorities which will oversee the enforcement. Natural and legal persons will be entitled to seek redress for the infringements of their rights under the Data Act by lodging complaints with those authorities.

When will the Data Act apply?

The Data Act has just been published and it will need to be passed by the European Union legislators. In the weeks to come, the co-legislators, the Council of the EU and the European Parliament, will assess the proposal and begin the discussions. Once adopted, the rules will apply from a year after entry into force of the Regulation.

Want to know more?

Do you have a specific question or would you like support in this matter? We are happy to help. Book a free 15-minute call with Magdalena at magdalena.kogut.lawyer.brussels (reserved for organisations).