The European Commission released its long anticipated proposal of the European Data Act (full name: Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data, “Data Act”). Timelex had the honour of assisting the Commission in two separate studies, providing some of the analysis that preceded the adoption of the proposal. In this blogpost we explore the EU’s ambitious approach to regulate the access to data and provide answers to the most relevant questions for companies and consumers.
The EU has long been debating about the need to ensure that access to data is possible more frequently, and on fairer terms. The Data Act is the result of these discussions and it regulates digital information in a very broad sense, including information generated by connected devices and various data held by businesses. This may also include personal data, although it is not limited to it, or focused on it.
The aim of the Data Act is thus:
The proposal intersects with a number of other EU laws (such as the GDPR, Free Flow of Non-Personal Data Regulation, Database Directive, Open Data Directive, Unfair Contract Terms Directive) and proposals (notably the Digital Markets Act and Data Governance Act). It will apply to essentially everyone located in the EU and doing business in the EU.
More and more products are being connected to the Internet, be it a car, a home appliance such as a coffee machine or a refrigerator, virtual assistants, medical devices or industrial machinery. These machines – including most IoT devices - generate a vast amount of data about their use. Moreover, different services, such as software apps, are required to run the products, which also create data. This data is often kept by the manufacturer or distributor of the product or the provider of the service (the Data Act uses the term: “data holder”). Currently the rules of obtaining this data from the owner of the product are not straightforward. In practice, this allows the holder to capture much of the economic value of the data by imposing any constraints that are beneficial to them.
The Data Act will give the users of the connected products and related services the right to access data generated by those products and services. This data can be needed for their repair, but also could be used for other purposes and services. For instance, a car owner could export the data from their vehicle to the insurer to secure a discount for being a cautious driver or a company could hire a consultant which analyses the data obtained from their IoT machines to optimize business operations.
Some important points to note:
There are also some important limits which apply:
Yes, but not without limitations. Manufacturers will need to enter into an agreement with the user regarding their use of the non-personal data which is generated by the product. Also, they will not be allowed to infer insights from this data about the economic situation of the user, his assets or production methods if that could undermine the commercial market position of the user. For example, this protects farmers that use smart agricultural equipment against manufacturers who would use insights into farm yields to speculate on agricultural commodity pricing, thus essentially using a farmer’s data against him.
What other entities may request the data about connected devices?
The data holder will need to make the connected device data available to any third party which acts upon a request by the user. This right could be useful for the providers of repair or other aftermarkets services. In this way, the Commission hopes to facilitate competition and innovation.
Some practical points to note:
Micro and small enterprises will be exempt from these obligations as data holders. The Data Act also intervenes when it comes to undertakings providing core platform services that have been designated as gatekeepers by the Digital Markets Act. Those gatekeepers will not be able to benefit from the right of access. They are also forbidden to incentivize users to provide them with the data which the users themselves had obtained from other data holders. This can be read as an attempt to prevent draining of the data from the smaller players to the already data rich companies.
This is possible but depends on your business activities and on the plans of your competitors. For example, this can happen if your customer wants to repair their connected device at a different repair workshop, and this would require that workshop to access your data.
The proposal tries to strike careful balance between the interests of the data holders and data recipients, which potentially may be competitors. Disputes over data access terms may be resolved not only in court, but also by certified dispute settlement bodies set up by the Member States.
No. The Data Act will also amend the Database Directive. Thus, the sui generis right that protects the substantial investments in a database will not apply to databases containing data obtained from or generated by the use of a product or a related service.
Yes, but not all data sharing contracts will be affected. The Data Act intervenes only when it comes to terms concerning access to and use of data that are unilaterally imposed by an enterprise on a micro, small or medium-sized enterprise (“SME”). The Data Act thus intervenes in the freedom of contracting in a B2B-context.
Those provisions aim to remedy a possible lack of balance in the “take it or leave it” service terms offered by the large providers of certain data related services (for example hosting providers). SMEs are often not in a position to negotiate them and may thus be forced to accept detrimental or unfair terms if they are purchasing those services.
The examples listed in the Data Act should serve as a yardstick to interpret the general unfairness provision. Data Act stipulates that unfair terms will not be binding on the weaker party.
This can happen, but only under very specific conditions. The Data Act allows government authorities and public bodies to request data directly from its holder, such as a company, if they demonstrate that there is an exceptional need to use such data. Unsurprising, the COVID-pandemic is often invoked as an example where there is a clear public policy interest for public administrations to ask for data held by private entities. There are however a number of requirements that the authorities have to fulfill, so this ability should be seen as exceptional, rather than a rule.
The company which receives such a request must comply with it without delay. However, the Data Act provides for a process for challenging the authority’s demand. In principle, the data must be provided to government free of charge (some exceptions apply).
Yes, under the Data Act providers of so called “data processing services” will have to allow their customers to switch to another provider without impediment – building on the data portability right of the GDPR, which is limited however to personal data. This will apply to digital services which enable on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources. The most obvious example is cloud based services.
The Data Act lists various requirements that the contract for data processing services will need to include. These provisions are aimed to enhance the position of the cloud customers and safeguard their choice to change the provider without risking losing their data or business continuity.
Additionally, the Data Act will encourage the use of voluntary standard contractual clauses for the providers of processing services, which are to be published by Commission.
The GDPR prohibits unlawful transfers of personal data outside EEA. However, this does not resolve concerns about unlawful third party access to non-personal data held in the EU by data processing services. Thus, the proposal introduces provisions aimed to protect, for example, information relevant for national security or defence, commercially sensitive data, trade secrets and intellectual property rights, from being illegally obtained by non-EU countries (third countries). It’s worth noting that the scope of protection is broader in theory than under the GDPR: where the GDPR regulates transfers of personal data, the Data Act requires providers to protect data against the risk of access (even in the absence of any actual transfer).
Under those provisions, the providers of data processing services (such as cloud and edge services) will be required to take all reasonable technical, legal and organisational measures to prevent third country access that conflicts with competing obligations to protect such data under EU law, unless strict conditions are met. In principle, transfer of such information should be allowed only if there is an international treaty of the requesting country with the EU or a Member State. In the absence of international agreement, transfer or access should only be allowed if the provider has verified that the third country’s legal system provides certain safeguards, including: reasons and proportionality of the decision requiring access, remedies available to the addressee to question this decision and powers of the court that will hear the objection. The provider will also have to inform the data holder about receiving a request for their data.
Yes, the Data Act contains requirements for interoperability which will be relevant for the operators of data spaces, data processing service providers and vendors of applications using smart contracts. The Commission will also be able to request technical specifications or standards that facilitate effective cloud interoperability at the PaaS (platform-as-a-service) and SaaS (software-as-a-service) levels to be developed by European standardization bodies.
Yes, the infringements of the Data Act obligations will be sanctioned by GDPR-style financial penalties of up to EUR 20 000 000, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The proposal requires each Member States to designate one or more competent authorities which will oversee the enforcement. The natural and legal persons will to be entitled to seek redress for the infringements of their rights under the Data Act by lodging complaints with those authorities.
The Data Act has just been published and it will need to be passed by the European Union legislators. In the weeks to come, the co-legislators, the Council of the EU and the European Parliament will assess the proposal and begin the discussions. Once adopted, the rules will apply from a year after entry into force of the Regulation.
Draft of the regulation: here
Questions and answers: here
Do you have a specific question or would you like support in this matter? We are happy to help. Book a free 15-minute call with Magdalena at magdalena.kogut.lawyer.brussels (reserved for organisations).