News
Data Act – one of the key regulation proposals for the EU data economy of the future
Data is certainly a valuable commodity for the digital economy and society. As part of the 2020 European Data Strategy, the European regulators are working to develop new rules in order to ensure greater and fairer data flows and unlock the potential and value of data across all economic sectors in line with European values. The Data Act is designed to respond to these needs.
Background
The volume of data generated by individuals and use of Internet of Things (IoT) connected devices, as well as the volume of data processed via cloud and edge services is constantly growing. By 2025, a data volume of 175 zettabytes is expected to be reached and by 2030, the EU data economy should cross the €1 trillion threshold. Nevertheless, most of data is underused at EU level due to several factors such as lack of clarity on who can use and access data generated by connected products, concentration of data in the hands of big players and inability of small and medium enterprises (SMEs) to negotiate fair data sharing contracts with stronger market players, difficulties in switching between cloud and edge services in the EU, as well as a limited ability to combine data deriving from different areas of economic activities.
Within this context, the European Commission published on 23 February 2022 its proposal for a regulation regarding harmonized rules on fair access to and use of data across the EU (the "Data Act").
What is the Data Act?
The Data Act is a horizontal regulation, being the second main legislative initiative following the Data Governance Act (which was adopted by the European Parliament on 6 April 2022 and shall apply from 24 September 2023), resulting from the February 2020 European Data Strategy.
The European Commission stated that the main objective of the Data Act is to “unlock the value of data generated by connected objects in Europe”, especially for individuals, SMEs and public sector bodies, and to " clarify who can create value from such data and under which conditions".
While the primary scope was to regulate measures intending to leverage the data resources generated by the IoT, the Data Act deals also with several other areas, such as facilitating easier switch between cloud, edge and other data processing service providers.
Very importantly, the Data Act deals with the "big data", meaning both personal and non-personal data.
Similarly to GDPR, the Data Act applies primarily to entities (e.g. manufacturers of connected products and services providers) which, irrespective of their seat, place their products or services on the EU market or make their data available to recipients within the EU.
Key Measures
In order to achieve its envisaged aim, the Data Act includes several key measures addressing mainly the following:
i. Right of users of connected products to access and use data generated by them and to share such data with third parties (the user being the person that owns or rents a connected product or benefits of a related service)
The Data Act acknowledges the user's right to access and use (directly or via third parties) data generated by IoT products and related services. The data holders (e.g. manufacturers of connected products) qualifying as SMEs are exempted from these obligations, presumably as a protection tool and also considering the limited resources these companies could allocate to meet the new compliance requirements under the Data Act. Apart from the user and its proxy holder (i.e. third party), no other person has the means under the Data Act to oblige the data holder to make the data available.
Manufacturers, in their capacity as data holders, are obliged to ensure access by design to data generated using connected devices or related services, respectively such products should be designed and manufactured to allow, by default, easy and secure access by users to data. Also, before concluding a contract (purchase, rent or lease of a connected product or a related service), users must be provided with clear information on what data will be accessible and how to access it.
Where data cannot be directly accessed by the user from the product or related service, the data holder must make available to the user the data generated by such product or related service without undue delay, free of charge and, where applicable, continuously and in real time.
Trade secrets will be disclosed only if confidentiality can be ensured. Moreover, data obtained by users cannot be used to develop products that compete with products from which the data originate.
Manufacturers (data holders) may use the non-personal data generated by a connected product or related service for their own interest only based on (i) a prior information of the user and (ii) a written contract concluded with the respective user.
Also, as noted, apart from using the data directly, users may oblige data holders to make the data generated by connected devices and related services available to third parties of the user’s choice. It is to be noted that companies designated as "gatekeepers" under the EU Digital Markets Act do not qualify as third parties, such exemption being provided in order to restrict gatekeepers from collecting even more data.
The Data Act additionally sets out the data access rules. Where a data holder is obliged to make data available to a data recipient, this must be done based on fair, reasonable and non-discriminatory contractual terms. Data holders can require “reasonable” compensation from the data recipient for making the data available. However, any compensation set for SMEs must not exceed the actual cost of making the data available. Member States are obliged to set up dispute settlement bodies (certified as per Data Act) designated to assist parties that disagree on the compensation or conditions to come to an agreement.
ii. Rebalancing negotiation power for SMEs by preventing unfair contractual terms in data sharing contracts
The Data Act additionally addresses unfairness of contractual terms in data sharing contracts between businesses, in situations where a contractual term is unilaterally imposed by one party on a SME. To this end, the Data Act provides for an unfairness test which includes details on meaning of "unfair" contractual term and a list of clauses that are either always unfair or presumed to be unfair. Subject to the "fairness test" are only contractual terms unilaterally imposed on SMEs, any "unfair" terms being deemed non-binding.
The European Commission will develop model (non-binding) contractual terms to help SMEs draft and negotiate fair data sharing contracts.
It is unclear in our view whether this Chapter of the Data Acts applies to all contracts concerning sharing of data between SMEs and non-SMEs or only to contracts falling under the mandatory supply of data under the preceding chapters (i.e. mandatory supply of data to the user of connected products and its proxy holders).
iii. Conditions under which public sector entities may access and use data held by the private sector
The Data Act sets out a harmonized framework for the use by public sector entities of data held by entities in private sector in situations where there is an exceptional need for the data requested (such as in response to a public emergency, e.g. pandemics or natural disasters), as well as where data is required for "fulfilling a specific task in the public interest that has been explicitly provided by law and cannot be obtained otherwise” (e.g. urban development).
Where the data requested is necessary to respond to a public emergency, access to the data will have to be granted without undue delay and free of charge. In other situations, the data holder is entitled to compensation that includes costs related to making the relevant data available plus a reasonable margin.
Again it seems unclear what is the scope of this data accessible by the public sector, any data or only that generated by the use of connected products.
iv. Framework to enable consumers effectively switching between providers of data processing services
The Data Act contains rules to facilitate users switching between data processing services. Such service providers are required to implement measures by removing any commercial, technical, contractual and/or organizational obstacles related to services in order "to ensure that customers of their service can switch to another data processing service, covering the same service type, which is provided by a different service provider“. The Data Act provides an exception for technical unfeasibility, but the burden of proof in this regard lies with the service provider. Users should be able to switch between providers of data processing services without incurring any costs. However, it is to be noted that switching charges can continue to apply for three years following the entry into force of the Data Act.
v. Rules for interoperability of data processing services and safeguards against unlawful international data transfers
Operators of data spaces and vendors of applications or other persons using smart contracts must comply with essential requirements to facilitate interoperability of data. The European Commission may adopt further implementing acts that specify the interoperability requirements and may also request European standardization organizations to draft harmonized standards.
Additionally, the Data Act includes rules addressing the unlawful third party access to non-personal data held in the EU. The providers of data processing services are required to take all reasonable technical, legal and organizational measures in order to prevent the international transfer of, or governmental access, to non-personal data held in the EU, where such transfer or access would create a conflict with EU or relevant Member State law.
The EDPB-EDPS joint opinion on the Data Act
On 5 May 2022, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a joint opinion addressing certain concerns on the Data Act, urging European co-legislators to act in this respect and recommending several improvements. EDPB and EDPS stress the necessity to consider additional safeguards in order to avoid lowering the level of protection of the personal data in relation to:
- the rights to access, use and share data under the Data Act, which is likely to extend to entities other than the data subjects, including businesses;
- the lawfulness, necessity and proportionality of the obligation to make data available to public sector entities on the ground of “exceptional need”;
They also consider that the oversight mechanism established by the Data Act may lead to fragmented and incoherent supervision.
So, what does this all mean? What is the expected direct impact?
In our view, the scope of work of the Data Act seems sometimes unclear since some Chapters concern the reuse of data generated by the IoT, while other chapters (e.g. safeguards for SMEs/fairness test, sharing of data with the public sector bodies) seems to apply in general words to all data.
In terms of legislative process, the number of regulations concerning the big data seems quite high, potentially slightly overlapping and the exact scope of each of these seems rather difficult to follow, especially for players that cannot dedicate sufficient resources to understand the impact or the benefits of the various regulations (e.g. the Free Flow of Non-Personal Data Regulation, the Database Directive, the Open Data Directive, the Data Governance Act, etc.)
Thirdly, in terms of business impact, while the scope of the mandatory sharing of data generated by the IoT is limited (sharing to the user and proxy holders of the user), and notwithstanding the fact that the sharing is intended to lead to increased competition (and while protecting the trade secrets), such sharing may in our view lead to an increase in anticompetitive / unfair practices among businesses.
Also, various businesses, especially the holders of data generated by the IoT will most likely experience lots of pressure and costs in implementing the various measures imposed by the Data Act, such as in relation to data access by design and business to business contractual framework for data access.
Article provided by INPLP member: Adelina Iftime Blagean and Nina Lazar (Wolf Theiss, Romania)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)
News Archiv
- Alle zeigen
- April 2024
- März 2024
- Februar 2024
- Jänner 2024
- Dezember 2023
- November 2023
- Oktober 2023
- September 2023
- August 2023
- Juli 2023
- Juni 2023
- Mai 2023
- April 2023
- März 2023
- Februar 2023
- Jänner 2023
- Dezember 2022
- November 2022
- Oktober 2022
- September 2022
- August 2022
- Juli 2022
- Mai 2022
- April 2022
- März 2022
- Februar 2022
- November 2021
- September 2021
- Juli 2021
- Mai 2021
- April 2021
- Dezember 2020
- November 2020
- Oktober 2020
- Juni 2020
- März 2020
- Dezember 2019
- Oktober 2019
- September 2019
- August 2019
- Juli 2019
- Juni 2019
- Mai 2019
- April 2019
- März 2019
- Februar 2019
- Jänner 2019
- Dezember 2018
- November 2018
- Oktober 2018
- September 2018
- August 2018
- Juli 2018
- Juni 2018
- Mai 2018
- April 2018
- März 2018
- Februar 2018
- Dezember 2017
- November 2017
- Oktober 2017
- September 2017
- August 2017
- Juli 2017
- Juni 2017
- Mai 2017
- April 2017
- März 2017
- Februar 2017
- November 2016
- Oktober 2016
- September 2016
- Juli 2016
- Juni 2016
- Mai 2016
- April 2016
- März 2016
- Februar 2016
- Jänner 2016
- Dezember 2015
- November 2015
- Oktober 2015
- September 2015
- August 2015
- Juli 2015
- Juni 2015
- Mai 2015
- April 2015
- März 2015
- Februar 2015
- Jänner 2015
- Dezember 2014
- November 2014
- Oktober 2014
- September 2014
- August 2014
- Juli 2014
- Juni 2014
- Mai 2014
- April 2014
- März 2014
- Februar 2014
- Jänner 2014
- Dezember 2013
- November 2013
- Oktober 2013
- September 2013
- August 2013
- Juli 2013
- Juni 2013
- Mai 2013
- April 2013
- März 2013
- Februar 2013
- Jänner 2013
- Dezember 2012
- November 2012
- Oktober 2012
- September 2012
- August 2012
- Juli 2012
- Juni 2012
- Mai 2012
- April 2012
- März 2012
- Februar 2012
- Jänner 2012
- Dezember 2011
- November 2011
- Oktober 2011
- September 2011
- Juli 2011
- Juni 2011
- Mai 2011
- April 2011
- März 2011
- Februar 2011
- Jänner 2011
- November 2010
- Oktober 2010
- September 2010
- Juli 2010