The Data Act: new EU rules for data sharing
Blanca Escribano Cañas
EY Law, Madrid
blanca.escribano.canas@es.ey.com
Sofía Fontanals
EY Law, Madrid
sofía.fontanals@es.ey.com
Background
The European Union’s strategy for data aims at creating a single market for data that will allow it to flow freely within the EU and across sectors for the benefit of businesses, researchers and public administrations. The free movement of data is defined as the ‘five freedoms’ of the European market.
In this context, on 23 February 2022 the European Commission published its proposal for a regulation on harmonised rules on fair access to and use of data (‘Data Act Proposal’).[1]
Following the Data Governance Act,[2] the upcoming Data Act is the second main proposal released recently as part of the European strategy for data[3] and complements the existing data framework: the General Data Protection Regulation (GDPR),[4] the Free Flow of Non-Personal Data Regulation[5] and the Open Data Directive.[6] There are other forthcoming regulations that will impact the current data rules, such as the Digital Markets Act[7] and the Digital Services Act.[8]
What is the purpose of the Data Act Proposal?
As with the Data Governance Act, it is important to keep in mind that the Data Act Proposal compiles a ‘patchwork’ of issues that the Commission considers are needed to complete the rules governing data. The rights and obligations laid down therein seem to be unconnected, but it should be kept in mind that the overall purpose of the regulation is to unlock the full potential of data in the EU, tackling those issues which remain unsolved.
In short, the Data Act Proposal covers the following main contexts: (i) mandatory access to data (generated by connected devices, held by those that are subject to data sharing obligations by law) by consumers, businesses and public authorities; (ii) data sharing when small and medium-sized enterprises (SMEs) are involved; and (iii) data processing services (switching, international transfer of non-personal data and interoperability). Thus, the initiative intends to increase data availability and facilitate data sharing among the different players (business to consumer (B2C), business to business (B2B), and business to government (B2G)) across all economic sectors, clarifying who can use and access what data and for which purposes, and establishing conditions for such access and use.
For these purposes, the Data Act Proposal is horizontal legislation which covers different aspects relating to data sharing, ranging from access to data generated by connected devices (eg, internet of things (IoT)), mandatory B2G sharing in exceptional circumstances and contractual imbalances in data sharing contracts, to cloud switching, international transfers of non-personal data or interoperability.
Moreover, it must be noted that the Data Act Proposal leaves the door open to further future legislation in light of the needs of a sector, a common European data space, or an area of public interest.
Who is subject to this act?
The new rules will apply to a wide variety of actors: manufacturers and providers of connected products and services placed on the market in the EU; users of such products and services (both individuals and legal persons); data holders making data available to data recipients in the EU; data recipients in the EU to whom data are made available; public sector bodies and EU institutions, agencies or bodies; and providers of data processing services offered in the EU. Micro, small and medium-sized companies are exempted from some obligations.
What data is under the scope?
The Data Act Proposal covers both personal and non-personal data.
However, considering the different aspects and contexts addressed in the norm and that the current text is not always straightforward, there is plenty of confusion about the scope of application and which data is covered in each case.
The First Presidency compromise text, presented by the Czech Presidency of the Council of the European Union in July 2022,[9] has provided some clarification by specifying the types of data covered by specific chapters of the proposal as follows:
- Data concerning the performance, use and environment of products and related services: rules on access to data generated by connected devices (Chapter II of the Data Act Proposal).
- Any private sector data subject to statutory data sharing obligations: rules for data holders legally obliged to make data available in business-to-business relations (Chapter III of the Data Act Proposal).
- Any private sector data accessed and used on the basis of contractual agreements between businesses: rules for preventing abuse of contractual imbalances in data sharing contracts (Chapter IV of the Data Act Proposal).
- Any private sector data with a focus on non-personal data: rules on mandatory B2G sharing in case of exceptional need (Chapter V of the Data Act Proposal).
- Any data processed by data processing services: rules on cloud switching (Chapter VI of the Data Act Proposal).
- Any non-personal data held in the EU by providers of data processing services: rules on international data transfers (Chapter VII of the Data Act Proposal).
What is the interplay with other EU data rules?
As anticipated above, an attempt is made to untangle and clarify the interrelationships of the Data Act Proposal with the main pieces of legislation in this field, the GDPR and the Data Governance Act.
Firstly, as regards the GDPR, while it deals with personal data only, the Data Act Proposal covers both personal and non-personal data, so both norms must be taken together where applicable (eg, in case of mixed data sets).
The Data Act Proposal complements and is without prejudice to the GDPR, supplementing the existing rights and obligations, which remain unaffected. For instance, it is expressly indicated in the draft text that, insofar as personal data are processed, data holders should be controllers under the GDPR and, thus, they will be subject to obligations therein. On the other hand, the transparency obligations imposed by the Data Act Proposal regarding data generated by connected devices do not affect the controllers’ information obligations under the GDPR. With regard to connected devices, the Data Act Proposal enhances the right to data portability, and users may be able to access and port both personal and non-personal data generated by those objects. Likewise, a number of safeguards for the international flow of non-personal data are set out, without impinging on the rules governing the transfer of personal data to third parties outside the EU.
As regards the Data Governance Act, it is also complemented by the Data Act. As stated by the European Commission, while the Data Governance Act creates processes and structures to promote data sharing by companies, individuals and the public sector (focusing on the reuse of public sector data, rules for data intermediaries or data altruism), the Data Act regulates access and use of data, clarifying who can create value from data and under which conditions.
On the basis of the foregoing, and although the Data Act is still at the proposal stage, it is important to understand the impact that the new rules will have on organisations, so an overview of its key points is outlined below.
Mandatory access to data
Access to data generated by connected devices
Under the Data Act Proposal, users (both natural and legal persons) are entitled to access and use the data generated by the use of products or related services,[10] such as IoT devices, and can also request data holders to make the data available to third parties.
Considering the huge volumes of data generated by connected devices (many of which are unused non-personal data), this intends to empower and give users more control over the data from those objects and related services, to enhance the right to data portability, as well as to facilitate the provision of aftermarket and other data-based services.
An obligation to provide certain pre-contractual information to users is imposed, in order to ensure transparency regarding the data to be generated and facilitate access for the user.
In those cases where data cannot be directly accessed by the user or the data must be made available to third parties, access must be granted without undue delay, free of charge to the user and, where applicable, continuously and in real time.
Providers of core platform services which are designated as gatekeepers[11] in accordance with the Digital Markets Act are not eligible third parties for these purposes. Therefore, they cannot request or be granted access to users’ data generated by the use of a product or related service.
It is worth noting that the Data Act Proposal also imposes a ‘data accessibility by design’ obligation under which devices and services must be designed and manufactured to make the data, by default, accessible to the user in an easy, secure and, where appropriate, direct manner.
In any event, several obligations and limitations regarding the use of the shared data are imposed in order to protect the data holder’s interests. For instance, users and third parties are banned from using the data received to develop products competing with that from which the data originate. Furthermore, trade secrets may only be disclosed if specific measures to preserve confidentiality are taken and, where the data is to be made available to third parties, if it is strictly necessary to fulfil the purpose agreed with the user.
Special considerations for telco operators
It must be noted that the definitions of ‘product’ and ‘related services’ are quite broad and vague (see note 9). Although certain guidance and examples are provided in the Recitals of the Data Act Proposal,[12] in many cases it is difficult to determine whether a specific product or service falls within the scope of the regulation and, thus, whether an organisation is subject to the above-mentioned obligations regarding access to data generated by connected devices.
This has been spotlighted by telecom operators. In their Joint Position on the Data Act Proposal,[13] the associations representing the telecommunications sector – the European Telecommunications Network Operators’ Association (ETNO) and the Global System for Mobile Communications Association (GSMA) – have stressed the need for more precise definitions to increase legal certainty.
In particular, they claim that the definitions of ‘product’ and ‘related services’ should be clarified and fine-tuned, covering services directly related to the product offering and the functionalities of the product itself and excluding electronic communications services.
It is stated that connectivity allows for smart devices to function and communicate with other devices and services and is the medium through which data is transmitted. However, electronic communications services are not typically related to a specific functionality or product as such, but they are only used in the management and operation of the underlying connectivity. Accordingly, electronic communications services and the data generated by them must be excluded from the definitions and, thus, from the scope of the data sharing obligations.
Obligations for data holders obliged by law to make data available
The Data Act Proposal includes general access and sharing rules for those cases where a data holder is legally obliged to make data available to a third party (data recipient), among which the following should be highlighted:
- The data must be made available under fair, reasonable and non-discriminatory conditions, and in a transparent manner.
- Unless requested by the user of a product or service, exclusive arrangements are not permitted.
- Compensation agreed between the data holder and the data recipient must be reasonable and, in the case of micro, small or medium-sized enterprises, it cannot exceed the direct costs incurred for making the data available.
- Any disputes which may arise may be resolved by dispute settlement bodies, certified by Member States, without prejudice to the parties’ right to seek redress before a national court or tribunal.
- Technical protection measures may be applied by data holders, although they cannot be used to hinder the user’s right to provide data to third parties or other third-party rights.
Data sharing
Fair and balanced B2B data sharing agreements
With the purpose of avoiding the abuse of contractual imbalances due to unequal negotiating power of the parties to data sharing contracts, the Data Act provides for the invalidity of unfair contractual terms on data access and use which are unilaterally imposed on micro, small and medium-sized enterprises. It also includes a list of clauses which will be considered and presumed to be unfair.
This will be complemented with non-binding model contractual terms which will be developed and recommended by the European Commission to facilitate the negotiation and conclusion of fair and balanced contracts.
B2G data sharing
The Data Act Proposal introduces the obligation to make private sector data available to public bodies and EU institutions, agencies or bodies, upon request, in situations of exceptional need (for instance, when required to respond to, prevent or assist the recovery from public emergencies).
Specific obligations are imposed on recipient bodies and private data holders (except for micro and small companies) for these purposes.
Certain safeguards are provided to protect private entities when sharing data, including the obligation to demonstrate the exceptional need for which the data are requested, to indicate the purpose of the request and the intended use of the data, to respect the data holder’s legitimate interests (eg, protection of trade secrets), or the proportionality, transparency and public availability of the requests. Requests for data may also be challenged.
In addition, the recipient must: (i) not use the data in a manner incompatible with the purpose for which the request was made; (ii) implement technical and organisational measures to protect data subjects’ rights and freedoms, if personal data must be processed; and (iii) destroy the data once they are no longer necessary and inform the data holder of the destruction.
Except in cases of data provided to respond to public emergencies, data holders may claim compensation for making data available, which may not exceed the technical and organisational costs of complying with the request plus a reasonable margin.
The national or EU bodies receiving the data may share them with third parties acting on a not-for-profit basis or in the context of a public-interest mission, for scientific research or analysis purposes, or for compiling official statistics.
Data processing services
New measures to facilitate cloud and other data services switching
A number of contractual, commercial and technical requirements are introduced in order to make it easier to switch between cloud, edge and other data processing service providers covering the same type of service.
Providers are, therefore, required to remove obstacles to switching, for instance: (i) through written contracts with a mandatory minimum content covering customers’ rights and providers’ obligations in relation to switching; (ii) by gradually removing charges for the switching process; (iii) by maintaining functional equivalence of services (ie, minimum level of functionality of a service after switching to another provider); or (iv) by ensuring compatibility with open interoperability technical specifications or European standards.
Safeguards for international transfers of non-personal data
The Data Act Proposal seeks to prevent the unlawful transfer of or access to non-personal data by third countries, complementing the framework on international data flows laid down in the GDPR and the Data Governance Act.
With growing concerns about industrial espionage, intellectual property (IP) theft and unlawful access to information by foreign authorities, the new rules focus on protecting commercially sensitive data as trade secrets and data subject to intellectual property rights or confidentiality obligations under European law. Therefore, certain measures are introduced to ensure that the level of protection provided by the European regulatory framework is observed when non-personal data is transferred outside the EU territory.
For these purposes, data processing services providers must adopt all reasonable technical, legal and organisational measures to avoid international transfers or governmental access to non-personal data held in the EU that could create a conflict with EU or national law (eg, commercially sensitive information, data which may affect security or defence interests).
Furthermore, court judgements and administrative decisions from third countries requiring the transfer of or access to non-personal data held in the EU will only be recognised or enforceable if based on an international agreement. Otherwise, in order for the transfer or access to take place, such decisions must meet certain strict conditions and only the minimum amount of data permissible may be provided.
In this respect, the Data Act Proposal has captured the statements of the Court of Justice of the European Union (CJEU) in the Schrems II case[14] with regard to personal data transfers, requiring a prior assessment of the legal and judicial system and practices of third countries to determine whether transfers comply with the requirements and guarantees of European legislation.
Other provisions
The Data Act Proposal includes several essential requirements in terms of interoperability for operators of data spaces, data processing services and smart contracts for data sharing.
On the other hand, the proposed text addresses the challenges posed by the sui generis protection of databases in the IoT environment, by excluding the application of the sui generis right under the Database Directive[15] to databases containing data obtained from or generated by the use of connected devices and related services.
Timing
The Data Act Proposal is being processed under the ordinary legislative procedure and must be approved by the European Parliament and the Council of the EU.
Once adopted, the Data Act will be directly applicable in all EU Member States and, according to the proposal, it will be applicable one year following the publication in the Official Journal of the European Union so that affected players are able to adapt to the new requirements.
Enforcement and sanctions
With regard to enforcement, Member States must appoint the national competent authorities for application and enforcement and establish the penalties framework for infringements of the Regulation. Thus, although the Data Act will be a Regulation, directly applicable, this room for transposition could lead to a lack of harmonisation in the field of sanctions, as penalties may differ from country to country. On the other hand, those considering that their rights under the Data Act have been violated may lodge complaints with the competent authorities.
Finally, but very importantly, the rules have extraterritorial effect and are likely to be adopted as global standards beyond the EU – as is the case with the GDPR and as will likely happen with the forthcoming AI Act, Digital Services Act and Digital Markets Act – therefore expanding the EU influence worldwide (the so-called ‘Brussels effect’).[16]
[1] Proposal for a Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act) COM(2022) 68 final, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52022PC0068.
[2] Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020PC0767). The European Parliament's position on the Data Governance Act was approved by the Council of the European Union on 16 May 2023. The Data Governance Act now awaits publication in the Official Journal of the European Union, and it will enter into force 20 days after publication.
[3] https://ec.europa.eu/info/strategy/priorities-2019-2024/europe-fit-digital-age/european-data-strategy_en.
[4] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:02016R0679-20160504&from=ES).
[5] Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018R1807&from=EN.
[6] Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32019L1024&from=EN.
[7] Proposal for a Regulation of the European Parliament and of the Council on contestable and fair markets in the digital sector (Digital Markets Act) COM/2020/842 final, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020PC0842&from=en.
[8] Proposal for a Regulation of the European Parliament and of the Council on a Single Market for Digital Services (Digital Services Act) and amending Directive 2000/31/EC COM/2020/825 final.
[9] Proposal for a Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act) – First Presidency compromise text (Chapters I, II, III and IV). Interinstitutional File: 2022/0047(COD). 12 July 2022.
[10] Under Article 2 of the Data Act Proposal, ‘product’ means ‘a tangible, movable item, including where incorporated in an immovable item, that obtains, generates or collects, data concerning its use or environment, and that is able to communicate data via a publicly available electronic communications service and whose primary function is not the storing and processing of data’; and ‘related service’ means ‘a digital service, including software, which is incorporated in or inter-connected with a product in such a way that its absence would prevent the product from performing one of its functions’.
[11] According to the European Commission’s proposed Digital Markets Act, ‘gatekeepers’ are providers of core platform services that: (a) have a significant impact on the internal market; (b) operate a core platform service which serves as an important gateway for business users to reach end users; and (c) enjoy an entrenched and durable position in its operations or it is foreseeable that it will enjoy such a position in the near future. It is worth noting that, under the Digital Markets Act, gatekeepers will be obliged to provide more effective portability of data generated by business and users’ activities.
[12] Recitals 14 to 17 Data Act Proposal.
[13] Joint ETNO and GSMA position on the EC proposal for a Data Act, 19 July 2022.
[14] Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (C-311/18), 16 Jul 2020.
[15] Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:01996L0009-20190606&from=EN.
[16] This concept was coined in 2012 by Anu Bradford, a Columbia Law School professor, who has authored the book The Brussels Effect: How the European Union Rules the World (New York, 2020; online edn, Oxford Academic, 19 Dec 2019).