On February 23, 2022, the European Commission published the draft EU Regulation on harmonized rules on fair access to and use of data, also referred to as the “Data Act” (available here). The Data Act is just the latest EU legislative initiative, sitting alongside the draft Data Governance Act, Digital Services Act, and Digital Markets Act, motivated by the EU’s vision to create a single market for data and to facilitate greater access to data.
Among other things, the proposed Regulation:
- grants “users” of connected “products” and “related services” – meaning a digital service incorporated in or inter-connected with a product in such a way that its absence would prevent the product from performing one of its functions – offered in the EU rights to access and port to third parties the data generated through their use of these products and services (including both personal and non-personal data);
- requires manufacturers of these products and services to facilitate the exercise of these rights, including by designing them in such a way that any users – which may be natural and legal persons – can access the data they generate;
- requires parties with the right, obligation or ability to make available certain data (including through the Data Act itself) – so-called “data holders” – to make available to users the data that the users themselves generate, upon request and “without undue delay, free of charge, and where applicable, continuously and in real-time”;
- requires data holders to enter into a contract with other third-party “data recipients” on data sharing terms that are fair, reasonable and non-discriminatory; relatedly, any compensation agreed between the parties must be “reasonable” and the basis for calculating the compensation transparent, with special rules set out for micro, small or medium-sized data recipients to facilitate their access to the data at reduced cost;
- authorizes public sector bodies and Union institutions, agencies or bodies to request access to the data in “exceptional need” situations;
- requires certain digital service providers, such as cloud and edge service providers, to implement safeguards that protect non-personal data from being accessed outside the EU where this would create a conflict with EU or Member State law;
- requires such data processing service providers to make it easy for the customers of such services to switch or port their data to third-party services; and
- imposes interoperability requirements on operators of “data spaces”.
As a next step, the Council of the EU and the European Parliament will analyze the draft Regulation, propose amendments and strive to reach a compromise text that both institutions can agree upon. Below, we discuss the key provisions of the Data Act in more detail.
- Chapter II of the Regulation (a) grants users rights in relation to the data generated from their use of connected products and related services offered in the EU and (b) imposes further obligations on the use and disclosure of users’ data, including product design mandates – in particular, it:
- grants users the right to access and use the data, as well as the right to port the data to a third party, upon request. The draft Data Act aims to “complement” the data portability right arising under Article 20 EU General Data Protection Regulation (“GDPR”) and pertaining to regulated “personal data”. The Data Act thus applies to personal data and non-personal data. Chapter II also includes rules that restrict the third party’s ability to use the data, once received from a data holder. To avoid a potential clash with the EU’s sui generis database right, Article 35 provides that the right does not apply to databases obtained from or generated through the use of a connected product or related service.
- requires manufacturers to design and manufacture connected products in such a manner that users can, by default, easily and securely access the data they generate either:
- directly (e.g., through the product or service settings) or
- indirectly, by requesting access to the data.
- requires users to be informed, whether by a manufacturer, product or service supplier, in a “clear and comprehensible” manner about: (i) the data that their use of the product or related service will generate, (ii) how the data will be used, including whether it will be shared with third parties, (iii) the users’ rights to access and port the data, and (iv) the right to lodge a complaint with a competent authority.
- places restrictions on use of the data by data holders, for example, by prohibiting them from using non-personal data other than “on the basis of” a contractual agreement with the user and from using the data to derive insights about the economic situation, assets and production methods of the user in a manner that could undermine the user’s commercial position.
- Chapters III and IV of the Regulation require a data holder to enter into a data sharing agreement with a data recipient (i.e., a person other than the user). For example, as indicated above, if a user requests a data holder to share data with a third party (i.e., a data recipient), the data holder and the third party must enter into a data sharing agreement.
The terms of this agreement must respect the rules set out in the draft Data Act calling for terms that are fair, reasonable and non-discriminatory. For example, Chapter III prohibits terms that make data available on an exclusive basis or that discriminate between comparable types of data recipients. Chapter IV prohibits terms in contracts with micro, small or medium-sized enterprises that are unfair because they “grossly deviate from good commercial practice in data access and use, are contrary to good faith and fair dealing.”
Chapter III also requires Member States to establish dispute settlement bodies that are available to data holders and data recipients in case of disputes arising in connection with the data sharing agreement.
- Chapter V of the Regulation authorizes public sector bodies and Union institutions, agencies or bodies to request access to data from data holders if they demonstrate an “exceptional need” to use the data requested. This Chapter sets out a limited set of grounds that constitute “exceptional need”, which include where data is necessary to respond to or prevent a public emergency or where it is needed to fulfill a specific task in the public interest explicitly recognized in law. Data holders receiving such a request must make the data available without undue delay.
- Chapters VI and VII of the Regulation impose two types of obligations on providers of digital services that enable “on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources” (e.g., cloud, edge and related services):
- portability obligations. Chapter VI imposes obligations that aim to make it easy for the customers of such services to switch to alternative third-party service providers. This Chapter requires, among other things, the digital service provider and its customer to enter into a contract that sets out the rights of the customer and the obligations of the digital service provider in relation to switching to third party service providers. It also calls for the elimination of other commercial, technical and organizational obstacles.
- obligations to restrict access to non-personal data outside of the EU. Chapter VI also requires the digital service provider to implement safeguards that restrict international transfers or access by foreign authorities to non-personal data where such transfer or access would create “a conflict” with EU or Member State law.
This Chapter does not apply to online content services, which are subject to specific portability obligations under Regulation (EU) 2017/1128.
- Chapter VIII imposes interoperability requirements on operators of data spaces and data processing services. This Chapter imposes obligations on operators of data spaces, a term that is not defined, and data processing services to facilitate interoperability of data, data assets, data sharing mechanisms and services. There are also minimum requirements addressing the use of smart contracts for data sharing purposes.
The Data Act requires Member States to designate one or more enforcement authorities and to lay down penalties for violations of the Act, although the draft Regulation clarifies that the designation of an authority will not impinge on the powers granted under the GDPR to national data protection authorities in relation to personal data. Natural and legal persons will have the right to lodge a complaint with these competent authorities, and where more than one exists, Member States are to designate a coordinating competent authority. As regards penalties, Member States are required to set down penalties that are “effective, proportionate and dissuasive”, which would not displace the penalties provided for under the EU GDPR in cases where that statute might also be infringed.
* * *
The Data Act is intended to be a critical part of the EU’s strategy for data, which has given rise to a number of recent EU legislative initiatives, including the Data Governance Act (see our blog post here). We are monitoring these legislative initiatives closely. Stay tuned to our blog as we continue to report on any developments.