On June 27, 2023, the European Parliament and the Council of the EU reached a political agreement on the Data Act (see our previous blog post here), after 18 months of negotiations since the tabling of the Commission’s proposal in February 2022 (see our previous blog post here).  EU lawmakers bridged their differences on a number of topics, including governance matters, territorial scope, protection of trade secrets, and certain defined terms, among others.

The Data Act is a key component of the European strategy for data. Its objective is to remove barriers to the use and re-use of non-personal data, particularly as it relates to data generated by connected products and related services, including virtual assistants. It also seeks to facilitate the ability of customers to switch between providers of data processing services.

We’ve outlined below some key aspects of the new legislation.

Scope

The Data Act covers both personal and non-personal data, and will apply to manufacturers of products and suppliers of related services placed on the market in the Union and the users of such products or services in the Union; data holders that make data available to recipients in the Union; data recipients in the Union; and providers of data processing services offering such services to customers in the Union, as well as EU institutions and public sector bodies accessing data under the Act.

Connected Products and Related Services

With respect to the provisions on connected products, the agreed text distinguishes between “product data” (meaning “data, generated by the use of a connected product, that the manufacturer designed to be retrievable, via an electronic communications service, a physical connection or on-device access, by a user, data holder or a third party, including, where relevant, the manufacturer”) and “related service data” (i.e., “data representing the digitisation of user actions or events related to the connected product, recorded intentionally by the user or as a by-product of the user’s action, which is generated during the provision of a related service by the provider”).

A. Design and Transparency Requirements

Access-by-default.  Manufacturers of connected products and providers of related services must design and provide covered products and services in such a manner that “product data” and “related service data”, including the relevant “metadata necessary to interpret and use the data”, are, by default, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format, and, where relevant and technically feasible, directly accessible to the user. Where the data cannot be accessed directly, data holders must make accessible “readily available data” (i.e., product and related service data lawfully obtained by a data holder without disproportionate effort) and relevant metadata.

Transparency.  Before a contract is concluded with the user, specific pre-contractual information must be provided, including about the connected product’s data generation capabilities and how the user may access, retrieve and delete those data.

B. Trade Secret Protection

As a rule, trade secrets must be protected and may only be disclosed if the data holder and the user “take all necessary measures prior to the disclosure” to preserve confidentiality. 

Access may be refused only if the data holder, which is a “trade secret holder”, can demonstrate, and duly substantiate, on a case-by-case basis, that it is “highly likely to suffer serious economic damage” from the disclosure.  In such cases, the data holder will have to notify the competent national authority, while users are given specific avenues to challenge the decision, such as a right to lodge a complaint with the competent national authority, or to agree with the data holder to refer the matter to a dispute settlement body.

C. Data-Sharing Obligations

Upon request by a user, data holders must make “readily available data” and relevant metadata available to a third party. 

Data holders and recipients must agree transparent, fair, reasonable and non-discriminatory terms for sharing data with such data recipients.  The data holder may receive a reasonable compensation, which may include a profit margin, for sharing the data.

D. Contractual Terms on Data Access and Use

The Data Act establishes that certain contractual terms relating to access and use of data, liability, exclusion of remedies, or termination, when unilaterally imposed by one party, shall not be binding on the other party, if the term is deemed “unfair”. The Data Act characterizes as “unfair” a term which is “of such a nature that its use grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing”, and lists a number of examples of terms per se or presumptively considered unfair.

Data Access by Public Bodies

The Data Act imposes an obligation on data holders to make data available to public-sector bodies (including the European Commission and the European Central Bank), on request and based on a demonstrated “exceptional need” to carry out their duties in the public interest. An “exceptional need” shall be deemed to exist only where (1) the data is necessary to respond to a “public emergency”; and (2) with respect to non-personal data only, where the data are necessary for the fulfilment of a specific public interest task explicitly provided by law, such as official statistics or the mitigation or recovery from a public emergency. In the latter case, the public body must demonstrate that it has exhausted all available avenues to obtain the data, including purchase of the data on the market; while data holders will be entitled to fair remuneration for providing such access, which may include a reasonable profit margin. Public-sector bodies may not require disclosure of trade secrets unless such disclosure is “strictly necessary”.

Obligations on Data Processing Services

The Data Act imposes distinct obligations on providers of “data processing services,” defined as services “enabling ubiquitous, and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature, provided to a customer, that can be rapidly provisioned and released with minimal management effort or service provider interaction.” Providers of such services must enable customers, including through contractual and information requirements, to switch to different providers of the same type of service, or to use several providers at the same time. This includes obligations to facilitate porting of data and to “take all reasonable measures” to facilitate the customer’s ability to “achieve […] functional equivalence in the use of the destination service.”

Data processing service providers are also required to take “all adequate technical, legal and organisational measures, including contractual arrangements” to prevent international and third-country governmental access and transfer of EU-stored non-personal data.

Interoperability

The Data Act establishes “essential requirements” to facilitate the interoperability of data spaces, as well as interoperability specifications and harmonized standards for data processing services, and requirements relating to the in-parallel use of data processing services.  

Moreover, the Data Act lays out the conditions for developing common interoperability standards.

Enforcement

The Data Act will be enforced by national competent authorities, to be designated by each Member State. Data protection authorities will be responsible for monitoring application of the Act to the extent the protection of personal data is concerned.  Penalties for infringements of the Data Act will be set out in national laws.

Next Steps

The agreed text must now be formally adopted by the European Parliament and Council, which is expected around September or October 2023.  Once adopted, the Data Act will enter into force on the 20th day following its publication in the Official Journal of the EU.  Its obligations will apply 20 months after its entry into force.

***

The Covington team is happy to assist with any inquiries relating to the Data Act.

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Marty Hansen

Martin Hansen has over two decades of experience representing some of the world’s leading innovative companies in the internet, IT, e-commerce, and life sciences sectors on a broad range of regulatory, intellectual property, and competition issues. Martin has extensive experience in advising clients on matters arising under EU and U.S. law, UK law, the World Trade Organization agreements, and other trade agreements.

Shona O'Donovan

Shóna O’Donovan is an associate in the technology regulatory group in the London office. She advises clients, particularly in the technology industry, on a range of data protection, e-privacy and online content issues under EU, Irish and UK law.

Shóna advises multinational companies on complying with EU and UK data protection and e-privacy rules. She regularly defends clients in regulatory investigations and inquiries, and provides strategic advice on incident response. She advises clients on existing and emerging online content laws, including those affecting intermediary services and audiovisual media services. In this context, she regularly advises clients on the intersection between online content and privacy rules.

Shóna also counsels clients on policy developments and legislative proposals in the technology sector, and the impacts of these developments for their business.

In her current role, Shóna gained experience on secondment to the data protection team of a global technology company. In a previous role, she spent seven months on secondment to the European data protection team of a global social media company.

Shóna’s recent pro bono work includes providing data protection advice to the International Aids Vaccine Initiative and a UK charity helping people with dementia, and working with an organization specializing in providing advice to states involved in conflict on documenting human rights abuses.

Laura Somaini

Laura Somaini is an associate in the Data Privacy and Cybersecurity Practice Group.

Laura advises clients on EU data protection, e-privacy and technology law, including on Italian requirements. She regularly assists clients in relation to GDPR compliance, international data transfers, direct marketing rules as well as data protection contracts and policies.