On June 27, 2023, the European Parliament and the Council of the EU reached a political agreement on the Data Act (see our previous blog post here), after 18 months of negotiations since the tabling of the Commission’s proposal in February 2022 (see our previous blog post here). EU lawmakers bridged their differences on a number of topics, including governance matters, territorial scope, protection of trade secrets, and certain defined terms.
The Data Act is a key component of the European strategy for data. Its objective is to remove barriers to the use and re-use of non-personal data, particularly as it relates to data generated by connected products and related services, including virtual assistants. It also seeks to facilitate the ability of customers to switch between providers of data processing services.
We’ve outlined below some key aspects of the new legislation.
Scope
The Data Act covers both personal and non-personal data, and will apply to manufacturers of products and suppliers of related services placed on the market in the Union and the users of such products or services in the Union; data holders that make data available to recipients in the Union; data recipients in the Union; and providers of data processing services offering such services to customers in the Union, as well as EU institutions and public sector bodies accessing data under the Act.
Connected Products and Related Services
With respect to the provisions on connected products, the agreed text distinguishes between “product data” (meaning “data, generated by the use of a connected product, that the manufacturer designed to be retrievable, via an electronic communications service, a physical connection or on-device access, by a user, data holder or a third party, including, where relevant, the manufacturer”) and “related service data” (i.e., “data representing the digitisation of user actions or events related to the connected product, recorded intentionally by the user or as a by-product of the user’s action, which is generated during the provision of a related service by the provider”).
A. Design and Transparency Requirements
Access-by-default. Manufacturers of connected products and providers of related services must design and provide covered products and services in such a manner that “product data” and “related service data”, including the relevant “metadata necessary to interpret and use the data”, are, by default, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format, and, where relevant and technically feasible, directly accessible to the user. Where the data cannot be accessed directly, data holders must make accessible “readily available data” (i.e., product and related service data lawfully obtained by a data holder without disproportionate effort) and relevant metadata.
Transparency. Prior to concluding a contract with the user, specific pre-contractual information must be provided about the connected product’s data generation capabilities, and how the user may access, retrieve and delete those data, among other things.
B. Trade Secret Protection
As a rule, trade secrets must be protected and may only be disclosed if the data holder and the user “take all necessary measures prior to the disclosure” to preserve confidentiality.
Access may be refused only if the data holder, which is a “trade secret holder”, can demonstrate, and duly substantiate, that they are “highly likely to suffer serious economic damage” from the disclosure, on a case-by-case basis. In such cases, the data holder will have to notify the competent national authority, while users are given specific avenues to challenge the decision, such as a right to lodge a complaint with the competent national authority, or to agree with the data holder to refer the matter to a dispute settlement body.
C. Data-Sharing Obligations
Upon request by a user, data holders must make “readily available data” and relevant metadata available to a third party.
Data holders and recipients must agree transparent, fair, reasonable and non-discriminatory terms for sharing data with such data recipients. The data holder may receive a reasonable compensation, which may include a profit margin, for sharing the data.
D. Contractual Terms on Data Access and Use
The Data Act establishes that certain contractual terms relating to access and use of data, liability, exclusion of remedies, or termination, when unilaterally imposed by one party, shall not be binding on the other party, if the term is deemed “unfair”. The Data Act characterizes as “unfair” a term which is “of such a nature that its use grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing”, and lists a number of examples of terms per se or presumptively considered unfair.
Data Access by Public Bodies
The Data Act imposes an obligation on data holders to make data available to public-sector bodies (including the European Commission and the European Central Bank), on request and based on a demonstrated “exceptional need” to carry out their duties in the public interest. An “exceptional need” shall be deemed to exist only where (1) the data is necessary to respond to a “public emergency”; and (2) with respect to non-personal data only, where the data are necessary for the fulfilment of a specific public interest task explicitly provided by law, such as official statistics or the mitigation or recovery from a public emergency. In the latter case, the public body must demonstrate that it has exhausted all available avenues to obtain the data, including purchase of the data on the market; while data holders will be entitled to fair remuneration for providing such access, which may include a reasonable profit margin. Public-sector bodies may not require disclosure of trade secrets unless such disclosure is “strictly necessary”.
Obligations on Data Processing Services
The Data Act imposes distinct obligations on providers of “data processing services,” defined as services “enabling ubiquitous, and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature, provided to a customer, that can be rapidly provisioned and released with minimal management effort or service provider interaction.” Providers of such services must enable customers, including through contractual and information requirements, to switch to different providers of the same type of service, or to use several providers at the same time. This includes obligations to facilitate porting of data and to “take all reasonable measures” to facilitate the customer’s ability to “achieve […] functional equivalence in the use of the destination service.”
Data processing service providers are also required to take “all adequate technical, legal and organisational measures, including contractual arrangements” to prevent international and third-country governmental access and transfer of EU-stored non-personal data.
Interoperability
The Data Act establishes “essential requirements” to facilitate the interoperability of data spaces, as well as interoperability specifications and harmonized standards for data processing services, and requirements relating to the in-parallel use of data processing services.
Moreover, the Data Act lays out the conditions for developing common interoperability standards.
Enforcement
The Data Act will be enforced by national competent authorities, to be designated by each Member State. Data protection authorities will be responsible for monitoring application of the Act to the extent the protection of personal data is concerned. Penalties for infringements of the Data Act will be set out in national laws.
Next Steps
The agreed text must now be formally adopted by the European Parliament and Council, which is expected around September or October 2023. Once adopted, the Data Act will enter into force on the 20th day following its publication in the Official Journal of the EU. Its obligations will apply 20 months after its entry into force.
***
The Covington team is happy to assist with any inquiries relating to the Data Act.