The European Commission has presented its draft Data Act, which will affect a broad range of companies and heavily emphasizes data accessibility and fairness. Companies should begin to evaluate their current practices and assess how they may be impacted by this new framework.
On February 23, 2022, the European Commission presented its draft Data Act which is a proposal for a Regulation on harmonized rules on fair access to and use of data. The Data Act is designed to apply to all sectors with respect to the rights to use data– particularly in the areas of smart machinery or consumer goods and notably also covers non-personal data. The Data Act is part of a wider strategy and is the EU’s latest legislative attempt to bolster its leadership by helping to create a single market for data. The European Union has previously pursued complementary legislation. For example, the proposed Regulation on data governance (the Data Governance Act) is aimed at facilitating “the voluntary sharing of data by individuals and businesses” while also harmonizing “conditions for the use of certain public sector data, without altering material rights on the data.” On November 30, 2021, the European Parliament and EU Member States reached a political agreement on this dossier, and the Data Governance Act now awaits final votes and publication in the Official Journal in the coming months.
Complementing the Data Governance Act, the Data Act is aimed at ensuring “fairness in the allocation of value from data among actors in the data economy and to foster access to and use of data.” Underlying the emphasis on fairness are two key issues: The European Commission believes, first, that business-to-business contractual agreements do not necessarily guarantee adequate access to data for small and medium-sized enterprises (“SMEs”) due to disparities in negotiation power and expertise; and second, that on the business-to-government front, there should be clarification on the conditions and situations in which the private sector should be obligated to make data available for use by the public sector.
Specifically, the draft Data Act has the following objectives: (1) to facilitate access to and the use of data by consumers and businesses, while preserving incentives to invest in ways of generating value through data; (2) to provide for public sector data use where there is an exceptional data need; (3) to facilitate switching between cloud and edge services (edge computing handles and stores data locally in an edge device); (4) to provide safeguards against unlawful data transfer without notice by cloud service providers; (5) to provide for the development of interoperability standards for data to be reused between sectors; and (6) to remain consistent with existing policy provisions. Thus, the draft Data Act does not alter pre-existing legislation like the European Union General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), but rather complements it.
Initial Takeaways from the draft Data Act:
- Right to data access (Chapter II). Products and services should, by default and design, make data that a user, individual, or organization is generating available to that user or individual.The user should then be able to use this data or share it free of charge. Furthermore, the data holder is obligated to make such data available to third parties upon the request of the user. Micro and small enterprises will be exempt from these obligations.
- Limitations on data use and disclosure (Chapter II). Notably, the data made available may not be used to develop products in competition with the data holder and users or third parties may not share such data with organizations designated as gatekeepers under the Digital Markets Act. Trade secrets are also afforded protection; they may only be disclosed to third parties subject to an agreement, only to the extent strictly necessary to fulfill the agreed upon purpose, and only when specific agreed upon measures are taken by the third party to preserve the confidentiality of the trade secret.
- Third parties receiving data at the request of the user (Chapter II). Data may only be processed for the purposes and under the conditions agreed upon with the user, and subject to the rights of the data subject insofar as personal data are concerned and shall delete the data when they are no longer necessary for the agreed purpose. Notably, third parties cannot “coerce, deceive or manipulate the user, by subverting or impairing the autonomy, decision-making or choices of the user, including by means of a digital interface with the user” or make the data available “to another third party, in raw, aggregated or derived form, unless this is necessary to provide the service requested by the user.”
- Fairness of contractual terms (Chapter IV). Contractual terms unilaterally imposed on a micro, small or medium-sized enterprise must be fair, reasonable, and non-discriminatory. Unfair contractual terms are defined as those that grossly deviate “from good commercial practice in data access and use, contrary to good faith and fair dealing.” Additionally, a list of clauses that are either always unfair or presumed to be unfair is provided. The data holder bears the burden of showing that terms are non-discriminatory.
- Public sector data access (Chapter V). Public bodies may have access to data in exceptional circumstances, like responding to emergencies and fulfilling legal obligations; however, the data sharing requests must be proportionate and must not be to the detriment of the data holder.In other cases of exceptional need (e.g. to prevent or assist the recovery from a public emergency) the data holder making should be entitled to compensation that include costs related to making the relevant data available plus a reasonable margin.
- Cloud switching and interoperability (Chapter VI). Contracts should contain clauses that support switching, interoperability requirements, and a transition period to prohibit data processing service providers from charging any fee for switching. Notably, the proposal does not mandate specific technical standards or interfaces, but it does require services to be compatible with European standards or open interoperability technical specifications where these exist.
- Data Transfers (Chapter VII). Providers of data processing services should take all reasonable legal, technical, and organizational measures to prevent governmental access or transfers of non-personal data that would conflict with European or national law.
- Enforcement (Chapter IX). To be left to authorities designed by the Member States with penalties also being defined at the national level. The Commission shall recommend voluntary model contractual terms on access to and use of data. Member States will lay down the rules on penalties applicable to infringements of the draft Data Act. The penalties shall be effective, proportionate, and dissuasive.
The proposal will very likely see extended and intense negotiations in the coming months. Once adopted, the Data Act will be effective on the twentieth day following its publication in the Official Journal of the European Union with, under current plans, only a 12-month implementation period from that date. Companies physically located in, or offering services and products in, the EU market will be affected in a variety of ways, that may even affect their core business models. Given this degree of importance, companies should monitor further developments and start to evaluate current data practices and possibly required changes to implement the new obligations, e.g. to be prepared to ensure that data that users generate may be made readily accessible to the user and to ensure that contractual terms are appropriately fair, reasonable, and non-discriminatory.