Data is one of the highest value goods in our modern economy. That is why companies generally want to protect their data and, especially, keep it secret from third parties. In order to unlock the significant value-creation potential offered by sharing data, on 23 February 2022 the EU Commission introduced a proposal for the so-called Data Act. The Data Act would contain rules on fair access to, and use of, data.
What is the background of the proposed Data Act?
The Data Act is one of a series of major data-related legislative projects presented by the EU Commission in its 2020 data strategy. It focuses on the question of who may create value from data and under what conditions. It aims primarily to facilitate data exchange and cooperation between companies in order to make the EU a leader in our international data-driven society.
The Data Act complements the Data Governance Act, which provides a framework for the re-use of data held by public sector bodies.
What does the proposed Data Act say?
The main objective of the proposed Data Act is to clarify who can create value from data and under what conditions. It contains six main topics of regulation:
- A right for data users to access and use data generated by their use of products and services
- The prohibition of unfair contract terms in standardized data licensing agreements
- A right for public sector bodies to access and use data in extraordinary circumstances
- Facilitation of the switch between data processing services
- The interoperability of data processing services
- Safeguards regarding international data access and transfer
Users’ right to access and use data
The Data Act intends to create a right for users to access data generated by their use of products and services. This should be integrated in products and services by default and by design. According to Art. 3 of the proposed Data Act, large enterprises will be obligated to design and manufacture their products and services in such a way “that data generated by their use are, by default, easily, securely and, where relevant and appropriate, directly accessible to the user.”
Art. 4 No. 1 of the Data Act adds that where data is not directly accessible from the product for the user, the data holder must make the respective data available to the user without undue delay, and, “where applicable, continuously and in real time”. If technically possible, this should be achievable through a simple request by electronic means. However, it is questionable how practically feasible this is, as providing data “continuously and in real time” could pose significant challenges for many companies.
Moreover, users should be able to use data generated by their use for any lawful purpose. Therefore, they may share such data with a third party that provides an aftermarket service, even if it competes with a service provided by the data holder, or request the data holder to make the data available to such third parties (Art. 5 Data Act; Recital 28 of the Data Act). Third parties may be entities such as enterprises, research organisations or NGOs (Recital 29 of the Data Act). However, large platforms should be prevented from expanding their gatekeeper function through this provision. Article 5 (2) Data Act therefore states that companies that provide core platform services, where one or more of those services have been designated as gatekeepers under the Digital Markets Act, should not qualify as third parties under the provision. Under the proposed Data Act they may therefore not:
- solicit or commercially incentivise users, including by paying money, to provide data previously requested from the data holder under Art. 4 (1) Data Act to one of their services;
- solicit or commercially incentivise users to request data from the data holder to be provided to one of their services pursuant to Art. 5 (1) Data Act; or
- receive data from users obtained through a request under Art. 4 (1) Data Act.
Data made available by the data holder may only be processed by the receiving third parties, “for the purposes and under the conditions, agreed upon with the user”. The data must be deleted when it is no longer required for the purposes (Art. 6 (1) Data Act).
Access to and use of data (Art. 3 and 4 Data Act), as well as the sharing of data (Art. 5 Data Act), should be free of charge for the user. The obligations under Art. 3 – 5 Data Act will not apply to micro and small enterprises (Art. 7 Data Act). According to Article 2 of the Annex to Recommendation 2003/361/EC, micro and small enterprises are companies with fewer than 50 employees, and a maximum annual turnover and/or annual balance sheet total of EUR 10 million.
Prohibition of unfair contract terms in standardised data licensing agreements
Another essential element of the proposed Data Act is the prohibition of “unfair” contractual terms in standardised licensing agreements concluded by large enterprises with micro, small and medium-sized enterprises. A large part of existing data is owned by several large companies. This allows them to usually set contract terms unilaterally. The purpose of these provisions is therefore to balance out existing power asymmetries between the contracting parties.
According to the definition in Art. 13 (2) Data Act, unfair contract terms are terms whose use greatly deviates from “good commercial practice” for data access and their use is, “contrary to good faith and fair dealing”. To specify this rather vague provision, Art. 13 (3) and (4) Data Act provide a list of contractual clauses that are either always unfair or presumed to be unfair. The data holder has the burden of proving that the terms are “fair”.
The provisions of Art. 13 Data Act only apply to standardised contractual clauses, so that the parties to a data licensing agreement are free to enter into individual agreements.
Right to access and use of data by public sector bodies
The proposed Data Act also provides for a right of public sector bodies to use and access data in exceptional circumstances (“exceptional needs”; Art. 14 Data Act). Exceptional circumstances may be, in particular, a public emergency, such as a natural disaster or a pandemic, or the fulfilment of legal obligations serving the public interest (Art. 15 Data Act).
This may allow public sector bodies to access individuals’ personal data under certain circumstances, which constitutes an interference with individuals’ right to privacy. Therefore, these provisions face strong concerns from EU data protection experts. In a joint opinion by the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) the circumstances justifying the access are criticised as not being sufficiently specified. The terms “exceptional need” and “public emergency” should, in their view, be defined more stringently (see Art. 2 (10) Data Act) as privacy limitations can only be legally justified, if their legal basis is “adequately accessible and foreseeable and formulated with sufficient precision to enable individuals to understand its scope.” Moreover, a precise definition of the scope and manner of exercise of the public sector bodies’ powers is also necessary to protect against arbitrary state interference.
Facilitation of the switch between data processing services
The proposed Data Act should also facilitate provider switching. This aims to promote competition. Currently, users often refrain from switching providers, as this is usually time-consuming and involves high costs. This ties the user to a certain extent to a provider once chosen, thus reducing competition.
Therefore, according to Art. 23 (1) of the Data Act, data holders shall eliminate obstacles of a commercial, technical, contractual and organizational nature that prevent the contracting party from:
- terminating the service agreement with a notice period of a maximum of 30 days,
- entering into a new contract with another provider providing for the same service type,
- transferring its data, applications, and other digital assets to another data processing provider,
- maintaining access to a certain minimum level of functionalities after a change of provider.
The obligation to enable a termination within 30 days could have serious consequences for many cloud providers. The provision would eliminate long-term customer relationships, which are essential for revenue recognition for many cloud providers.
Art. 24 Data Act will require that the service provider’s obligations be stipulated in a written contract.
In addition, Art. 25 will prohibit providers from charging a fee for switching as of three years after the date of entry into force of the Data Act. As a transitory provision until that date, only reduced costs that do not exceed the costs directly linked to the switching process may be charged.
Interoperability of data processing services
Another aspect to boost competition is interoperability. Therefore, the Data Act proposes to obligate data processing providers (like cloud services) to ensure interoperability between different services through open standards and open interfaces.
The draft regulation does not yet include specific technical norms or standards. According to Art. 28 (4) Data Act, the EU Commission may request European standardisation organisations to develop harmonised standards for interoperability. If no standards are developed, or if they are deemed insufficient, the EU Commission itself shall be able to define interoperability standards (Art. 28 (5) Data Act).
Safeguards regarding international data access and transfer
Ultimately, providers should take, “reasonable technical, legal and organisational measures, including contractual arrangements,” to prevent governmental access to or the international transfer of non-personal data if it would conflict with EU or national law (Art. 27 Data Act).
The proposed Data Act could create a completely new framework for data access and exchange. The Act will now pass through the European Parliament and the Council of the European Union. It is to be expected that some significant changes will be made to the draft during this process.
The underlying aim of reducing the gatekeeper function of some large companies with regard to data could increase competition on the respective markets and, in particular, benefit small and medium-sized enterprises. However, the provisions of the proposed Data Act, if enacted as described, also pose major economic, technical, and organisational challenges for providers of data processing services. We therefore recommend that (especially large) companies follow the development of the Data Act closely and familiarise themselves with the proposed new rules.
The proposed new set of rules will also pose significant legal challenges for companies, as data protection laws (such as the GDPR) will also have to be complied with when personal data is shared due to an obligation under the Data Act. This means that any personal data may only be made available under the Data Act if there is a corresponding legal basis to do so under Article 6 (1) GDPR.
Moreover, all rights and obligations under the Data Act exist in addition to the existing rights of access and portability under the GDPR. Navigating the legal regulations surrounding data, both now and in the future, will pose a significant challenge to companies, large and small. Having legal experts in data protection law at your side will make navigating a whole lot easier.