EU Data Act
Introduction
On November 27, 2023, the European Union ("EU") adopted the final text of the Data Act, marking an effort to create a harmonized, cross-sectoral data sharing framework with the stated goal of ensuring fair access to and use of data. The regulation provides harmonized rules on data access, cloud provider switching, and interoperability requirements across the EU. The Data Act is expected to significantly impact companies doing business in the EU.
Background
Connected Products, often referred to as the "Internet of Things", are items: (i) that obtain, generate or collect data concerning their use or environment and that are able to communicate product data (e.g., via an Internet connection, telephone networks or near-field communications); and (ii) whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user. The proliferation of Internet-connected products has significantly amplified the quantity and potential value of data for consumers, enterprises, and the broader society.
Recognizing that impediments to data sharing hinder optimal data allocation for societal benefit, the European Commission proposed the Data Act on February 23, 2022. After subsequent negotiations, an agreement was reached in June 2023. The regulation was adopted by the Parliament on November 9, 2023, with approval of the final text by the Council on November 27, 2023. The requirement to structure connected products and associated services so that data from the product and service is accessible by default will come into effect 20 days after publication in the Official Journal and will apply 20 months after entry into force, as per Article 50.
Read the final text of the Data Act as approved by the Council and the European Commission's Press Release.
Objectives
Pursuant to the Commission's digital objectives for the year 2030, the Data Act is expected to help drive the EU's digital transformation and transform the EU into a leader in the digital and data space. The Data Act aims to boost the EU's data economy and create a Digital Single Market. It provides users of connected products or services with more rights and increases competition in digital markets, particularly by strengthening small- and medium-sized enterprises' (SMEs) competitive position. Moreover, the Act defines conditions for access to product and service data generated by connected products and related services.
Scope of Application
The Data Act has an extraterritorial scope. It applies to data holders, typically manufacturers of connected products and providers of related services, irrespective of their place of establishment. Thus, it is relevant beyond the EU borders and applies to manufacturers of connected products and providers of related services placed on the EU market.
Key Rights and Obligations
The Data Act includes provisions for data access by design and by default, data sharing with third parties, data sharing with EU or national public institutions, transparency, unfair contract terms, and interoperability. Encompassing both personal and non-personal data, the Data Act incorporates several pivotal components. These components are meticulously designed to cultivate an efficient, equitable, and innovative data economy:
Data Access: Data holders are required to provide access to specific data from the relevant products or services upon a user's request, whether business-to-business (B2B) or business-to-consumer (B2C). However, data holders may impose certain conditions before sharing data that are trade secrets. Exceptionally, they can also withhold or suspend user access or data sharing with third parties if trade secrets' confidentiality is at risk.
Third-Party Data Sharing: Data holders are obligated to make the relevant data accessible to third parties designated by the user under fair, reasonable, non-discriminatory terms and conditions, and in a transparent manner.
Data Sharing with Public Sector Bodies: In high public interest situations, such as natural disasters, private data holders are required to make data available to public EU institutions upon request. Personal data requests are only permissible in exceptional circumstances, such as responding to a public emergency when public sector entities cannot obtain such data through alternative means in a timely and effective manner.
Design Requirements and Transparency: Relevant products must be designed and manufactured, and relevant services must be provided, to allow users to access data by default. This access should be easy, secure, free of charge, and provided in a structured, commonly used, and machine-readable format.
Unfair Contractual Terms: To prevent the exploitation of imbalances in B2B relationships, unfair contractual terms regarding data access and use are prohibited. A contractual term is considered unfair if it deviates from good commercial practice in data access and use, contrary to good faith and fair dealing.
Unlawful International Governmental Access and Transfer: To avoid conflicts with EU law or national law due to international and third-country governmental access and transfer of non-personal data held in the EU, data processing service providers must implement adequate technical, organizational, and legal measures. This includes contractual agreements to protect the data.
Service Switching and Interoperability: Data and cloud interoperability rules require data processing service providers to take specific measures to enable end users to effectively switch between cloud and edge service providers, or to use multiple providers simultaneously. Furthermore, data processing service providers must facilitate interoperability between data processing services, including ensuring compatibility with open interoperability specifications and harmonized standards.
Restrictions for Gatekeepers: Gatekeepers are prohibited from benefiting from the new user right to share data with third parties. This means they cannot share data themselves nor receive such data, as making data available to designated gatekeepers is forbidden.
Relationship with GDPR
While the scope of the GDPR is limited to personal data, the Data Act applies to both personal data and non-personal data, indicating a more expansive scope of application. Unlike the GDPR, the Data Act applies to users and data recipients in the EU only.
However, as stipulated in Article 1(5) of the Data Act, it acknowledges that legislative frameworks such as the GDPR and the e-Privacy Directive (and other national and EU laws pertaining to the protection of personal data and privacy), may operate concurrently and may supersede the Data Act in the event of a conflict. This is explicitly stated in the final text of the Data Act, which clarifies that the user's data access and portability rights under the Data Act are intended to supplement, not replace, the individual's rights under the GDPR.
Furthermore, access to personal data can only be granted when an appropriate legal basis under Art. 6, and where applicable, Art. 9 of the GDPR, has been established by the data holder. The Data Act explicitly states that only when it includes a specific legal requirement to share personal data can the data holder rely on "compliance with a legal obligation" as a legal basis under the GDPR. For any other data sharing or processing activities, such as data collection or generation, an alternative legal basis would need to be relied upon.
This broader scope of the Data Act, as compared to the GDPR's limitation to personal data, is further emphasized in Article 1(5) of the Data Act. This article stipulates that the enactment of the Data Act does not infringe upon the GDPR or other national and EU laws pertaining to the protection of personal data and privacy. This includes the authority and proficiency of supervisory bodies and the rights of data subjects. Therefore, in instances where personal data is derived from connected products or associated services, the stipulations of both the Data Act and the GDPR must be adhered to.
Enforcement, Fines and Outlook
To ensure the effective application and enforcement of the Data Act, it is incumbent upon EU Member States to designate one or more competent supervisory authorities. In circumstances where more than one authority is designated, the appointment of a data coordinator as the primary national contact point is necessitated, as per Article 37(1), (2).
The Data Act will be enforced at the national EU Member State level, and does not impose any minimum or maximum amounts for administrative fines. Furthermore, the responsibility of defining penalties for contraventions of the Data Act would involve consideration of various factors, including the infringer's annual turnover in the EU during the preceding financial year. These penalties ought to be effective, proportionate, and serve as a deterrent. As stipulated in Article 40(4), infringements pertaining to the sharing provisions of personal data may be subject to the administrative fines delineated in the GDPR, i.e., up to the greater of €20m, or four percent of worldwide annual turnover.
Next Steps
Those who have obligations under the EU Data Act should begin by:
Understanding which products are in scope
Completing a data assessment on connected products
Completing a legal analysis of generated data to understand the inherent risks of the sharing of data fields such as intellectual property and trade secrets
Where applicable, ensuring the connected product is capable of generating data continuously and in real-time
Establishing documentation for the user on available procedures for switching and porting to the data processing service
Updating or creating legal contracts on data sharing provisions between the user and designated third parties
Conclusion
The Data Act is a significant step in the EU's efforts to regulate data access and usage. It aims to enhance data accessibility and utility, protect individual and business interests, and foster a more competitive and innovative digital market in the EU. It's important to note that while the Data Act can provide SMEs with new opportunities, it also comes with new obligations and potential challenges. SMEs will need to understand these implications and adjust their strategies and operations accordingly.