Background and context
On 23 February 2022, the European Commission (the Commission) announced a new addition to its digital rulebook in the form of a proposal for a new Data Act and accompanying sector-specific regulations. The proposal has significant implications for both holders and users of data (whether personal data and or otherwise). Accordingly, the scope of the Act goes far beyond the boundaries of the EU General Data Protection Regulation (GDPR).
These proposed rules will set out who can use and access data generated by connected devices, primarily in relation to industrial data, across all economic sectors in the European Union. It forms part of the Commission's wider data strategy, which focuses on ideas and actions to enable digital transformation (and is also closely linked to the wider EU industrial strategy).
The Data Act is the second proposal, alongside the Data Governance Act, aimed at making the European Union a leader in the data-sharing space. As part of this, the European Union has new initiatives on an EU-federated cloud, an industry alliance for cloud architectures, and is seeking to create both a horizontal and vertical – that is, sector-specific data segments. Together, it is hoped that these proposals will "unlock the economic and societal potential of data and technologies" and create a single market for the free flow of data in the European Union.
This Data Act looks to harness the potential power that data has as a "non-rival good", which means that it can be used at the same time by many individuals and consumed over and over again without impacting the quality of the data or depleting the supply.
This makes data a hugely valuable resource that everyone can benefit from; according to the Commission, however, only 20% of the industrial data that exists in the European Union is currently used. The Data Act, therefore, hopes to remedy the underuse of data by providing new rules to make data available for reuse, and to address the legal, economic and technical barriers that currently exist and reduce data use.
The purpose of the Data Act is to:
- ensure fairness in the digital environment, through enabling consumers and companies to have more control over their data, clarifying who can access it and on what terms;
- stimulate a competitive data market, by "unlocking a wealth of industrial data";
- open opportunities for data-driven innovation; and
- make data more accessible to all.
The Commission hopes that the Data Act will also aid the development of new and innovative services, and produce more competitive prices for aftermarket services and repairs of connected objects.
The proposals for the Data Act include the following:
- There will be measures that allow users of connected devices to gain access to the data generated by them, free of charge, which at present is often exclusively harvested by manufacturers. It is hoped that this will both enable users to share the data with third parties and maintain incentives for manufacturers to invest in high-quality data generation. Users and consumers such as farmers, airlines and construction companies could use the data to make better and more informed decisions, including purchasing higher quality, more sustainable products and services. For example, farm machinery, including combine harvesters, contains valuable data that could assist others in competing for aftercare services, while data relating to crops and usage may also assist farmers and other ancillary suppliers to develop and adjust their products, services and level of supply and time to market.
- There will also be measures to encourage a more level playing field in terms of contract negotiation and licensing by removing or reducing the imbalance of negotiation power, which is a challenge often faced by small and medium enterprises (SMEs), and preventing the abuse of contractual imbalances in data-sharing contracts. In particular, SMEs will be protected from unfair contractual terms and the Commission plans to develop non-binding model contractual terms to help SMEs draft and negotiate fair data-sharing contracts. This will undoubtedly be of relevance to competition authorities in assessing any potential prejudice to competitive markets and any abuse of market power in the context of merger control or by those who either have dominance in a particular market or who are entering into arrangements that may result in anticompetitive behaviours.
- There are proposed measures to enable public sector access and use of data held by the private sector in relation to exceptional circumstances – in particular, in the case of a public emergency (floods or wildfires) or to implement a legal mandate.
- The proposed measures will allow customers to switch effectively between different cloud data-processing services providers, therefore enabling greater data mobility:
- This concept already exists in the EU GDPR and is otherwise known as "data portability", but it only applies to personal data (ie, one's personal information) and the right is exercisable only by the data subject to whom such personal data relates.
- The Act goes further in this regard, in that it requires that, when a user wishes to transfer data services to a competing provider, the holder of that data (or applicable platform) should ensure that data is shared in fair, reasonable and non-discriminatory conditions. In general, this adopts the approach taken in the Second Payment Services Directive where banks were obliged, with the consumer's consent, to transfer data to third-party providers through an open application programming interface (API).
- In addition, platform or application providers are required to ensure that outgoing customers maintain functional equivalence after switching to a new supplier.
- The proposals promote interoperability by empowering the Commission, with the support of standardisation organisations, to intervene with common specifications to promote the interoperability of data-processing services, to facilitate the pooling of data (eg, in data spaces, or data provision "for good") and promote easier switching across providers. This provision will apply also to smart contracts for data spaces (as set out in the Commission's strategy on standardisation).
The Data Act will also review certain aspects of the Database Directive, which was created in the 1990s to protect investments in the structured presentation of data. Notably, it clarifies that databases containing data from internet of things devices and objects should not be subject to separate legal protection: under article 35, the sui generis right provided for in article 7 of the Database Directive will not apply to databases containing data obtained from or generated by the use of a product or a related service. This will ensure such data (and the devices themselves) can be accessed and used for the benefit of the wider economy.
For breaches of the proposed EU Data Act, the supervisory data protection authorities in each member state may impose administrative fines for the following categories of infringements.
For breaches to Chapters II ("B2C and B2B Data sharing"), III ("Data holders to make data available") and V ("Making data available to public sector bodies") of the Act, the supervisory authorities referred to in the GDPR (article 51) may impose administrative fines in line with the GDPR (article 83) – that is, maximum fines up to the greater of 4% of global annual turnover or €20 million. Accordingly, the fines for these breaches are significant and appear to be on a par with the sanctions and level of enforcement available under the GDPR.
It will also be interesting to see how the level of fines and sanctions develops in relation to Chapter 4 ("Unfair terms in data sharing") and the extent to which member states may be free to set their own penalties in this regard.
The Commission is hoping that the Data Act will increase data-driven innovation across the European Union and that more data being available for reuse will create €270 billion of additional gross domestic product by 2028. It is also hoped that better access to real-time data will help the European Union achieve climate goals and shrink carbon emissions.
The Data Act awaits backing from the European Union's co-legislators; however, the proposals demonstrate the Commission's growing awareness of the competitive power of data and the need for data transparency. A recent European case, where a company was fined by the relevant competition agency for an anticompetitive use of data in the energy sector, is indicative of this new understanding and focus. One of the penalties handed down was a requirement for the company to make customer data available to all rivals. Not only does this demonstrate that there is a growing interest in data and its value, but also that data issues are not limited to the digital space.
The requirements and legal framework set out in the EU Data Act are no doubt beneficial for a fairer and competitive market and also to maximise the benefits of the wider data economy. However, despite good intentions, it remains to be seen how the EU authorities will be able to enforce its provisions. That said, it would be unwise to ignore its potential scope and ambit. For example, article 4(1) of the proposed Act provides that:
where data cannot be directly accessed by the user from the product, the data holder shall make available to the user the data generated by its use of a product or related service without undue delay, free of charge and, where applicable, continuously and in real-time.
Therefore, platforms that are covered by the proposed Data Act should consider building in features and functionality, including reviewing existing APIs and user-request processes to prepare for such data requests. It could be particularly costly to retrofit such functionality.
Notably, to seek to provide a fair balance, article 13 does allow a data holder to apply appropriate technical protection measures, including smart contracts, to prevent unauthorised access to the data and to ensure compliance with articles 5, 6, 9 and 10, as well as with the agreed contractual terms for making data available. This is only on the condition that these technical measures are not used to hinder the user's right to effectively provide data to third parties.
A key focus will also be to review the specific terms which are deemed to be unfair pursuant to article 13 when imposed on SMEs. These include terms (among others) that:
- are of such a nature that their use grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing;
- give the party that unilaterally imposed the term the exclusive right to determine whether the data supplied are in conformity with the contract or to interpret any term of the contract; or
- allow the party that unilaterally imposed the term to access and use data of the other contracting party in a manner that is significantly detrimental to the legitimate interests of the other contracting party.
The actual list of terms that are unfair is much wider than this, however, and it will be important to review any licensing or access terms against this blacklist to identify, remove and amend any terms that may otherwise put a data holder in breach of the Act.
Along with the Digital Markets Act and Digital Services Act, there continues to be a significant amount of flux in the regulatory landscape for data in the immediate and foreseeable future.
For further information on this topic please contact Philip James, Annabel Borg, Ros Kellaway or Martin Bechtold at Eversheds Sutherland by telephone (+44 20 7919 4500) or email ([email protected], [email protected], [email protected] or [email protected]). The Eversheds Sutherland website can be accessed at www.eversheds-sutherland.com.
Nils Mueller, Olaf van Haperen, Emmanuel Ronco and Marie McGinley, partners, assisted in the preparation of this article.