Background

The European Commission’s European Strategy for data aims at creating a single market for data. Common European data spaces will ensure that more data becomes available for use in the economy and society, while keeping the companies and individuals who generate the data in control. The European Strategy for data, among others, “incorporates” the upcoming AI Act, the European Cyber Resilience Act, the NIS2 Directive, the Digital Services Act and the Data Governance Act.

As part of the European Strategy for data, the Commission had also proposed measures for a fair and innovative data economy (“Data Act”). The text of the Data Act was politically agreed between the Council and the Parliament in June 2023, and the final text was formally approved by the European Parliament and the European Council on 27 November 2023.

The Act is expected to be published in the Official Journal of the EU in December 2023. It will enter into force on the 20th day after publication and will be applicable 20 months after its entry into force.

The Data Act is expected to have a significant impact on all businesses that need, use, collect or manage data.

The main provisions of the Data Act

  1. The Data Act aims to regulate the use of and access to data (and metadata) generated through connected devices and also imposes general requirements on cloud computing providers with a view to facilitating switching between providers. It is a cross-sectoral framework for data sharing across the Internet of Things (IoT) within the EU.
  2. Individual and business users of connected devices will be granted enhanced rights to third-party data that has been generated through their use of the connected device, which could potentially require manufacturers and service providers to redesign products so that such access is unhindered. Data holders may also have to rethink operations and data management.
  3. Product data and related service data shall be accessible to the user (companies or individuals)
    1. securely,
    2. free of charge,
    3. in a comprehensive, structured, commonly used and machine-readable format, and,
    4. where relevant and technically feasible,
      1. directly,
      2. continuously and
      3. in real-time
    5. where applicable, of the same quality as is available to the data holder.
  4. The Act also aims to ease switching between providers of data processing services by giving both individuals and businesses more control over their data through a reinforced portability right, allowing data to be copied or transferred easily across different services, where the data are generated through smart objects, machines, and devices.
  5. Prior to the conclusion of a contract the manufacturer or the provider is obligated to provide information to the user on the data related to the purchase or service.
  6. Users and data holders may contractually restrict or prohibit accessing, using, or further sharing data, if such processing could undermine security requirements of the connected product, as laid down by EU or national law, resulting in a serious adverse effect on the health, safety or security of natural persons.
  7. Certain sectors are to be targeted with sector-specific regulation (e.g., smart cars for in-vehicle data).
  8. If a Member State designates more than one competent authority, it shall appoint a data coordinator from among them to facilitate cooperation between the competent authorities and to assist the entities in all matters relating to the application and enforcement of the Data Act.

Refusal of a request

The data holder may refuse on a case-by-case basis a request for access if the data holder who is a trade secret holder is able to demonstrate that it is highly likely to suffer serious economic damage from the disclosure of trade secrets, despite the technical and organizational measures taken by the user.

Such demonstration shall be duly substantiated on the basis of objective elements, in particular the enforceability of trade secrets protection in third countries, the nature and level of confidentiality of the data requested, and the uniqueness and novelty of the connected product, and shall be provided in writing to the user without undue delay. Where the data holder refuses to share data, it shall notify the competent authority.

A user wishing to challenge a data holder’s decision to refuse, withhold or suspend data sharing may

  1. lodge a complaint with the competent authority, which shall, without undue delay, decide whether and under which conditions data sharing is to start or resume; or
  2. agree with the data holder to refer the matter to a dispute settlement body.

The relationship between the Data Act and the GDPR

  1. One of the major differences from the GDPR is that the Data Act covers both personal and non-personal data.
  2. Any processing of personal data should also comply with the GDPR, including the requirement of a valid legal basis for processing under Articles 6 and 9 of the GDPR and Article 5(3) of the ePrivacy Directive. The Data Act itself does not constitute a legal basis for the collection or generation of personal data by the data holder.
  3. Where the user is not the data subject, the Data Act does not create a legal basis for providing access to personal data or for making personal data available to a third party and should not be understood as conferring any new right on the data holder to use personal data generated by the use of a connected product or related service. The data holder can comply with requests in those cases, inter alia, by anonymizing personal data or, where the readily available data contains personal data of several data subjects, transmitting only personal data relating to the user.
  4. The technical measures to comply with the principles of data minimization and data protection by design and by default may involve pseudonymization and encryption as well as the use of technology that permits algorithms to be brought to the data and allows valuable insights to be derived while only processing the necessary data.

The Data Act will allow users of connected devices, ranging from smart household appliances to intelligent industrial machines, to gain access to data generated by their use which is often exclusively harvested by manufacturers and service providers. Therefore, under the Data Act, IoT device manufacturers and service providers may have to redesign their products to comply with the upcoming regulation.

The Data Act also improves the conditions under which businesses and consumers can use cloud and edge services in the EU. It becomes easier to move data and applications (from photo archives to entire business administrations) from one provider to another without incurring any costs, because of new contractual obligations that the new regulation presents for cloud providers, and a new standardization framework for data and cloud interoperability.

In addition, the Data Act introduces mandatory safeguards to protect data held on cloud infrastructures in the EU.

The new law contains measures to prevent abuse of contractual imbalances in data sharing contracts due to unfair contractual terms imposed by a party with a significantly stronger bargaining position. Moreover, the text of the regulation provides additional guidance regarding the reasonable compensation of businesses for making the data available.

These new obligations of the data holders prescribed by the Data Act require strategic considerations that need to be addressed by companies operating in Hungary in a time-sensitive manner, especially given the transition period of less than two years. Preparation for the new era of the Data Act, which facilitates the commercialization of industrial data, should commence.