On 27 November 2023, the Council formally adopted the final version of the regulation on harmonised rules on fair access to and use of data (“Data Act”), after the European Parliament had adopted the Data Act earlier this month.
Drafted with the objective of fostering innovation and facilitating the sharing of data between service providers, the Data Act introduces rules on sharing, access to and re-use of data; data sharing agreements; public emergency access to data; cloud switching obligations; and data portability.
This new horizontal regulation has important implications for data regulation, intellectual property and contract law within the European Union.
Summary of key provisions
- Data sharing obligations – Under the Data Act, several types of data sharing obligations are introduced:
- Product data and related service data: Manufacturers of connected products and suppliers of related services placed on the market in the EU must ensure ‘access by design’ for the user, to “product data and related service data, including the relevant metadata necessary to interpret and use the data”. Such access should be easy, secure, free of charge, in a comprehensive, structured, commonly used and machine-readable format, and, where relevant and technically feasible, directly accessible. Product data means “data generated by the use of a connected product that the manufacturer designed to be retrievable, via an electronic communications service, physical connection or on-device access, by a user, data holder or a third party, including, where relevant, the manufacturer”. Related service data means “data representing the digitisation of user actions or of events related to the connected product, recorded intentionally by the user or generated as a by-product of the user’s action during the provision of a related service by the provider”. In addition, where the user cannot directly access those data, the data holder must make “readily available data” and the relevant metadata necessary to interpret and use those data accessible to the user.
Readily available data means “product data and related service data that a data holder lawfully obtains or can lawfully obtain from the connected product or related service, without disproportionate effort going beyond a simple operation”. To enable data portability, the data holder also needs to provide the same data to a third party – which cannot be a gatekeeper within the meaning of the Digital Markets Act (“DMA”) – upon the user’s or its representative’s request. These data must be made available in a comprehensive, structured, commonly used and machine-readable format; in an easy and secure manner, in the same quality; on a continuous basis and in real-time (where relevant and technically feasible); and free of charge to the user, and if requested by the user, to a third party. While the concept of a ‘user’ includes a data subject (within the meaning of GDPR) that owns, rents or leases a product or receives a related service, the notion also includes legal persons and thus also applies in B2B relations. The availability of these IoT data will likely lead to the creation of (new) secondary markets for many organisations. The obtained data cannot, however, be used to compete with the originating product (i.e. on the product’s primary market).
- Data sharing with public bodies: Data holders that are legal persons will be obliged to share the data they hold (and associated metadata) with public bodies, the European Commission, the European Central Bank and Union bodies, where there is an exceptional need to use the requested data, such as in case of public emergencies or the production of official statistics or the mitigation of or recovery from a public emergency. In the latter situation, the public body must have “exhausted all other means at its disposal to obtain such data, including purchase of non-personal data on the market by offering market rates, or by relying on existing obligations to make data available or the adoption of new legislative measures which could guarantee the timely availability of the data”. The Data Act lays down a specific procedure for these public emergency data requests which includes requiring the public body to specify what data are required; demonstrate the exceptional need for which the data are requested; explain the purpose of the request, the intended use of the data requested, and the duration of that use; state the legal basis for requesting the data; and specify the deadline by which the data are to be made available or within which the data holder may request the public body to modify or withdraw the request. The Data Act sets out further requirements regarding the purpose of data use, onward sharing of the data by public bodies, and the processing of personal data and disclosure of trade secrets. While the data in principle need to be provided free of charge, compensation would be possible in certain instances.
While the data holder receiving a request for access must provide the data without undue delay, the data holder may decline or seek the modification of the request in certain circumstances. Requests may also be directed to data holders established in other Member States, subject to approval of the competent authority of that Member State of establishment. The procedure does not apply when public bodies are acting in a law enforcement context.
- Data sharing agreements – The Data Act also restricts contract freedom in relation to data sharing agreements in B2B relations for cases where data sharing obligations apply. Provisions that, to the user’s detriment, derogate or deviate from its rights in relation to the data are not binding. Data sharing conditions between data holders and data recipients must be fair, reasonable, transparent and non-discriminatory (FRAND) and – unless otherwise requested by the user – non-exclusive. Even in B2B relations, only a reasonable compensation that considers certain criteria can be agreed between data holders and data recipients. In case of conflicts, users and data recipients have access to dispute settlement bodies. The Data Act also foresees a prohibition of certain ‘unfair’ data-related terms which have been unilaterally imposed. The mechanism provides for an open norm, alongside prohibited or presumably prohibited data-related clauses.
- Cloud switching obligations and contractual requirements – Providers of data processing services (including cloud and edge services) must ensure that their customers can switch to different data processing services of another service provider of the same service type, to an on-premises system or to use several providers at the same time. The Data Act prohibits any type of obstacle that inhibits customers, for example, from terminating the service agreement after the maximum notice period, or from porting the customer’s exportable data and digital assets to another provider or on-prem system. In addition, customers may not be prevented from maintaining ‘functional equivalence’ of the service in the IT-environment of the different provider(s). Furthermore, customer agreements for data processing services are subject to a set of minimum requirements, including the requirement that the rights of the customer and the obligations of the provider of a data processing service in relation to switching between providers of such services shall be clearly set out in a written contract, as well as requirements for transition and notice clauses. In addition, a gradual withdrawal of switching and data egress charges within three years after the entry into force is foreseen and, in some situations, technical measures to facilitate switching are made mandatory.
- Transfer restrictions for non-personal data – As under the Data Governance Act (DGA), the Data Act contains measures to ensure that non-personal data is not transferred to countries outside the European Economic Area (EEA) without sufficient protection of intellectual property rights, trade secrets, confidentiality, and other EU interests. A more detailed analysis of these rules is provided in this article. In addition, the Data Act imposes transparency obligations upon providers of data processing services with regard to the jurisdiction to which the IT infrastructure is deployed and the technical and organisational measures adopted to “prevent governmental access to non-personal data held in the EU where such transfer or access would create a conflict with EU or Member State law”.
- Interoperability and essential requirements – The Data Act sets out several interoperability requirements, including for data processing services and participants in data spaces. For participants in data spaces, it provides “essential requirements” for harmonised standards. For data processing services, the requirements are similar and also aim to achieve operability for the purposes of in-parallel use of data processing services. The new regulation also sets minimum requirements for smart contracts which must be complied with by vendors of applications using smart contracts or, in their absence, ‘deployers’ of certain smart contracts. In these cases, the Commission may (or must) request European standardisation organisations to draw up standards complying with these conditions, as well as adopt common specifications based on open interoperability specifications covering the essential requirements by means of an implementing act.
- Sanctions and enforcement – The Data Act refers to the data protection authorities and their tasks and powers under the GDPR insofar as personal data is concerned. In contrast, for non-personal data, it is still largely left to the Member States to determine which authority (or authorities) they want to assign for supervision and enforcement, the scope of powers awarded to these authorities and to lay down the applicable sanctions, subject to some minimum requirements set out in the Data Act. Entities falling within the scope of the Data Act will be subject to the competence of their Member State of establishment or, for entities established in multiple Member States, their main establishment (i.e. their head office or registered office). Unlike under the GDPR’s one-stop-shop, for entities that are not established in the EU, the designation of their legal representative will determine which Member State will have competence. Where a Member State designates more than one competent authority, it shall designate a “data coordinator” to facilitate cooperation between the competent authorities. At EU level, a special role is reserved for the European Data Innovation Board (EDIB), established under the DGA, with advisory and supporting competences similar to those of the European Data Protection Board (EDPB) under the GDPR. However, the EDIB will have no enforcement role. Natural and legal persons can lodge a complaint and seek judicial remedies for alleged infringements of their rights under the Data Act.
Main discussion points in final negotiations
The adopted Data Act contains a number of changes to the originally proposed Act. We have set out a summary of the key changes below:
- Scope – the type of data that is to be covered by the Data Act has been a controversial point throughout negotiations. In the adopted Data Act, the types of data falling within scope have been clarified. In particular, in relation to IoT data, the adopted Data Act focuses on the functionalities of the data collected by connected products instead of the products themselves. A number of definitions have been added with the aim of either aligning the text with existing legislation, such as the Data Governance Act and the Digital Markets Act, or clarifying key concepts.
- Interplay with existing legislation – In the adopted Data Act, a number of changes have been introduced throughout in order to address the relationship between the Data Act and other relevant legislation, such as the GDPR. These changes aim to clarify the interplay between these pieces of legislation when both personal and non-personal data are included in the request, including the role of different regulators within these areas.
- Trade secrets and intellectual property rights – One of the most negotiated areas of the Data Act has been the data sharing obligations and the balance between the protection of trade secrets and intellectual property rights and the objectives of the Data Act. In particular, there has been concern surrounding data access obligations and whether a data holder can prevent the disclosure of sensitive commercial information. Further safeguards in relation to third parties have been added and the text now states that under certain conditions, data holders have the right to reject data access requests with a view to protecting trade secrets.
- Sui generis right to databases – according to the Explanatory Memorandum of the Data Act, the evaluation of the Database Directive (No. 96/9/EC) pointed out that legal uncertainty remains around the application of the sui generis right to databases composed of machine-generated data. As the sui generis right of the Database Directive aims to protect the investments in the collection, and not “the creation of data as a by-product of another economic activity”, the Data Act states that sui generis database right protection does not apply to databases containing data from, or generated by, the use of devices connected to IoT. The Explanatory Memorandum of the Data Act states that Chapter X aims to contribute to legal certainty in cases where the protection of the sui generis right was previously unclear.
- Functional equivalence – one of the specific objectives of the Data Act is to facilitate switching between cloud and edge services. In particular, the proposed Data Act required that customers maintain functional equivalence (a minimum level of functionality) of the service after they have switched to another service provider. This requirement attracted criticism from commentators, who argued that the scope of the concept was too wide and caused legal uncertainty – for example, by potentially requiring the cloud provider of origin to take responsibility for the performance of a competitor’s service. The final approved version of the Data Act states that “functional equivalence should not be understood to oblige the source provider of data processing services to rebuild the service in question within the infrastructure of the destination provider of data processing services. Instead, the source provider of data processing services should take all reasonable measures within its power to facilitate the process of achieving functional equivalence through the provision of capabilities, adequate information, documentation, technical support and, where appropriate, the necessary tools”.
The Data Act will enter into force after its publication in the Official Journal, which is expected to take place soon. Most of the provisions within the Data Act will become applicable 20 months after its entry into force (likely by August 2025). Organisations should therefore start reviewing their data sharing agreements.
These rules complement the framework for re-using and sharing of data under the DGA which entered into force on 23 June 2022 and, following a 15-month grace period, has been applicable since September 2023.
For a broader picture on the legal initiatives of the EU Data Strategy, we refer to our previous blog posts – “EU Regulatory Data Protection: Many pieces to the regulatory framework puzzle” and “Who’s who under the DMA, DSA, DGA and Data Act?”.