A central plank in the EU’s digital scaffolding is the proposal for a Data Act, which sets out new rules regarding who can use and access data in the EU across all economic sectors. The proposed Data Act (2022/0047(COD)), which includes an update to the Database Directive, was presented by the European Commission on 23 February 2022. It takes the form of a horizontal Regulation and is meant to complement the incoming Data Governance Act.

The Data Act, which covers both personal and non-personal data and co-generated (Internet of Things) data, aims “to ensure fairness in the allocation of data value among actors in the data economy and to foster access to and use of data”. It will also provide for the use by public sector bodies and Union institutions, agencies or bodies of data held by enterprises in certain situations where there is an exceptional data need, such as public emergencies. In addition, it includes measures regarding data availability and contractual terms, public usage of data, cloud switching and interoperability, international access to data and the review of the Database Directive.

Overall, the proposal regulates business-to-business (B2B), business-to-consumer (B2C) and business-to-government (B2G) data sharing. The text will be applicable to manufacturers of connected products and providers of related services, enterprises (data holders), data recipients and public sector bodies, as well as providers of data processing services offered to customers in the EU.

Key Obligations

Designers and manufacturers shall provide products in which data is accessible by default. Data holders must make available to the user the data generated by the use of a product. The user, in turn, may authorise data holders to give access to data to third parties. These obligations would not apply to data generated by products manufactured by micro and small enterprises.

Data availability and contractual terms:

The proposed Regulation states that the conditions under which data holders make data available shall be fair, reasonable, non-discriminatory and transparent. Moreover, any compensation “between a data holder and the data recipient for making data available shall be reasonable and non-discriminatory” (FRAND). There are also provisions defining when contractual terms are considered unfair to ensure a “fair allocation of value in the data economy”.

Public usage of data:

The Data Act lays down a harmonised framework to regulate the obligation to make data available for free under specific circumstances, such as public emergencies. In case of exceptional need, “a data holder shall make data available to a public sector body or to a Union institution, agency or body demonstrating an exceptional need to use the data requested”. Small and micro enterprises are expected to be exempt from this obligation.

Switching between data processing services:

Data processing service providers are obliged to remove obstacles of any kind (commercial, technical, contractual, and organisational nature) to enable switching between services (Cloud, edge or other processing services). Customers must maintain functional equivalence of the services.

International access to data:

With the aim of preventing transfers or governmental access to data held in the Union, where such cases would create a conflict with the legislation of Member States and the EU, providers of data processing services “shall take all reasonable technical, legal and organisational measures, including contractual arrangements”. Additional safeguards are included to avoid any unlawful third-party access to data located in the Union.

Interoperability:

Through implementing acts, the Commission is empowered “to enable the interoperability provided by open standards and open interfaces”. The text establishes minimal requirements regarding smart contracts for data sharing.

Review of the Database Directive:

The proposal includes an amendment to the existing Database Directive which specifies that databases containing machine-generated data are excluded from the protection of sui generis right established in Article 7 of the Directive 1996/9/EC.

Enforcement and penalties:

Competent authorities designated by Member States will be responsible for the enforcement of the Regulation. Member states shall lay down rules on penalties, which must be effective, proportionate and dissuasive.

Next steps

The Council and the Parliament are already working on the proposal. In the Parliament, the Industry, Research & Energy Committee (ITRE) will shepherd the negotiations and draft the main report. The appointed rapporteur is experienced MEP Pilar del Castillo (EPP, Spain). Additionally, the Civil Liberties Committee (LIBE), the Legal Affairs Committee (JURI) and the Internal Market Committee (IMCO) will provide Opinion Reports. More information about the status of the Data Act is available here.