EU Regulatory Data Protection: A first appraisal of the European Commission’s proposal for a ‘Data Act’

By: Heidi Waem, Simon Verschaeve

The European Commission today presented its second instrument in the European Data Strategy; a “Regulation on harmonised rules on fair access to and use of data”, better known as the Data Act. After the adoption of the Digital Governance Act (DGA) at the end of 2021, which essentially defines the data-sharing architecture, this proposal seeks to introduce rules regarding data sharing, access to and reuse of data, contractual terms for data sharing and use, compensation mechanisms, emergency access to data, switching between data processing services, and facilitating data portability. These horizontal rules would apply across all sectors, and especially impact data-driven business and organisations relying on connected products’ data.

In the proposal, “data” is broadly defined and contains both personal and non-personal data. This means that the Data Act would further regulate personal data in addition to the GDPR. It would also extend certain GDPR-like obligations to non-personal data, such as data portability and data transfer restrictions for non-personal data, as well as introduce completely new rules.

The Data Act would apply to all types of enterprises, in principle, including small and micro businesses. That said, for certain obligations, the proposal also takes into account the size of an organisation by exempting or relaxing the obligations for SMEs.

Key provisions of the proposal:

  • Data sharing obligations enabling consumer and business access to “IoT” data

The proposal includes an access by design obligation for connected “products” and all related services and virtual assistants used to access and control these products and services. By default, users must be able to easily, securely and “where relevant and appropriate”, directly access data generated by their use. Before any purchase, rental or lease contract for such products or services is concluded, the user must receive certain information (ie introducing the obligation to provide a kind of “data use and access notice”) which partly overlaps with, but also partly exceeds, the information that needs to be provided for personal data under the GDPR.

Users receive a right of access (insofar the data cannot be directly accessed by the user), use and portability on data generated by connected “products” and all related services and virtual assistants. Data holders can only use such non-personal data based on a contractual agreement with the user. These agreements, and the data sharing agreements with third parties acting on behalf of a user to receive the data, can also contain measures to preserve the confidentiality of trade secrets. Moreover, data holders cannot use such IoT data to derive insights that could undermine the commercial position of the user, or the third party acting on behalf of the user, in the markets in which the user, or the third party, is active.

Unlike the GDPR, the Data Act does not only confer rights upon natural persons. The definition of “user” includes both natural and legal persons that “own, rent or lease” a connected product or receives services.

  • Fairness of B2B contractual terms on data access and use

Additional rules would apply to the contractual terms of such data sharing agreements between data holders and data recipients. These terms must be fair, reasonable and non-discriminatory (FRAND), cannot establish exclusiveness with one data recipient (unless requested by the user) and can only provide for a reasonable compensation to the data holder. Certified dispute settlement bodies will be made available to settle disputes in relation to the terms of these data sharing agreements. Data holders are, under certain conditions, allowed to impose technical measures, such as smart contracts, to ensure compliance with these terms and prevent unauthorised access to the data.

To reduce economic power imbalances, rules are introduced for contractual terms on access to and use of data or certain data related obligations. Where these contractual terms are unilaterally imposed on SMEs, the proposal explicitly states that terms should not be “unfair”.

As an open norm, unfair terms are those that are “of such a nature that their use grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing.” Furthermore, the proposal contains a list of terms that are considered (black list) and terms that are presumed (grey list) to be unfair.

Another interesting point is that the Commission will develop and recommend non-binding model contract terms on data access and use.

  • Data transfer restrictions and unlawful third party access to non-personal data

Where international “transfer” or “governmental access” to non-personal data held in the EU “would create a conflict with EU law or the relevant national law”, providers of data processing services shall take all reasonable technical, legal and organisational measures to prevent such transfer or access.

Such obligation to protect the data that can create a conflict under EU or national law may relate, for example, to the protection of fundamental rights (eg right to security and effective remedy), national security or defence interests, protection of commercially sensitive data (eg trade secrets) and the protection of intellectual property.

Furthermore, the proposal also establishes rules for the enforcement and recognition of third country court (or administrative) decisions, depending on whether or not these are based on an international (MLAT) treaty between the EU or a member state and the third country. If possible, under the terms of the third country data access request, the provider of data processing services should notify the customer before complying with the request.

Whether or not these conditions are fulfilled will need to be assessed according to guidelines of the Commission, assisted by the newly established European Data Innovation Board under the DGA.

  • Data sharing obligations with the public sector in case of exceptional data needs

In a case where, due to terrorist attacks, public health emergencies, natural disasters or other public emergencies, an exceptional need exists to use certain data, data holders would be obliged to share their data with public bodies or EU institutions, bodies or agencies upon request.

Such an “exceptional need” exists where the data:

  • are necessary to respond to a public emergency;
  • request is limited in time and scope and necessary to prevent or assist the recovery from a public emergency;
  • the lack of available data prevents the public body to fulfil a specific task in the public interest explicitly provided by law; and
  • could not be obtained by alternative means or the public emergency procedure of the Data Act substantially reduces the administrative burden for the data holders or other enterprises.

The proposal further lays down a procedure for these public emergency data requests containing a number of conditions for such requests. While the data in principle need to be provided free of charge, compensation would be possible in certain instances. The data obtained in this context can be further shared on a not-for-profit basis or in the context of a public-interest mission with organisations conducting scientific research or analytics compatible with the purpose of the request or to official statistical institutes.

  • Cloud switching obligations

Providers of data processing services (including cloud and edge services) must scrutinise their services, contractual agreements and commercial practices and remove certain obstacles of a commercial, technical, contractual and organisational nature to ensure that their customers can switch to another data processing service.

Moreover, to support these goals, minimum requirements for customer contracts are included, a gradual withdrawal of switching charges is foreseen and technical measures to facilitate switching are imposed in some situations.

  • Minimal requirements regarding smart contracts for data sharing

Minimum requirements would apply to smart contracts used in the context of an agreement to make data available. These include, for example, measures offering a very high degree of robustness to avoid functional errors and withstand manipulation. Smart contract providers should also provide for data archiving and audit options and ensure that smart contracts can be reset or can be instructed to stop or interrupt transactions.

Such vendors are responsible for compliance with these minimum obligations and must perform a conformity assessment and issue an EU declaration of conformity.

  • Exemption of database rights on machine-generated data

According to the Explanatory Memorandum, the evaluation of the Database Directive (No. 96/9/EC) pointed out that legal uncertainty remains around the application of the sui generis right to databases composed of machine-generated data.

As the sui generis right of the Database Directive aims to protect the investments in the collection, and not “the creation of data as a by-product of another economic activity”, the Data Act explicitly states that the sui generis database right “cannot be invoked to hinder” the effective exercise of the access and portability rights of IoT-generated data as provided for by the Data Act.

Enforcement and sanctions

As regards to supervision of the rules of the proposed Data Act, the member states can designate an existing or establish a new supervisory authority. These authorities would have the competence to handle complaints, start investigations and impose financial penalties, aside from other tasks such as promoting awareness, monitoring technological developments. Both natural and legal persons would have the right to lodge an individual or collective complaint with the authority.

That said, the Data Act would not impose the powers and tasks of supervisory authorities to be as extensive as those of data protection authorities under the GDPR. In contrast to the GDPR and other recent EU initiatives, the Regulation only states that penalties must be “effective, proportionate and dissuasive” but leaves the determination of the level of fines and availability of other sanctions to the member states. This will likely result in varying levels of potential sanctions across the EU and leaves the door open for sanctions that are either higher or lower than the maximum under the GDPR.

However, insofar personal data and users that are natural persons are involved, it must be noted that EU data protection authorities, competent under the GDPR, would also become responsible for monitoring the application of the Data Act. In those cases, the data protection authorities can also impose GDPR level fines for infringements of the Data Act.

Link with other EU legislation

As announced by the European Commission, the proposed Data Act complements the recently adopted Data Governance Act (DGA) which establishes a framework to facilitate voluntary data sharing by individuals and businesses and harmonises conditions for the use of certain public sector data. In addition, the proposed Digital Markets Act (DMA) which is currently under negotiation, already requires providers of “core platform services” identified as “gatekeepers” to provide portability of data generated to business and end users’ activities on their platforms, in addition to the right to data portability under the GDPR. The Data Act also has considerable links with the proposed (and still pending) ePrivacy Regulation, as that instrument foresees to lay down rules on the processing of machine-to-machine communications data.

Moreover, the Data Act also interacts with the existing Regulation (No. (EU) 2018/1807) on a framework for the free flow of non-personal data in the EU, which already included self-regulatory codes of conduct to facilitate switching and data portability between service providers. The Commission thus deems a more binding regulatory initiative is needed in this respect.

Finally, there are several other areas of law and regulatory instruments which are of relevance to this proposal, including platform regulation, competition law, intellectual property rights.