EU Data Act: new rules for data exchanges between businesses, users and third parties

Out-Law News | 09 Mar 2022 | 9:52 am | 5 min. read

The European Commission has proposed new rules on who can use and access data generated in the EU across all economic sectors as part of wide-ranging plans for a new Data Act.

The European Commission plans to boost innovation and competition in the EU by allowing better use of industrial data in the EU. So far 80% of industrial data in the EU remains unused, the Commission said.

 

The proposed Data Act (64-page / 577KB PDF) is intended to advance the exchange of data between businesses and from companies to the public sector, introduce new data access rights for networked products and at the same time protect data from non-EU governmental access. The Commission said it expects the new rules to add €270 billion to the EU's gross domestic product by 2028.

The rules set out in the draft aim to increase "legal certainty for consumers and businesses to access data generated by the products or related services they own, rent or lease." According to the new rules, manufacturers and designers would have to design products "in a way that makes the data easily accessible by default", the Commission said. They would also "have to be transparent on what data will be accessible and how to access it".

According to the Commission, the outlined provisions will not "affect the possibility for manufacturers to access and use data from products or related services they offer, where agreed with the user". However, the proposal intends to oblige the data holder "to make such data available to third parties upon the request of the user". Thus, users would be able to authorise the data holder to give access to the data to another service provider. The proposal exempts micro and small enterprises from these obligations.

Lauro Fava, data law expert at Pinsent Masons, said that the question of how to unlock data that is generated by connected devices has been debated in the EU for years: "Many advocated softer measures that would promote voluntary industry initiatives, but the proposed regulation shows the Commission’s resolve to mandate data sharing through regulation," he said. "Some might question whether there has actually been a market failure that warrants regulation at this level of detail.”

“The proposal will surely be welcomed by providers of value-added services who need data held by manufacturers in order to develop their services, especially smaller businesses who stand to gain from the rights and protections that would be afforded to them under the regulation. However, manufacturers will be assessing how the loss of control over the data that they hold might impact their market position and any aspirations to commercialise that data," he said.

Fava said it is currently unlikely that the UK will pursue similar regulation. However, any UK business that wants access to the EU market will still need to comply with the proposed Data Act.

The proposal also aims to regulate the way in which businesses would have to make the data available and how they would be compensated for doing so. According to the draft, data holders obliged to make data available to data recipients "shall do so under fair, reasonable and non-discriminatory terms and in a transparent manner". Data holders should also agree with data recipients on the terms for making the data available. But data holders and data recipients would not have to provide "any information beyond what is necessary to verify compliance with the contractual terms agreed for making data available or their obligations under member state or union law". Data holders would not be obliged to disclose trade secrets when making data available, unless EU or member state law provides otherwise.

The proposal clarifies that any compensation agreed between a data holder and a data recipient for making data available should be reasonable.

The proposal aims to provide additional protection for micro, small or medium-sized enterprises. If a data holder agrees with such a business on a compensation for making data available, he may not demand a charge that is higher than the actual costs of making the data available, according to the proposed new rules.

Member states would be obliged to establish a dispute settlement body where data holders and data recipient can file a complaint if they think that the rules of the regulation have been violated.

The proposal also addresses unfairness of contractual terms in data sharing contracts between businesses. When negotiating contractual terms with micro, small or medium-sized enterprise, larger businesses would be prohibited from taking advantage of their stronger negotiating power. The draft introduces an unfairness test. It defines in what cases data sharing-related contractual terms are unfair and is complemented by a list of clauses "that are either always unfair or presumed to be unfair". The Commission expects that this test will protect weaker contractual parties from unfair contracts in situations of unequal bargaining power.

"The EU Commission’s proposals for data sharing are only half-baked," said Ruth Maria Bousonville, data law expert at Pinsent Masons. "On the one hand, one is left wondering why they only apply to data generated by using a tangible product or related service. Data generated by using online or mobile services are of equal economic value, for example data from any app using location data. On the other hand, the proposals cut deep into freedom of contract but don’t resolve the fundamental issues such as data protection concerns which are a major obstacle to data sharing today."

"These proposals will be subject to extensive discussions before they are ready to be enacted, and the EU commission is yet to give evidence why the Data Act would be better suited to foster data sharing than model clauses are, for example those the EU is already funding through the Support Centre for Data Sharing," Bousonville said.    

The proposal also contains a set of rules that would limit the ability of cloud providers to comply with court rulings in other jurisdictions where those courts order them to provide foreign authorities with access to the non-personal data they hold in the EU.

The EU Data Act was trailed in the European Commission's 'shaping Europe's digital future' strategy. It is one piece of a wider puzzle of EU law governing data, which includes existing legislation such as the GDPR, which applies to personal data, and the proposed new EU Data Governance Act, which is designed to encourage the creation of new infrastructure for sharing data, and in turn help build a digital single market for data across EU member states.

"The proposal raises a number of questions that data holders might struggle with, and some of these are likely to be debated extensively in the next stages of the legislative process," said Fava. "One of these relates to the scope of the data that needs to be made available, which may give rise to practical challenges in protecting trade secrets. Other potential issues include how to establish what compensation the data holder may request for making data available, determining what terms are fair, reasonable and non-discriminatory, and drawing the line between personal and non-personal data. The proposal is only the start of what may be a lengthy

legislative process."

As a next step, the member states and the European Parliament will negotiate the Data Act and try to reach an agreement on it.