Stephanie Richter, LL.M. (Torino), CIPP/E


Gabriel Drewek

Gabriel Danyeli, LL.M. (Köln/Istanbul Bilgi)



28 February 2022

EU Commission's final proposal for the new Data Act published

  • Briefing

More and more everyday objects, buildings, machines and vehicles are being equipped with sensors, chips and data connections. The amount of data produced by the interaction of people and machines with each other, with their environment, but also through self-monitoring, is increasing massively. Accordingly, the data flows of European companies will be fifteen times larger in 2030 than in 2020 (cf. EU Commission study on quantifying data flows in Europe "Study on Mapping Data Flows - Final Report", published on 3 February 2022).

The potential use cases for this data and thus possible business ideas cannot be exhaustively surveyed: traffic control, timely maintenance of machines and health services are just a few examples. With regard to the effective use of these massive amounts of data for the new data economy, the EU Commission believes that there is still room for improvement in light of advancing digitalisation. A regulation for fair access to and use of data is intended to create a single market for data in which start-ups and small and medium-sized enterprises can offer their services under privileged conditions. To this end, it is to be determined who can create value from data and at what costs and contractual conditions the data can be traded. The draft published on 23 February 2022 ("Data Act-Draft") is intended to be the basis of this regulation and will later be supplemented by further regulations on specific data spaces.

The Data Act is designed to enable the legally secure exploitation of data for everyone. To this end, the regulation contains provisions regulating the relationships of the various actors in the internal data market as well as regulations on international data transfer, cloud switching, data interoperability and data sharing processes.

Scope of application

The regulations of the Data Act-Draft apply both to the manufacturers of networked products placed on the market in the Union and to the providers of associated services, as well as to the users of these products or services. It also covers data controllers who transfer data to data recipients in the European Union, data recipients in the Union to whom data are made available, and data processing services that offer their services to customers in the Union.

The Data Act-Draft contains further provisions for public bodies and institutions, agencies or bodies in the European Union, which may request data controllers to provide them with data under certain conditions. The concept of data is very broad. It covers any digital representation of acts, facts or information, as well as any combination of such acts, facts or information, including in the form of sound, images or audio-visual recordings.

Data exchange between B2B and between B2C
Product design

Products and related services shall be designed in such a way that access to data generated thereby is as uncomplicated as possible. Before entering into a contract, users must be informed about the data that may be produced by the use of products or digital services and whether the generation of data is permanent and in real time. Furthermore, the data owner is obliged to inform the user whether and, if so, how he uses the data himself. Finally, the user must be informed of how he can access the data and use it himself or how to pass it on.

Right of access

The user's right of access is of key importance. Users can demand (if access to the generated data is not directly possible) that the data owner makes the data accessible immediately and free of charge. Furthermore, the released data may not be used to develop competing products. The data owner, in turn, may only use the data within the contractually agreed framework.

Disclosure to third parties and their obligations

At the request of the user, data must also be passed on to third parties without delay and free of charge. The sharing of data with a so-called "gatekeeper" is excluded. This concerns large internet companies such as Google, Amazon and Facebook. Gatekeepers themselves, on the other hand, are not excluded from sharing data. The exclusion is intended to prevent them from extending their supremacy on the internet to the internal data market. In order to safeguard trade secrets, data owners and users can enter into certain agreements regarding the sharing of data with third parties. The third party who has received the data may only use it in the manner contractually agreed with the user.

Privileging of smaller enterprises

Finally, micro-enterprises and small and medium-sized enterprises (SMEs) are excluded from the above-mentioned obligations unless they are dependent on other large enterprises. Micro-enterprises and SMEs include companies that have no more than 49 employees and an annual turnover of no more than EUR 10 million or a balance sheet total of no more than EUR 10 million.

Provision of data

The Data Act-Draft also contains general conditions for the provision of data by a data controller obliged to do so under the Data Act-Draft, EU law or national law. The provision must be made under fair, reasonable and non-discriminatory conditions and with the greatest possible transparency.

Ensuring fair contractual clauses

Furthermore, data holders and data recipients shall contractually determine the conditions for the provision of the data. According to the Data Act-Draft, unfair contractual clauses on data access and use vis-à-vis micro-enterprises and SMEs are always to be considered invalid. Contractual clauses are ineffective, for example, in the case of a general exclusion of warranty. In addition, the unilateral imposition of clauses on data access and use that affect legitimate interests of the other contracting party is invalid. If discrimination is alleged, it is up to the user of the contractual clauses to prove their fairness.

Protective measures

Furthermore, the data owner is entitled to take appropriate protective measures against unauthorised access to shared data. In the event of unauthorised use or disclosure of data, the data recipient is obliged to destroy the data immediately.

Legal framework for the release of data to public sector bodies

A legal framework is created for public bodies, both at European and national and local level, to request the surrender of data from data holders if there is an "exceptional need". Art. 15 of the Data Act-Draft lists circumstances in which such a need can be assumed. Among other things, this is the case if the data is necessary to respond to public emergencies such as natural disasters, terrorist attacks or the Corona pandemic. The public body's request must be proportionate to the exceptional need and, as far as possible, limited to non-personal data. If the public body further transfers the data or makes it publicly available, this must be communicated to the data holder.

The data controller must provide the data without undue delay. If public emergencies form the basis of the request for surrender, the data holder receives no compensation. In other cases, the compensation is limited to the technical and organisational costs for making data available plus reasonable compensation. The calculation basis for this reasonable compensation shall be disclosed upon request. The appropriate compensation shall be determined according to the customary market share of profit. Its amount can only be determined after a market investigation; empirical values from antitrust law suggest values of 5-10% of turnover.

In addition, the data may be passed on by public bodies to other public bodies and for the purpose of scientific research, especially statistics. In the case of disclosure to other public bodies, the owner will also be informed. The receiving body must respect the purpose for which the data was originally made available.

Simplified change of provider in the cloud and increased interoperability

One of the key objectives of the Data Act-Draft is to facilitate the switching of companies from cloud, edge or similar data processing providers to other data processing architectures or providers. This is intended to remove commercial, technical, contractual and organisational obstacles that have so far prevented companies from switching cloud providers.

In doing so, the previous regulatory approach based on voluntariness is abandoned and binding regulatory orders are made for the first time. Although the Data Act-Draft does not directly prescribe any specific technical standards or interfaces, it does require that services - where available - must be compatible with open standards and interfaces. This is intended to increase interoperability between services. The Data Act-Draft also provides that the EU Commission may mandate one or more standardisation organisations to develop European standards for specific types of data processing services. Should no standards emerge or should they be deemed unsuitable by the EU Commission, the Commission can also set interoperability standards through a delegated regulation.

The EU Commission's power to define the technical specifications for the various data spaces in the EU is also likely to become particularly important in practice. As a result, data would be stored in formats and exchanged using standards that could facilitate interoperability in the medium term.

The Data Act-Draft also contains contractual requirements that are likely to have a significant impact on the current cloud market. For example, the notice period is limited to a maximum of 30 days. Long-term customer relationships, which are essential for the revenue recognition of many cloud providers, are thus abolished.

In addition, the switch between providers must also be carried out in a maximum of 30 days and the provider must guarantee full service continuity during the transition process. Only where a switch is technically unfeasible within that time can the transition period be extended to 6 months. After the transition has taken place, a minimum level of functionality (functional equivalence) must be available to the company with the new provider.

The fees for a switch will first be limited to a reduced level, which only includes the actual costs incurred for the switch. In a second step, data holders will no longer be allowed to charge any fees at all three years after the Data Act-Draft enters into force.

Protection against access by third countries

The Data Act-Draft also requires data processing services to take all reasonable technical, legal and organisational measures to prevent international transfers of or access to non-personal data by third countries if this violates European or national law of member states. If a third country wants to use non-personal data from the Union in any way, it can only be done on the basis of an international agreement. If no such agreement exists, a data transfer from the Union to a third country can only take place under certain conditions.

Probably in view of the uncertainties triggered by the GDPR in dealing with third countries, companies should be able, after a request, to obtain a decision from a competent authority on whether a data transfer is permissible. Furthermore, the EU Commission is to develop guidelines to facilitate an assessment of permissibility.

With the Data Act-Draft, the EU Commission has presented another fundamental building block for the European data strategy. As the basis for many new digital products and services, data will be one of the major growth drivers in the future. With the Data Act, the EU Commission has now presented the basis with which Europe wants to take a leading position in this market of the future. At the same time, the draft means a great challenge for companies, as a fundamental change in the collection, creation and dissemination of data must be carried out.