21 March 2022
Radar - March 2022 – 1 of 3 Insights
In February 2019, the European Commission published its European Data Strategy. Its core aim is to create a single market for data, making industrial and commercial data more widely available to foster innovation, improve products and services, and empower individuals.
The first major initiative published under the Strategy was the Data Governance Act, which set out processes and structures to facilitate data sharing. The rules for who can use and access what data across the economy were to be set out separately in a Data Act.
The EC published its draft Data Act in February 2022. The draft Data Act (which takes the form of a Regulation) clarifies who can create value from data (personal and non-personal) and under what conditions.
The Act is intended to unlock industrial data by giving business users access to data they contribute to creating, and giving individuals more control over all their data, not just personal data. This is focused particularly on data created using connected devices and related services, for example voice assistants. It is partially aimed at largescale manufacturers and service providers of IoT products who are likely to lose their data advantage to a degree. Third party business users will not be able to use obtained data to develop directly competing products, but they will be able to use it to create other products and services.
This is EU legislation focused on removing barriers to data sharing and exploitation within the EU, but also between the private and public sectors, large businesses and SMEs, and businesses and individuals. Relevant UK businesses which operate in the EU market will be caught.
There is a clear intention to prevent 'big tech' monopolising data, although there are protections to stop shared data being used to develop competing products. The Act also aims to empower consumers to access, exploit, and in some cases, to move data generated by products or related services they use.
The Act is at the beginning of its legislative process and may yet change considerably. More detail around what compensation may be available for data sharing, and around the restrictions on transfers of non-personal data to third countries are two areas likely to spark intense debate.
The UK has expressed similar aims around exploiting data from outside the EU, not least in its December 2020 National Data Strategy and its 'Benefits of Brexit' White Paper published in January 2022. So far though, it has not published legislation on these issues. It's possible that may change when the 'Brexit Freedoms Bill' is published.
The proposal is intended to be consistent with the GDPR, the ePrivacy Directive, the Free Flow of Non-Personal Data Regulation and the Unfair Contract Terms Directive. "Data" is defined as "any digital representation of acts, facts or information and any compilation of such facts or information, including in the form of sound, visual or audio-visual recording". It therefore covers personal and non-personal data although some provisions in the Act (such as those around international access and transfer) apply only to non-personal data.
Other key definitions
B2B and B2C data sharing
Manufacturers and designers must design products and related services in such a way that by default and design, businesses and individuals involved in generating data through them are able to access, use and share their data free of charge. Data must also be made available to third parties by data holders at the request of the user (except by micro and small enterprises). These provisions do not prevent the manufacturer from accessing and using data from their products or related services where agreed with the user.
Data made available cannot be used to develop competing products, and trade secrets are given protection. Users and third parties may not share data with organisations designated as gatekeepers under the Digital Markets Act. Third parties receiving data may only process it as agreed with the user (and in accordance with the GDPR where the data includes personal data).
Obligations for data holders legally obliged to make data available
Where a data holder is required to make data available, it must do so on fair and reasonable terms and in a transparent manner. Any compensation to a data holder for making data available to a data recipient must be fair and non-discriminatory.
Fairness of contractual terms
Contractual terms unilaterally imposed by one party on a micro, small or medium sized business must be fair, reasonable and non-discriminatory. Unfair terms are defined in general terms but the Act also sets out a list of clauses which will always be or will be presumed to be unfair. The burden of demonstrating that terms are non-discriminatory is on the data holder.
Access to data by public sector bodies and agencies
Provisions are made for public bodies and agencies to be able to access private sector data where there is an exceptional need for it. For example, where the data is necessary to respond to public health emergencies or major natural or human-induced disasters, the data would be made available for free. Where made available in other cases of exceptional need, for example to prevent or recover from a public emergency, there are provisions to allow compensation for data holders. Rules are introduced to provide oversight and ensure the access right is not abused.
Switching and interoperability
Data processing services must ensure their customers can switch to an equivalent service by another provider and may not create obstacles, including by having termination periods longer than 30 days, restricting porting of data, or preventing users from entering into new contracts with other providers. Contractual terms must allow for switching and include assistance and service continuity provisions during the transition period which must not be more than 30 days subject to technical unfeasibility. There is also provision for a gradual withdrawal of switching charges. Specific technical standards or interfaces are not mandated but services must be compatible with European standards or interoperability technical specifications where available.
Safeguards for international transfers of non-personal data
Providers of data processing services are required to take all reasonable technical, legal and organisational measures, including contractual arrangements, to prevent international transfers or governmental access to non-personal data held in the EU where such transfer or access would create a conflict with EU or Member State law. This is subject to exceptions for legal data access requests under international agreements.
Operators of data spaces and data processing service providers must comply with requirements to facilitate interoperability of data, data sharing mechanisms and services. These can be generic or sector-specific and the Commission may adopt further specifications and requirements, but the immediate focus is on cloud service providers and ensuring portability. There are also provisions regarding essential requirements for smart contracts.
Implementation and enforcement
Member States must designate supervisory authorities which will have powers to sanction non-compliance in line with GDPR-level fines for certain breaches.
The legislation now begins the path to approval and is expected to come into effect 12 months after coming into force. See our article for more.