Axel von dem Bussche, Christian Frank, Julia Freifrau von Imhoff, Jonathan Kropp, Stephanie Richter and Alexander Schmalenberger look at the key elements of the recently agreed EU Data Act.
Provisional political agreement on the EU's Data Act was reached on 27 June 2023. This legislation aims to regulate the data economy, focusing on giving users (both businesses and individuals) access to data they help generate, and enabling interoperability and cloud-service provider switching. The Data Act will now be formally adopted and will apply twenty months later, potentially in early to mid-2025.
A Quick Look at the Data Act
The EU's Data Act aims to:
- facilitate data sharing by granting rights to access and regulating the mechanisms under which data can be shared B2C, B2B and B2G, particularly in relation to data generated by connected devices and used by related services
- balance data access and trade secret protection
- give public sector bodies access to private sector data (under certain conditions)
- provide protections from unilaterally imposed unfair contractual terms relating to data ownership
- facilitate switching between cloud service providers to promote consumer choice and competition
- provide for the development of interoperability standards for data sharing and data processing.
What's new?
The final text of the Data Act was not available at the time of writing, however, it will facilitate data sharing across the EU, centred around the following areas:
- Data access for users of connected devices: users of IoT devices – like industrial machines, cars or other smart devices - will be able to access and share data. For example, independent repair shops could monitor their customers' cars and offer maintenance. The Act provides rules for access to and use of data generated in the context of professional activities, including data produced by smart devices and machinery. This aims to ensure that businesses can use and benefit from the data they help generate. Data recipients will need to be established in the EU - it remains to be seen whether designating a legal representative will satisfy this requirement. Any sharing of personal data which takes place as a result of the Data Act will need to comply with the GDPR.
- Data sharing among businesses: the Data Act promotes voluntary, GDPR-compliant data sharing among businesses, especially for small and medium-sized enterprises (SMEs). It aims to foster a fair data economy by ensuring that SMEs have access to data they help generate, which is currently often held by large corporations.
- Data sharing with governments: the Data Act also encourages businesses to share their data with governments in the public interest. This includes data related to climate change, health emergencies, and other societal challenges. In non-emergency cases this data sharing is restricted to industrial data. Personal data may only be requested in compliance with the GDPR and in emergency cases.
- Data Intermediaries: the Act aims to create a top-down data market based on the data intermediaries established under the Data Governance Act (DGA), which will apply from September 2023. This will provide for a framework for data intermediaries - neutral entities that facilitate data sharing between data holders and data users. These intermediaries will be subject to strict requirements to ensure they do not use the data for their own purposes.
What about protection of trade secrets?
Negotiations on the Commission's proposal for a Data Act between the European Council and the Parliament were dominated by the issue of how to protect trade secrets as balanced against the data sharing requirements. The starting position was that in general, data cannot be withheld to protect trade secrets. That position evolved during the trilogue and the final agreement provides that “in exceptional circumstances” and “on a case-by-case basis” a company will be able to refuse to share “the specific data in question.”
Refusal to share data will be allowed if the company “can demonstrate that it is highly likely to suffer serious economic damage from the disclosure of trade secrets,” despite “technical and organisational” measures to protect the secrets, which the recipient agreed to use. The alleged “damage” needs to be “duly substantiated” and “based on objective elements” such as “the enforceability of trade secrets” in non-EU countries.
If an individual user is not satisfied with the explanations given, he/she may challenge this decision and file a complaint with the competent national authority which, without undue delay, shall then “decide whether and under which conditions the data sharing shall start or resume.” Safety requirements and the use of “proprietary algorithms” are also grounds for refusing to disclose data. In all other circumstances, companies will be required to let users access data generated by their products and services and to share it with third parties.
The Data Act within its legal framework
The Data Act is a significant piece of legislation that fits into a broader legal framework. It has connections to several other legal initiatives, including the Digital Markets Act (DMA), GDPR, the Free Flow of Non-Personal Data Regulation, the ePrivacy Directive, and the Database Directive. The DMA and the Data Act share common ground in their aim to foster fair and open digital markets. However, the Data Act goes a step further by focusing on the sharing and use of data, which is not explicitly covered by the DMA.
When will the Data Act apply?
The Data Act will apply 20 months after its publication in the Official Journal of the European Union, so from early to mid- 2025. Products that are newly introduced must be designed in such a way that data can be readily accessed after an additional year. Contracts currently in place for Internet of Things products are set to undergo changes after a period of five years.
What does this mean for you?
The Data Act is a complex piece of legislation that will have significant implications for businesses of all sizes. It aims to balance the rights and obligations of various stakeholders in the data ecosystem, including data holders, data users, and data subjects.
As the Act enters into force, businesses will need to carefully review their products, data practices and policies to ensure compliance. This will likely involve making adjustments to their data management systems, updating their contractual arrangements, and implementing security measures to protect data. The facilitation of data access makes it important to maintain robust security measures compliant with the new EU-IT-Security legislation and the new General Product Safety Regulation, as well as the upcoming Product Liability Directive – to protect data from unauthorised access, use, disclosure, disruption, modification, or destruction, whether by companies or users. This includes through the use of encryption, access controls, and secure data transfer methods.
The provisional text agreed has not explicitly eliminated the concerns which companies like SAP, Siemens and others have just recently raised with regard to trade secrets protection, particularly if such data is to be disclosed to third-party competitors operating outside the EU. Companies will have to “adapt” to this uncertainty and want to consider the extent to which their data can be moved outside the scope of the Data Act given the weakened protection of sensitive commercial data, e.g. by taking measures to avoid any “mixed” data packages including specific user data and other data enabling the recipient to learn about sensitive features of the product or services generated while using them.
While the Data Act presents challenges, it also offers opportunities. By facilitating data sharing and use, it should help businesses to gain valuable insights, innovate, and create new business models. However, to fully realise these benefits, businesses will need to navigate the complexities of the legislation and strike a balance between data access and protection.
