29 June 2023
Axel von dem Bussche, Christian Frank, Julia Freifrau von Imhoff, Jonathan Kropp, Stephanie Richter and Alexander Schmalenberger look at the key elements of the recently agreed EU Data Act.
Provisional political agreement on the EU's Data Act was reached on 27 June 2023. This legislation aims to regulate the data economy, focusing on giving users (both businesses and individuals) access to data they help generate, and enabling interoperability and cloud-service provider switching. The Data Act will now be formally adopted and will apply twenty months later, potentially in early to mid-2025.
The EU's Data Act aims to:
The final text of the Data Act was not available at the time of writing, however, it will facilitate data sharing across the EU, centred around the following areas:
Negotiations on the Commission's proposal for a Data Act between the European Council and the Parliament were dominated by the issue of how to protect trade secrets as balanced against the data sharing requirements. The starting position was that in general, data cannot be withheld to protect trade secrets. That position evolved during the trilogue and the final agreement provides that “in exceptional circumstances” and “on a case-by-case basis” a company will be able to refuse to share “the specific data in question.”
Refusal to share data will be allowed if the company “can demonstrate that it is highly likely to suffer serious economic damage from the disclosure of trade secrets,” despite “technical and organisational” measures to protect the secrets, which the recipient agreed to use. The alleged “damage” needs to be “duly substantiated” and “based on objective elements” such as “the enforceability of trade secrets” in non-EU countries.
If an individual user is not satisfied with the explanations given, he/she may challenge this decision and file a complaint with the competent national authority which, without undue delay, shall then “decide whether and under which conditions the data sharing shall start or resume.” Safety requirements and the use of “proprietary algorithms” are also grounds for refusing to disclose data. In all other circumstances, companies will be required to let users access data generated by their products and services and to share it with third parties.
The Data Act is a significant piece of legislation that fits into a broader legal framework. It has connections to several other legal initiatives, including the Digital Markets Act (DMA), GDPR, the Free Flow of Non-Personal Data Regulation, the ePrivacy Directive, and the Database Directive. The DMA and the Data Act share common ground in their aim to foster fair and open digital markets. However, the Data Act goes a step further by focusing on the sharing and use of data, which is not explicitly covered by the DMA.
The Data Act will apply 20 months after its publication in the Official Journal of the European Union, so from early to mid- 2025. Products that are newly introduced must be designed in such a way that data can be readily accessed after an additional year. Contracts currently in place for Internet of Things products are set to undergo changes after a period of five years.
The Data Act is a complex piece of legislation that will have significant implications for businesses of all sizes. It aims to balance the rights and obligations of various stakeholders in the data ecosystem, including data holders, data users, and data subjects.
As the Act enters into force, businesses will need to carefully review their products, data practices and policies to ensure compliance. This will likely involve making adjustments to their data management systems, updating their contractual arrangements, and implementing security measures to protect data. The facilitation of data access makes it important to maintain robust security measures compliant with the new EU-IT-Security legislation and the new General Product Safety Regulation, as well as the upcoming Product Liability Directive – to protect data from unauthorised access, use, disclosure, disruption, modification, or destruction, whether by companies or users. This includes through the use of encryption, access controls, and secure data transfer methods.
The provisional text agreed has not explicitly eliminated the concerns which companies like SAP, Siemens and others have just recently raised with regard to trade secrets protection, particularly if such data is to be disclosed to third-party competitors operating outside the EU. Companies will have to “adapt” to this uncertainty and want to consider the extent to which their data can be moved outside the scope of the Data Act given the weakened protection of sensitive commercial data, e.g. by taking measures to avoid any “mixed” data packages including specific user data and other data enabling the recipient to learn about sensitive features of the product or services generated while using them.
While the Data Act presents challenges, it also offers opportunities. By facilitating data sharing and use, it should help businesses to gain valuable insights, innovate, and create new business models. However, to fully realise these benefits, businesses will need to navigate the complexities of the legislation and strike a balance between data access and protection.
by Dr. Jakob Horn, LL.M. (Harvard) and Alexander Schmalenberger, LL.B.
by multiple authors
by multiple authors