What's the issue?

In February 2019, the European Commission published its European Data Strategy.  Its core aim is to create a single market for data, making industrial and commercial data more widely available to foster innovation, improve products and services, and empower individuals.

The first major initiative published under the Strategy was the Data Governance Act, which set out processes and structures to facilitate data sharing.  The rules for who can use and access what data across the economy were to be set out separately in a Data Act.

What's the development?

The EC published its draft Data Act in February 2022. The draft Data Act (which takes the form of a Regulation) clarifies who can create value from data (personal and non-personal) and under what conditions.  

The Act is intended to unlock industrial data by giving business users access to data they contribute to creating, and giving individuals more control over all their data, not just personal data. This is focused particularly on data created using connected devices and related services, for example voice assistants.  It is partially aimed at largescale manufacturers and service providers of IoT products who are likely to lose their data advantage to a degree.  Third party business users will not be able to use obtained data to develop directly competing products, but they will be able to use it to create other products and services.

Proposals include:

• giving users of connected devices access to data they generate and the ability to share it with third parties to provide aftermarket or other data-driven innovative services
• measures to rebalance negotiation power for SMEs by preventing abuse of contractual imbalances in data sharing contracts. There will be protection from unfair contractual terms and the Commission also plans to develop model contractual terms to help companies draft and negotiate fair data-sharing contracts
• provisions for access to private sector data by public sector bodies where necessary for exceptional circumstances, such as public emergency (not routine law enforcement)
• facilitation of switching between cloud and edge service providers through data and cloud interoperability rules
• establishing protection for non-personal data against unlawful data transfer and access by non-EU governments
• clarification that IoT databases should not be subject to additional legal protection (under the Database Directive), thereby allowing data generated by IoT devices to be more easily used.

What does this mean for you?

This is EU legislation focused on removing barriers to data sharing and exploitation within the EU, but also between the private and public sectors, large businesses and SMEs, and businesses and individuals.  Relevant UK businesses which operate in the EU market will be caught.

There is a clear intention to prevent 'big tech' monopolising data, although there are protections to stop shared data being used to develop competing products. The Act also aims to empower consumers to access, exploit, and in some cases, to move data generated by products or related services they use. 

The Act is at the beginning of its legislative process and may yet change considerably.  More detail around what compensation may be available for data sharing, and around the restrictions on transfers of non-personal data to third countries are two areas likely to spark intense debate.

The UK has expressed similar aims around exploiting data from outside the EU, not least in its December 2020 National Data Strategy and its 'Benefits of Brexit' White Paper published in January 2022.  So far though, it has not published legislation on these issues.  It's possible that may change when the 'Brexit Freedoms Bill' is published.

Read more

The proposal is intended to be consistent with the GDPR, the ePrivacy Directive, the Free Flow of Non-Personal Data Regulation and the Unfair Contract Terms Directive.  "Data" is defined as "any digital representation of acts, facts or information and any compilation of such facts or information, including in the form of sound, visual or audio-visual recording".  It therefore covers personal and non-personal data although some provisions in the Act (such as those around international access and transfer) apply only to non-personal data.

Other key definitions

• "user" is any natural or legal person that owns, rents, or leases a product or receives services.
• "data holder" means a legal or natural person who has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation implementing Union law, or in the case of non-personal data and through control of the technical design of the product and related services, the ability, to make available certain data.
• "data recipient" means a legal or natural person, acting for purposes which are related to that person’s trade, business, craft or profession, other than the user of a product or related service, to whom the data holder makes data available, including a third party following a request by the user to the data holder or in accordance with a legal obligation under Union law or national legislation implementing Union law.
• "product" means a tangible, movable item, including where incorporated in an immovable item, that obtains, generates or collects, data concerning its use or 72 Regulation (EU) 2021/784 of the European Parliament and of the Council of 29 April 2021 on addressing the dissemination of terrorist content online (OJ L 172, 17.5.2021, p. 79). EN 39 EN environment, and that is able to communicate data via a publicly available electronic communications service and whose primary function is not the storing and processing of data.
• "related service" means a digital service, including software, which is incorporated in or inter-connected with a product in such a way that its absence would prevent the product from performing one of its functions.
• "data processing service" means a digital service other than an online content service as defined in Article 2(5) of Regulation (EU) 2017/1128, provided to a customer, which enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources of a centralised, distributed or highly distributed nature.

B2B and B2C data sharing

Manufacturers and designers must design products and related services in such a way that by default and design, businesses and individuals involved in generating data through them are able to access, use and share their data free of charge.  Data must also be made available to third parties by data holders at the request of the user (except by micro and small enterprises).    These provisions do not prevent the manufacturer from accessing and using data from their products or related services where agreed with the user.  

Data made available cannot be used to develop competing products, and trade secrets are given protection. Users and third parties may not share data with organisations designated as gatekeepers under the Digital Markets Act.  Third parties receiving data may only process it as agreed with the user (and in accordance with the GDPR where the data includes personal data).

Obligations for data holders legally obliged to make data available

Where a data holder is required to make data available, it must do so on fair and reasonable terms and in a transparent manner.  Any compensation to a data holder for making data available to a data recipient must be fair and non-discriminatory.  

Fairness of contractual terms

Contractual terms unilaterally imposed by one party on a micro, small or medium sized business must be fair, reasonable and non-discriminatory.  Unfair terms are defined in general terms but the Act also sets out a list of clauses which will always be or will be presumed to be unfair.  The burden of demonstrating that terms are non-discriminatory is on the data holder.  

Access to data by public sector bodies and agencies

Provisions are made for public bodies and agencies to be able to access private sector data where there is an exceptional need for it.  For example, where the data is necessary to respond to public health emergencies or major natural or human-induced disasters, the data would be made available for free.  Where made available in other cases of exceptional need, for example to prevent or recover from a public emergency, there are provisions to allow compensation for data holders.  Rules are introduced to provide oversight and ensure the access right is not abused.

Switching and interoperability

Data processing services must ensure their customers can switch to an equivalent service by another provider and may not create obstacles, including by having termination periods longer than 30 days, restricting porting of data, or preventing users from entering into new contracts with other providers.  Contractual terms must allow for switching and include assistance and service continuity provisions during the transition period which must not be more than 30 days subject to technical unfeasibility.  There is also provision for a gradual withdrawal of switching charges. Specific technical standards or interfaces are not mandated but services must be compatible with European standards or interoperability technical specifications where available.

Safeguards for international transfers of non-personal data

Providers of data processing services are required to take all reasonable technical, legal and organisational measures, including contractual arrangements, to prevent international transfers or governmental access to non-personal data held in the EU where such transfer or access would create a conflict with EU or Member State law.  This is subject to exceptions for legal data access requests under international agreements.

Interoperability

Operators of data spaces and data processing service providers must comply with requirements to facilitate interoperability of data, data sharing mechanisms and services.  These can be generic or sector-specific and the Commission may adopt further specifications and requirements, but the immediate focus is on cloud service providers and ensuring portability.  There are also provisions regarding essential requirements for smart contracts.

Implementation and enforcement

Member States must designate supervisory authorities which will have powers to sanction non-compliance in line with GDPR-level fines for certain breaches.

The legislation now begins the path to approval and is expected to come into effect 12 months after coming into force.  See our article for more.