In addition to the general rules on access and data transfers, the Data Act introduces specific sharing obligations for data holders with regards to public authorities. This duty applies under certain conditions and aims to support the public interest.
While it used to be public authorities sharing their data, the Data Act establishes a carefully defined reversal: In specific cases, data holders must provide data – along with relevant metadata – to EU institutions like the Commission and the European Central Bank, as well as selected national institutions.
Public authorities can request access to data under two conditions defined by law as “exceptional need”:
(i) Public emergencies: The data is essential for responding to a public emergency (e.g. natural disasters, pandemics, cyber security incidents) and cannot be obtained by other means in time or under similar conditions.
(ii) Public interest tasks: In non-emergency situations involving non-personal data, the request must be:
- based on EU or Member State law, for a task clearly defined by law & serving the public interest
- and when all other means have been exhausted.
What does a valid request look like?
The request must, among others, be in writing and clearly understandable, demonstrate the “exceptional need”, justify why the specific data holder was approached and outline possible penalties for non-compliance. If the request involves personal data, the authority must also detail the technical and organizational safeguards it will use – such as pseudonymization or anonymization - to ensure the data is properly protected.
Upon receipt of the request, the data holder must respond without undue delay, however not later than 5 days in case of a public emergency and 30 days in all other cases
Can you refuse to hand out the data?
A request can be declined or asked to be modified for the following reasons:
- You are not controlling the requested data.
- There is a similar request by another public authority.
- The request does not meet the legal requirements under the Data Act.
Data simply not being available may constitute a valid ground for refusal, since the Data Act doesn’t impose a general obligation to collect data.
If a request involves trade secrets, these must only be disclosed when strictly necessary for the purposes of the request. In such cases, the data holder – or the trade secret holder, if different – must clearly identify which data qualifies as a trade secret, including through relevant metadata.
Is compensation possible?
Compensation for handing out data to public authorities is possible, but only for non-emergency requests. This compensation must be fair and cover at least the technical and organizational costs for providing the data.
No compensation is granted for emergency requests, although public acknowledgment must be given on demand, or when the data is required for official statistics and purchase is prohibited under national law.
If there is a dispute regarding compensation, public authorities can appeal to the national supervisory body.
What should you do?
Now is the time to set up clear internal procedures for handling public data requests. Knowing where your sensitive data and trade secrets reside is crucial to meet legal obligations and to ensure lawful and efficient responses.
Next up in our article series we will explore switching and interoperability obligations for cloud services. Stay tuned!
Need guidance on the Data Act?
