On 23 February 2022, Margrethe Vestager (European Commission’s Executive Vice President for a Europe fit for the Digital Age) unveiled proposals for the EU’s latest legislative development, the EU Data Act. Originally scheduled for publication in December 2021, the draft Regulation stems from the EU’s February 2020 Strategy for Data and sits alongside the EU’s Data Governance Act (as agreed by co-legislators in November 2021).
Key aims
Hailed by the European Commission (Commission) as the way to unlock the untapped value of data (whether personal or otherwise) across the EU and implement a single market in data, the proposed EU Data Act is a wide-ranging, sector-neutral proposal. Key aims of the proposed EU Data Act are to:
To achieve those aims, the EU Data Act grants rights and imposes obligations on various parties within the data ecosystem, notably:
However, the proposed EU Data Act looks to differentiate between types of entity, limiting obligations on, and providing protections for SMEs, whilst carving out large gatekeeper entities (as designated under the Digital Markets Act) from other rights under the legislation.
Those familiar with data legislation more generally will not be surprised to note the extra-territorial angle to the proposed EU Data Act. The location of the manufacturer, data holder or provider of data processing services is not relevant. The EU nexus stems from, for example, the data recipient or recipient of cloud services being located in the EU, from connected products and related services used by a consumer or business having been placed on the EU market, or from non-personal data being held in the EU. As such, entities established outside the EU should also pay due attention to the development of this legislation.
When it comes to the obligations themselves, the proposal draws on concepts familiar to many, such as transparency, incorporation of requirements by default, access rights, model clauses and the application of technical, legal and organisational measures. More specifically, key aspects of the proposed EU Data Act include, at a high level:
Data, defined very broadly to include any digital representation of acts, facts or information (or their compilation), generated by use of connected products or services, should be accessible. Manufacturers/service providers should not be the only parties to gain the benefit of such data and so must ensure their connected products and services are designed with access to data (easy, secure and where relevant, direct) addressed by default.
Associated transparency and information obligations regarding, among other things, the nature and volume of data, manufacturer/service provider use of data, identity of the data holder, and user access to that data also apply.
Notably, the provisions regarding business-to-business and business-to-consumer access and sharing under Chapter 2 do not apply to data generated by use of products/services manufactured or provided by SMEs.
Data holders must provide generated data to a user, on request, without undue delay or charge (potentially continuously and in real time), subject to certain restrictions regarding disclosure of trade secrets and personal data and a prohibition on using the data to create competing products. This would apply, for example, where a business wants to monitor the efficiency of its own machinery or a consumer wants to analyse smart home data across different devices.
The rights of the data holder to use the data itself must be determined by contract with the user, though the data holder is not permitted to use the data in certain ways such that it could undermine the commercial position of the user in the user’s active markets. Of course the GDPR continues to apply to use of personal data.
On the same basis, data holders must also provide the data to third parties upon request by a user (potentially a competitor business), enabling, for example, a user to look to a third party to repair a connected product, so supporting the aftermarket. Recipient third parties are subject to various restrictions such as purpose limitations, onward sharing limits, data deletion, non-compete/exclusivity requirements and data protection compliance.
Reflecting on targets of the EU’s other major legislative developments recently, a third party shall not be eligible to receive such information if it, or a member of its group, constitutes a gatekeeper under the Digital Markets Act (with associated prohibitions on activities to incentivise user provision of the information).
Nonetheless, despite contractual protections and regulatory restrictions, some data holders are likely to be nervous about the potential for abuse of this approach, particularly when the likes of trade secrets and confidential information are disclosed. In practice, loss of control of such data or revelation of trade secrets is not always remedied by a contractual damages claim.
More generally, data holders obliged to make data available to a data recipient (under the proposed EU Data Act or other subsequent EU law) must do so on fair, reasonable and non-discriminatory terms and in a transparent manner, accounting for unfair contract term restrictions and based on reasonable compensation (in the case of SME recipients, subject to a cap at cost).
The proposed EU Data Act looks to protect SMEs further by imposing restrictions on use of unfair contract terms when such a term is unilaterally imposed by the counterparty and relates to access and use of data or liability and remedies for breach or termination of data related obligations. Provisions considered unfair (specified in the proposed EU Data Act on either a black or grey list, and including for example, exclusion of liability for gross negligence of the party imposing the term, or giving that party unilateral right to interpret the contract, or to terminate the contract on unreasonably short notice) will not be binding.
The EU Commission promises to develop non-binding model contract terms on data access and use to support this approach.
Data holders (other than SMEs) are, subject to narrow rights of challenge, bound to make data available without undue delay to Public Bodies in the EU where there is an exceptional need to use the requested data. Examples include responding to, preventing or recovering from a public emergency (such as a health emergency or natural disaster), or where the Public Body has not been able to obtain in a timely manner (and is not able to legislate for provision of) data necessary for a specific task in the public interest.
The provisions specify the nature of information that shall be provided by the Public Bodies to demonstrate the exceptional need. The request must be expressed in clear language, proportionate, respect legitimate aims of the data holder, account for trade secrets protection and avoid personal data where possible (with data holders required to make reasonable efforts to pseudonymise personal data where possible). Limits are also imposed regarding purpose of data use, onward sharing of the data by Public Bodies (allowing sharing with certain scientific research and analytics organisations), processing of personal data and disclosure of trade secrets, with payment (cost plus reasonable margin) due to data holders where data is provided other than in the context of a public emergency.
It remains to be seen how Public Bodies will use these rights, how clearly defined the circumstances of request become and whether data holders continue to voice concerns about mandatory data sharing and the interaction with their own customers’ data or conflicting legal obligations.
Data processing service providers, including cloud service providers, are bound to enable customers to more easily switch to another service provider, addressing purported inadequacies of the likes of the SWIPO codes of conduct. Commercial, technical, contractual and organisational obstacles must be removed to allow for 30-day termination, engagement of new providers, porting of data, applications and other assets, and maintenance of function.
Contracts must also address certain provisions to support the same, including regarding transition periods, with a cap of 30 days for transition unless technically unfeasible (when a maximum alternative 6 months for transition is specified). Operational and process changes may therefore be required to ensure that the regulatory and associated contractual obligations can be met.
Despite the potential need for increased investment in switching arrangements, at least initially, over a period of 3 years the right to charge for the switching process will be phased out, moving from an at-cost basis to free of charge.
The proposed EU Data Act also envisages open interoperability standards and specifications, so smoothing the process of porting and retention of functional equivalence.
Providers of data processing services are further obliged to protect the non-personal data held in the EU and prevent international transfer or non-EU governmental access to that non-personal data. All reasonable technical, legal and organisational measures must be put in place to prevent such transfer or access when it would create conflict with Union law or law of the relevant Member State (for example regarding the right to security and effective remedy, or rights of national security or protection of commercially sensitive data).
Where a decision or judgment of a court or tribunal of a third country requires such data, it must only be disclosed under an international agreement or if certain conditions are met (including where a third country system requires that reasons and proportionality of a decision (specific in character) are provided and that reasoned objection of addressee shall be judicially reviewed, accounting for the legal interests of the data provider). In any event, data minimisation and transparency requirements apply.
This is an area of potential complexity for providers of data processing services, especially when considering the interaction with GDPR international transfer restrictions. The promise of guidelines by the European Data Innovation Board (to be established under the Data Governance Act) would seem essential.
To further support effective data sharing, the proposed EU Data Act looks to standardisation of smart contracts. Provisions address specific essential requirements for smart contracts used in the context of data sharing with potential to develop a set of published standards.
By way of clarification, the proposed EU Data Act states that the sui generis database right under the Database Directive 96/9/EU does not apply in relation to data generated by use of a connected product or related service, so avoiding the right being used as justification for not sharing the data.
Setting aside the potentially significant practical and commercial impact of complying with new obligations, those failing to meet requirements will face regulatory enforcement risk. Member States will identify competent authorities to, amongst other things, handle complaints and take responsibility for enforcement action. As penalties are set by each Member State, so long as they are effective, proportionate and dissuasive, there is clear scope for variation and uncertainty in enforcement risk across the EU. Added complexity arises given that, to the extent personal data is involved, data protection authorities are able to monitor compliance with the EU Data Act and impose fines mirroring GDPR levels.
The proposed EU Data Act also contemplates that disputes between data holders and data recipients may be settled through a system of certified dispute settlement bodies.
The proposed EU Data Act is a horizontal, sector neutral regulation and avoids precluding implementation of sector specific legislation. For example, the European Commission has announced that it is planning a public consultation on a regulation that will set conditions for “accessing and using” data that is generated by vehicles, such as traffic and road conditions, engine performance, driver behavior and the speed and location of the vehicle. The European Commission has indicated that it is preparing rules to “enable clear and competition-friendly EU rules for services that are based on access to car data.” These services include “repair and maintenance, car sharing, mobility as a service and insurance.”
The explanatory notes to the proposed EU Data Act clarify that there is no intention to cut across existing sector-related data sharing requirements (e.g. PSD2).
The explanatory notes also address the application of the GDPR and other relevant legislation (such as Regulation on the free flow of non-personal data, the proposed Data Governance Act, the proposed Digital Markets Act).
In particular, recitals of the proposed EU Data Act state that it is consistent with and complements the GDPR, and that personal data should continue to be processed in accordance with the data protection obligations in any event. However, particularly as mixed personal and non-personal data sets will inevitably form part of the subject matter in practice, organisations may fear increasing complexity and an overlay of requirements as the two regimes apply, for example when addressing data portability under both GDPR Article 20 and the connected product data sharing obligations under the proposed EU Data Act. Concern may arise not least when it comes to international data transfers and the implementation of the protections necessary, an area already fraught with challenge from a personal data perspective.
Similarly, recital 88 of the proposed EU Data Act states that it should not affect the application of EU competition law.
That being said, there appears to be an underlying tension between the aim to facilitate data sharing (which is at the heart of the proposals) and EU competition law rules and restrictions relating to the exchange of commercially sensitive information. Unfortunately, the Commission’s draft revised Guidelines on Horizontal Cooperation Agreements (published on 1 March 2022) do not specifically address the treatment of data sharing arrangements that occur in the context of the EU Data Act (or other similar EU legislative initiatives). Those Guidelines do, however, consider how data sharing initiatives can result in anti-competitive foreclosure from the market where competitors are denied access to data (or granted access on less favourable terms). For the purposes of any assessment under Article 101 TFEU to determine whether an agreement is anticompetitive, the “nature of the data …, the conditions of the data sharing agreement and the access requirements, as well as the market position of the relevant parties” will all be important factors.
The proposed EU Data Act also sits alongside the forthcoming EU Digital Markets Act, which is expected to enter into force this year and impose similar data access and portability obligations on so-called “gatekeeper” companies. Interestingly, the proposed EU Data Act specifically precludes such “gatekeeper” companies from being able to benefit from the data access rights that it provides – as explained in the recitals, these entities are considered to have an unrivalled ability to acquire data and, therefore, including them within the scope of these rights would not further its objectives.
The journey to date has not been without its challenges – the European Commission’s internal Regulatory Scrutiny Board rejected an earlier version as too burdensome – and some have already expressed concern about the nature and scope of some of the provisions, which have the potential to be onerous. Others cast doubt on whether certain obligations (such as contractual requirements) are necessary at all, potentially interfering with existing good practice. In contrast, some, perhaps in the aftermarket field, are hopeful that new opportunities can open up and business models develop to make use of the greater access to data.
During the legislative process, obtaining European Parliament and Member State government buy-in, the proposed EU Data Act will no doubt change and industry bodies are likely to be keen to share their views on the route to agreement. However, once entered into force, the proposed EU Data Act envisages just a 12 month period to application and so organisations likely to be impacted by the regulation should continue to track its progress and mitigate risk of any late stage surprises.