The volume of data generated by individuals and by Internet of Things (IoT) connected devices, as well as the volume of data processed via cloud and edge services, is constantly growing. By 2025, a data volume of 175 zettabytes is expected to be reached and by 2030, the EU data economy should cross the €1 trillion threshold. Nevertheless, most data is underused at EU level due to several factors, such as a lack of clarity on who can use and access data generated by connected products, the concentration of data in the hands of big players and the inability of small and medium enterprises (SMEs) to negotiate fair data sharing contracts with stronger market players, difficulties in switching between cloud and edge services in the EU, as well as a limited ability to combine data deriving from different areas of economic activity.
Within this context, the European Commission published on 23 February 2022 its proposal for a regulation regarding harmonized rules on fair access to and use of data across the EU (the "Data Act").
What is the Data Act?
The Data Act is a horizontal regulation, being the second main legislative initiative following the Data Governance Act (which was adopted by the European Parliament on 6 April 2022 and shall apply from 24 September 2023), resulting from the February 2020 European Data Strategy.
The European Commission stated that the main objective of the Data Act is to “unlock the value of data generated by connected objects in Europe”, especially for individuals, SMEs and public sector bodies, and to “clarify who can create value from such data and under which conditions”.
While the primary scope was to regulate measures intended to leverage the data resources generated by the IoT, the Data Act also deals with several other areas, such as facilitating easier switching between cloud, edge and other data processing service providers.
Very importantly, the Data Act deals with "big data", meaning both personal and non-personal data.
Similarly to the GDPR, the Data Act applies primarily to entities (e.g. manufacturers of connected products and service providers) which, irrespective of their seat, place their products or services on the EU market or make their data available to recipients within the EU.
In order to achieve its envisaged aim, the Data Act includes several key measures addressing mainly the following:
i. Right of users of connected products to access and use data generated by them and to share such data with third parties (the user being the person that owns or rents a connected product or benefits from a related service)
The Data Act acknowledges the user's right to access and use (directly or via third parties) data generated by IoT products and related services. The data holders (e.g. manufacturers of connected products) qualifying as SMEs are exempted from these obligations, presumably as a protection tool and also considering the limited resources these companies could allocate to meet the new compliance requirements under the Data Act. Apart from the user and its proxy holder (i.e. third party), no other person has the means under the Data Act to oblige the data holder to make the data available.
Manufacturers, in their capacity as data holders, are obliged to ensure access by design to data generated using connected devices or related services; that is, such products should be designed and manufactured to allow, by default, easy and secure access by users to data. Also, before concluding a contract (purchase, rent or lease of a connected product or a related service), users must be provided with clear information on what data will be accessible and how to access it.
Where data cannot be directly accessed by the user from the product or related service, the data holder must make available to the user the data generated by such product or related service without undue delay, free of charge and, where applicable, continuously and in real time.
Trade secrets will be disclosed only if confidentiality can be ensured. Moreover, data obtained by users cannot be used to develop products that compete with products from which the data originate.
Manufacturers (data holders) may use the non-personal data generated by a connected product or related service for their own interest only on the basis of (i) prior information given to the user and (ii) a written contract concluded with the respective user.
Also, as noted, apart from using the data directly, users may oblige data holders to make the data generated by connected devices and related services available to third parties of the user’s choice. It is to be noted that companies designated as "gatekeepers" under the EU Digital Markets Act do not qualify as third parties, such exemption being provided in order to restrict gatekeepers from collecting even more data.
The Data Act additionally sets out the data access rules. Where a data holder is obliged to make data available to a data recipient, this must be done based on fair, reasonable and non-discriminatory contractual terms. Data holders can require “reasonable” compensation from the data recipient for making the data available. However, any compensation set for SMEs must not exceed the actual cost of making the data available. Member States are obliged to set up dispute settlement bodies (certified as per the Data Act) designated to assist parties that disagree on the compensation or conditions to come to an agreement.
ii. Rebalancing negotiation power for SMEs by preventing unfair contractual terms in data sharing contracts
The Data Act additionally addresses the unfairness of contractual terms in data sharing contracts between businesses, in situations where a contractual term is unilaterally imposed by one party on an SME. To this end, the Data Act provides for an unfairness test, which includes details on the meaning of an "unfair" contractual term and a list of clauses that are either always unfair or presumed to be unfair. Only contractual terms unilaterally imposed on SMEs are subject to the "fairness test", any "unfair" terms being deemed non-binding.
The European Commission will develop model (non-binding) contractual terms to help SMEs draft and negotiate fair data sharing contracts.
It is unclear in our view whether this Chapter of the Data Act applies to all contracts concerning sharing of data between SMEs and non-SMEs or only to contracts falling under the mandatory supply of data under the preceding chapters (i.e. mandatory supply of data to the user of connected products and its proxy holders).
iii. Conditions under which public sector entities may access and use data held by the private sector
The Data Act sets out a harmonized framework for the use by public sector entities of data held by entities in the private sector in situations where there is an exceptional need for the data requested (such as in response to a public emergency, e.g. pandemics or natural disasters), as well as where data is required for “fulfilling a specific task in the public interest that has been explicitly provided by law and cannot be obtained otherwise” (e.g. urban development).
Where the data requested is necessary to respond to a public emergency, access to the data will have to be granted without undue delay and free of charge. In other situations, the data holder is entitled to compensation that includes costs related to making the relevant data available plus a reasonable margin.
Again, the scope of the data accessible by the public sector seems unclear: any data, or only data generated by the use of connected products.
iv. Framework to enable consumers to switch effectively between providers of data processing services
The Data Act contains rules to facilitate users switching between data processing services. Such service providers are required to remove any commercial, technical, contractual and/or organizational obstacles related to services in order “to ensure that customers of their service can switch to another data processing service, covering the same service type, which is provided by a different service provider”. The Data Act provides an exception for technical unfeasibility, but the burden of proof in this regard lies with the service provider. Users should be able to switch between providers of data processing services without incurring any costs. However, it is to be noted that switching charges can continue to apply for three years following the entry into force of the Data Act.
v. Rules for interoperability of data processing services and safeguards against unlawful international data transfers
Operators of data spaces and vendors of applications or other persons using smart contracts must comply with essential requirements to facilitate interoperability of data. The European Commission may adopt further implementing acts that specify the interoperability requirements and may also request European standardization organizations to draft harmonized standards.
Additionally, the Data Act includes rules addressing unlawful third-party access to non-personal data held in the EU. The providers of data processing services are required to take all reasonable technical, legal and organizational measures in order to prevent the international transfer of, or governmental access to, non-personal data held in the EU, where such transfer or access would create a conflict with EU or relevant Member State law.
The EDPB-EDPS joint opinion on the Data Act
On 5 May 2022, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a joint opinion addressing certain concerns on the Data Act, urging European co-legislators to act in this respect and recommending several improvements. EDPB and EDPS stress the necessity to consider additional safeguards in order to avoid lowering the level of protection of the personal data in relation to:
- the rights to access, use and share data under the Data Act, which is likely to extend to entities other than the data subjects, including businesses; and
- the lawfulness, necessity and proportionality of the obligation to make data available to public sector entities on the ground of “exceptional need”.
They also consider that the oversight mechanism established by the Data Act may lead to fragmented and incoherent supervision.
So, what does this all mean? What is the expected direct impact?
In our view, the scope of the Data Act sometimes seems unclear, since some Chapters concern the reuse of data generated by the IoT, while other chapters (e.g. safeguards for SMEs/fairness test, sharing of data with the public sector bodies) seem to apply in general terms to all data.
In terms of legislative process, the number of regulations concerning big data seems quite high, potentially slightly overlapping, and the exact scope of each of these seems rather difficult to follow, especially for players that cannot dedicate sufficient resources to understand the impact or the benefits of the various regulations (e.g. the Free Flow of Non-Personal Data Regulation, the Database Directive, the Open Data Directive, the Data Governance Act, etc.).
Thirdly, in terms of business impact, while the scope of the mandatory sharing of data generated by the IoT is limited (sharing to the user and proxy holders of the user), and notwithstanding the fact that the sharing is intended to lead to increased competition (and while protecting the trade secrets), such sharing may in our view lead to an increase in anticompetitive / unfair practices among businesses.
Also, various businesses, especially the holders of data generated by the IoT will most likely experience lots of pressure and costs in implementing the various measures imposed by the Data Act, such as in relation to data access by design and business to business contractual framework for data access.
Article provided by INPLP member: Adelina Iftime Blagean and Nina Lazar (Wolf Theiss, Romania)
Dr. Tobias Höllwarth (Managing Director INPLP)