Data protection

The EU Data Act leaves intact the separate rights and obligations under the EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (the EU GDPR) that apply to personal data.

The EU Data Act must be read in parallel with the EU GDPR, but builds on it and provides wider rules that apply to all ‘data’, which covers “any digital representation of acts, facts, or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording”.

The EU Data Act therefore deals with all data, not just non-personal data.

Who does the EU Data Act apply to?

The EU Data Act applies to various persons and entities, including:

• manufacturers and providers of connected products (e.g., IoT devices) and related services in the EU;
• data holders that make such data available to data recipients in the EU;
• businesses that are data recipients in the EU to whom data holders make data available;
• businesses providing data processing services (e.g., cloud services) to customers in the EU; and
• public sector bodies in the EU.

There are some exemptions for small and medium-sized enterprises (SMEs) and micro-enterprises.

What are the key points in the EU Data Act?

Sharing data from connected products and related services

The following obligations apply generally, but not to SMEs:

• Design – connected products and related services should be designed and made to allow, by default, easy and secure access by users (who could be either consumers or business users) to data generated through their use. You can see this as similar to ‘privacy by design’ requirements in data protection law, but here allowing data sharing and accessibility of any data.
• Transparency – before a contract is concluded for the purchase, rent or lease of a connected product or a related service, certain information must be provided to the user in a clear and comprehensible format.
• Right of users to access and use data generated by connected products or related services – where data cannot be directly accessed by the user from the product or related service, the data holder must make available to the user the data generated by the product or related service without undue delay, free of charge and, where applicable, continuously and in real time. Various related provisions govern:
  • how access must be provided;
  • protection of trade secrets and competition; and
  • protection of personal data where the user is not the data subject.
• Protection of users’ commercial interests – data holders may only use non-personal data generated by the use of a connected product or related service if a written contract is in place with users covering certain required terms, including provisions:
  • to allow the switching to another service within 30 calendar days of certain minimum information about the data and the switching, and assistance with the switching (including a minimum 30 calendar day period for data retrieval); and
  • to ensure the data holder does not use the data to derive insights about the economic situation, assets and production methods of, or the use of the data by, the user that could undermine the commercial position of the user.
• Sharing data with third parties in accordance with user instructions – there is an obligation on holders of data from connected products or related services to make the data available to third parties of the user’s choice. Users can authorise data to be given to other third parties and it should be easy for the user to refuse or discontinue access by the third party to the data. However, there are various exclusions and related conditions in Articles 5 and 6 including:
  • various related provisions governing the protection of personal data and trade secrets;
  • various provisions governing the purposes for which the third party may use the data;
  • data cannot be used to develop competing products; and
  • the third parties cannot include ‘gatekeepers’ (certain large, systemic online platforms as defined in the EU Digital Markets Act).
• Contractual terms – the EU Data Act will also help SMEs by requiring that the data holder agree with the data recipient the terms for making the data available where that is required under the EU Data Act. The agreement must be based on use of fair, reasonable and non-discriminatory contractual terms. Any clauses that do not pass a ‘fairness test’ will be not be binding. Not all contractual terms are subject to the test, however, only those unilaterally imposed on SMEs. The Commission will also develop model (non-binding) contractual terms to help SMEs draft and negotiate fair data sharing contracts.
• Compensation for data – data holders can require “reasonable” compensation from the data recipient for making the data available. Compensation must be fair, non-discriminatory and reasonable. For SMEs, it must not exceed the actual cost of making the data available.
• Dispute resolution – the EU Data Act includes provisions to resolve disputes between data holders and data recipients in relation to the determination of fair, reasonable and non-discriminatory terms for and the transparent manner of making data available.
• Sharing data with public bodies – there is an obligation to provide certain data to public bodies in exceptional circumstances, such as in response to a public emergency (e.g., natural disasters, public health emergencies, or terrorist attacks) or to fulfil legal obligations. In the case of information necessary to respond to a public emergency, access to the data will have to be granted without undue delay and free of charge. In other situations, the data holder is entitled to compensation. SMEs are excluded from these dating sharing obligations.

Cloud services and other data processing services: switching

There are new rules on cloud and data processing services to help customers to effectively switch between services (including porting data, applications and other digital assets) without incurring any costs (although the EU Data Act provides that switching charges will be able to continue for three years after the Act is in force). The EU Data Act also includes rules concerning technical aspects of switching.

Cloud services and other data processing services: international transfers or access to non-personal data

Subject to limited exceptions, adopting a similar stance as under the EU GDPR, the EU Data Act requires providers of data processing services to put safeguards in place and take all reasonable technical, legal and organisational measures to prevent the international transfer of or governmental access to non-personal data held in the EU where such transfer or access would create a conflict with EU or relevant member state law.

Interoperability

The EU Data Act:

• requires operators of data spaces and those deploying smart contracts to comply with certain requirements to facilitate interoperability; and
• allows the Commission to adopt further implementing acts that specify such requirements.

How will the EU Data Act be enforced?

Enforcement is at the hands of the competent authorities designated by member states (which may be either existing or new authorities), and any infringements will be sanctioned by administrative fines or financial penalties, also set at the national level.

The EU Data Act also paves the way for new dispute settlement bodies to settle disputes about data sharing and access.

What are the next steps and likely timeframes for implementation?

The Commission has only just submitted its draft legislative proposal to the European Parliament and Council, so the next step is for the text to be approved and adopted (although there is no current indication of when this will be).

In the meantime, the Commission is also looking to put together an expert group on business-to-business data sharing and cloud contracts to assist in developing the model contractual clauses – the deadline for applications is 6 April 2022.

It is important to note that when the EU Data Act is eventually approved, there will only be a 12-month implementation period.

In-depth 2022-063