It may feel like there is a constant stream of new proposed regulations around data in Europe following on from the General Data Protection Regulation back in 2018. There is. The latest is the (rather unimaginatively and vaguely titled) ‘Data Act’ (the Act), which has finally received the green light from the European Commission’s Regulatory Scrutiny Board (having failed the independent review the first time round).
The European Commission has set a date of 23 February 2022 for formally publishing the Act, but a sneak peek has been published in the meantime.
What is this new Data Act?
The Act is one of the various regulatory initiatives which form part of the European Union’s data strategy aimed at making the EU a leader in the data-agile economy. Essentially, with the rising obsession with the value of data, it looks to make data sharing and use/reuse easier and to incentivise such initiatives with a proposed Regulation setting standards at an EU-wide level.
In terms of where it sits as against other laws, the Act complements the Data Governance Act (which focuses on reuse of public sector data in particular), covering business-to-business and government-to-business data in all sectors, whilst leaving the door open for more sector-specific vertical rules along the lines of open banking initiatives. It does not change legal positions around intellectual property rights, trade secrets and competition but does touch on certain rights in respect of databases. It leaves intact the separate rights and obligations under GDPR that apply to personal data, which must be read in parallel, but provides wider rules that apply to all ‘data’, which has a wide definition covering “any digital representation of acts, facts, or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording”.
Who does it apply to?
Manufacturers and providers of connected products and services (e.g., IoT devices) in the EU, users (enterprise or individuals) of such products and services, data recipients, public sector bodies in the EU and providers of data processing services in the EU. There are some exemptions for micro and small enterprises, as is often the case.
What are the key obligations?
- Products and services should be designed to allow easy accessibility by users (remember this could be consumers or business users) to data generated through their use and to be transparent about such data use and access. Data holders have to make the data available and users can authorise data to be given to other third parties. Data can’t be used to create competing products or services.
- It sets out the rules for compensation to data holders, who are required to make the data available, establishing that the compensation must be fair, non-discriminatory and reasonable. Similar to existing consumer rules, it also requires fairness in contractual terms between businesses in respect of data sharing.
- It sets out specific rules for the provision of data to public bodies in exceptional circumstances, such as in response to a public emergency (e.g., natural disasters or terrorist attacks) or to fulfil legal obligations.
- There are specific rules on cloud and data processing services to further facilitate switching between services.
- The Act also provides for further implementing acts to adopt common specifications which aim to address the lack of harmonised standards in order to improve interoperability. It also sets out minimum, essential requirements for the use of smart contracts, with vendors having to perform a conformity assessment.
- Companies need to take steps to prevent access to data from outside the EU.
- Enforcement is at the hands of the competent authorities designated by member states (which may be either existing or new authorities), and any infringements will be sanctioned by administrative fines or financial penalties, also set at the national level. The Act also paves the way for new dispute settlement bodies to settle disputes about data sharing and access.