The EU is continuing to expand its data laws. After much anticipation and following a sneak peek of a leaked draft of the new data law in February 2022 (see: “What, another EU Data Act?!”), the European Commission has finally presented its formal draft Data Act (the EU Data Act).
Below we answer some key questions about the proposed EU Data Act.
What is the EU Data Act?
The EU Data Act is the second main legislative proposal forming part of the EU’s wider ‘European Strategy for Data’ adopted by the Commission in February 2020, which aims to make the EU a leader in our data-driven society.
In a nutshell, it looks to make data sharing and use/reuse easier for all by setting standards at an EU-wide level. The EU Data Act covers aspects of the use of various business-to-business and government-to-business data across all sectors in relation to the use of various data.
How does the EU Data Act fit with other laws?
Data does not fall neatly into one legal area, so the most pressing question is how these new proposals fit with those that already exist. Key interrelationships are as follows:
Data Governance Act
The EU Data Act complements the recently provisionally approved Data Governance Act (which focuses on the transfer of non-personal data, rules around the reuse of public sector data, and introduces a regime for data intermediaries). While both consider data sharing:
- The Data Governance Act focuses on providing a legal framework, processes and structures to promote data sharing.
- The EU Data Act focuses more on making clear who can create value from data and under what conditions.
Crucially, the EU Data Act generally does not look to change the legal positions around intellectual property rights, trade secrets and competition.
There is one exception, however, in that it does address certain rights in respect of databases; notably, it clarifies that databases containing data from IoT devices should not be subject to separate legal protection under database rights to ensure that they can be accessed and used. In other words, the application of the sui generis right under Directive 96/9/EC (the EU Database Directive) would not apply to databases containing data generated or obtained by the use of IoT/connected products or related services, such as sensors, or other types of machine-generated data.
This is to prevent holders of data claiming exclusivity over data generated by connected products.