Data Act: Overview
B2C and B2B data sharing
The main provisions applicable to business-to-consumer (B2C) and business-to-business (B2B) data sharing are set out in Chapters II and III:
- Chapter II imposes sweeping new obligations on manufacturers of products that collect data to share such data with the users of their products and related services and with third parties at users’ request.
- Chapter III sets out requirements relating to the compensation and other conditions for such sharing.
Manufacturers (other than micro or small enterprises) will have to design and manufacture products and related services so that data they generate will be, by default, easily, securely and directly accessible to the user. Likely inspired by the Commission’s findings on virtual assistants in its consumer IoT sector inquiry, products and related services include virtual assistants insofar as they are used to access or control a product or related service, but the implications of this provision are not clear where the product manufacturer and virtual assistant provider are unrelated companies.
Contracts to purchase, rent or lease products or use related services that collect data will have to include extensive data-related information. Information to be provided includes:
- The nature and volume of the data likely to be generated by the use of the product or related service.
- Whether the data is likely to be generated continuously and in real-time.
- How the user may access those data.
- Whether the manufacturer intends to use the data itself or allow a third party to use the data.
- Whether the seller, renter or lessor is the data holder and, if not, the identity of the data holder.
- How the user can contact the data holder.
- How the user may request sharing with a third party.
Where data cannot be directly accessed from a product, the data holder (e.g., the product’s manufacturer) must make the data available without undue delay, free of charge and, where applicable, continuously and in real-time.
At the user’s request, data holders must make such data available to third parties in the same manner, free of charge to the user. The Data Act does not limit the third parties with whom users may require data holders to share data, except notably to exclude “gatekeeper platforms” subject to the Digital Markets Act. Here the Commission likely has in mind aftermarket service providers and the new category of neutral data intermediaries to be created under the Digital Governance Act.
A third party shall process the data made available to it only as agreed with the user (subject to the rights of the data subject insofar as personal data are concerned) and shall delete the data when they are no longer necessary.
Data holders will enjoy some protections:
- They need only disclose trade secrets subject to specific, necessary protections to ensure confidentiality.
- Users cannot use data to develop a competing product.
Chapter III imposes obligations on data holders required to make data available:
- Data holders obliged to make data available to a data recipient must enter into agreements on fair, reasonable and non-discriminatory terms and in a transparent manner. Any compensation will have to be reasonable, and in the case of SMEs, cannot exceed the costs incurred for making the data available.
- A data holder shall not make data available to a data recipient on an exclusive basis unless requested by the user.
- Data holders and data recipients shall not be required to provide any information beyond what is necessary to verify compliance with the contractual terms agreed for making data available or compliance with their obligations under the regulation or other applicable law.
Data holders may apply appropriate technical protection measures, including smart contracts, to prevent unauthorised access to the data and to ensure compliance with the Data Act and the agreed contractual terms.
However, data holders cannot assert a sui generis right under the EU Database Directive, because the Data Act provides that such rights do not apply to databases containing data obtained from or generated by the use of a product or a related service (essentially, machine-generated data).
A data recipient that has provided inaccurate or false information, deployed deceptive or coercive means or abused evident gaps in the data holder’s technical infrastructure, or used the data for unauthorised purposes or disclosed those data to another party without authorisation, is required to destroy the data made available by the data holder and any copies thereof.
Such a data recipient can also be required to end the production and marketing of goods, derivative data or services based on knowledge obtained through such data and destroy any infringing goods (except where the use of the data has not caused significant harm or such a remedy would otherwise be disproportionate).
Unfair contractual terms imposed on SMEs
Chapter IV prohibits unfair contractual terms unilaterally imposed in data sharing contracts on micro, small or medium-sized enterprises. Chapter IV includes a list of clauses that are either always unfair or presumed to be unfair, relating (among other things) to limitations of liability or restrictions on remedies or data usage.
Public sector data access for exceptional needs
Chapter V allows for the use by public sector bodies of data held by businesses in cases of exceptional need:
- In public emergencies, such as public health emergencies or major disasters, data would be made available for free.
- In other cases of exceptional need, including to prevent, or assist with the recovery from, a public emergency, a data holder would be required to make data available but would be entitled to compensation covering costs related to making the relevant data available, plus a reasonable margin.
Switching between data processing services
Chapter VI introduces new contractual, commercial and technical requirements for providers of cloud, edge and other data processing services to enable switching between such services.
In particular, providers of data processing services will be required to remove commercial, technical, contractual and organisational obstacles inhibiting customers from:
- Terminating their agreements.
- Concluding new agreements with a different provider covering the same service type.
- Porting their data, applications and other digital assets to another provider of data processing services.
- Maintaining functional equivalence of the service in the IT-environment of the different provider or providers of data processing services covering the same service type.
Contracts with data processing service providers will be required to set out the parties’ rights and obligations in relation to switching. These will include clauses allowing the customer to request:
- To switch to a data processing service offered by another provider of data processing services or to port all data, applications and digital assets generated directly or indirectly by the customer to an on-premise system on no more than 30 days’ notice (during which a data processing service provider shall assist and, where technically feasible, complete the switching process and ensure full continuity).
- An exhaustive specification of all data and application categories exportable during the switching process, including, at minimum, all data imported by the customer at the inception of the service agreement and all data and metadata created by the customer and by the use of the service, including, but not limited to, configuration parameters, security settings, access rights and access logs.
- A minimum 30-day period for data retrieval.
Data processing service providers will initially be able to charge customers for costs directly linked to the switching process, but such charges must be phased out within three years.
Providers of data processing services that concern infrastructural elements, such as servers, networks and related virtual resources, but that do not provide access to the operating services, software and applications that are stored, otherwise processed, or deployed on those infrastructural elements, shall ensure that the customer enjoys functional equivalence in the use of the new service after switching.
Other data processing service providers shall make open interfaces publicly available free of charge, ensuring compatibility with open interoperability specifications or European standards for interoperability under Chapter IX (see below).
Where open interoperability specifications or European standards do not exist, data processing service providers must export all data generated or co-generated, including the relevant data formats and data structures, in a structured, commonly used and machine-readable format.
Safeguards for non-personal data transfers outside the EU
Chapter VII addresses unlawful third party access to non-personal data held in the EU by data processing services offered in the EU.
The Data Act will require data service providers to take all reasonable technical, legal and organisational measures to prevent access to non-personal data that conflicts with competing obligations to protect such data under EU law, unless strict conditions are met.
More specifically, any decision or judgment of a non-EU governmental body requiring a provider of data processing services to transfer from or give access to non-personal data held in the EU may only be recognised or enforceable if based on an applicable international agreement, such as a mutual legal assistance treaty.
Absent such an agreement, a provider of data processing services that is required to transfer from the EU, or give access to, non-personal data held in the EU, where compliance with such a decision would conflict with EU or Member State law, may provide such access only where:
- The requirement is specific, reasoned and proportional.
- It is subject to court review.
- The non-EU body or reviewing court is empowered to take into account the legal interests of the data provider under EU or Member State law.
Interoperability for data spaces and data processing service providers
Chapter VIII provides for essential requirements for interoperability for operators of European data spaces, data processing service providers and smart contracts for data sharing.
Operators of data spaces will have to facilitate interoperability of data, data sharing mechanisms and services. More specifically:
- The dataset content, use restrictions, licences, data collection methodology, data quality and uncertainty shall be sufficiently described to allow the recipient to find, access and use the data; the data structures, data formats, vocabularies, classification schemes, taxonomies and code lists shall be described in a publicly available and consistent manner.
- The means to enable the interoperability of smart contracts within their services and activities shall be provided.
Data processing service providers will also be subject to essential requirements in relation to interoperability. Open interoperability specifications and European standards for the interoperability of data processing services shall:
- Be performance-oriented towards achieving interoperability.
- Enhance portability of digital assets.
- Guarantee, where technically feasible, functional equivalence between different data processing services.
- Address the cloud interoperability aspects of transport interoperability, syntactic interoperability, semantic data interoperability, behavioural interoperability and policy interoperability.
- Address the cloud data portability aspects of data syntactic portability, data semantic portability and data policy portability.
- Address the cloud application aspects of application syntactic portability, application instruction portability, application metadata portability, application behaviour portability and application policy portability.
Smart contracts for data sharing: A different set of essential requirements will apply
Smart contract application providers shall comply with the following essential requirements:
- Safe termination and interruption.
- Data archiving and continuity.
- Access control.
Such providers must perform a conformity assessment and issue an EU declaration of conformity. A smart contract that meets harmonised EU standards shall be presumed to be in conformity with the essential requirements.
Similarly, operators of European data spaces that meet EU harmonised standards shall be presumed to be in conformity with the essential requirements.
The Commission may request one or more European standardisation organisations to draft harmonised standards that satisfy the essential requirements. Where harmonised standards do not exist, or the Commission considers them insufficient, the Commission shall adopt common specifications.
The Commission may also adopt guidelines laying down interoperability specifications for the functioning of common European data spaces, such as architectural models and technical standards implementing legal rules and arrangements between parties that foster data sharing (such as regarding rights to access, and technical translation of consent or permission).
Implementation and enforcement
In line with many other EU regulatory frameworks, but unlike the Digital Markets Act, the Data Act will be enforced at the Member State level by designated national authorities.
The Data Act, as proposed, would apply one year after adoption and publication in the EU Official Journal. Two years later, the Commission will conduct an evaluation of the regulation, in particular as regards the inclusion or exclusion of categories or types of data or the exclusion of gatekeeper platforms as beneficiaries of the data transfer right.