Overview
On February 23, 2022, the European Commission (the Commission) published the proposal for a Regulation “on ensuring fairness in the allocation of value across the data economy” (Data Act). With the Data Act, the Commission essentially proposes a cross-sectoral governance framework, which establishes the right for users to access their data, rules to foster non-personal data sharing, as well as safeguards to prevent third countries from accessing EU data in the absence of an international agreement.
The Data Act sits neatly with the EU’s ambition to create a “genuine single market for data,” as stated in the European Data Strategy, by facilitating and securing access, use and transfers of data, and by better allocating and maximizing the data’s value to actors in the data economy. The draft Data Act is the latest addition to a flurry of data initiatives resulting from the Commission’s active and ambitious legislative pace. The key elements of the Data Act are provided below, along with some important definitions allowing to identify who’s who.
Who’s Who in the Data Act’s Ecosystem?
The Data Act Who’s Who has at least four awardees: users, data holders, data recipients and data processing services.
- Users, both individuals or companies, are those who generate data from using a manufactured product or service.
- Users may overlap to some extent with data holders, who do not always generate the data, but hold the data and are required to make the data available.
- A third party is another company to which the data may be transferred, and is, therefore, the data recipient, upon the user’s request - as the user has generated the data.
- A data processing service technically operates the transfer – those could be cloud services for example.
Better Control over Self-Generated Data: From Empowering Users to Limiting Data Recipients
The Data Act empowers the users by providing a set of rights to better control their data. It establishes a cornerstone principle by which users are to be given access, in an easy and timely fashion, to the data they have generated from using a manufactured product or service. The draft Data Act goes a step further in providing that users should also be allowed to request the sharing of their data with a third party. This is a significant step forward, as data holders have resisted sharing data with a third party, often perceived as competitors if operating in a similar market.
On the other hand, data recipients are subject to obligations. In particular, they can only use the data received for the purpose for which it was shared, and they are required to delete the data when it is no longer necessary to achieve the purpose for which it was received. They are also prevented from competing against the entity they got the data from, as well as from transferring it onwards to other third parties. The Data Act also prevents third parties from coercing users into sharing data.
The Data Act brings about what could be defined as data information/or communication duties. For instance, manufacturers of products are required to set up direct communication channels with the users, and to draft contracts including information on how data is collected, used, and accessible among others. Data processing services would also be required to inform users when access is being requested by a third country to verify the presence of a potential legal conflict. Actors in the data economy should therefore consider how to best fulfil their information duties.
Compensation for Making Data Available
The Data Act establishes that data holders may receive “reasonable” compensation for making data available such as when data sharing is required at the user’s request. Here, the data holder must explain to the data recipient how the costs were calculated. However, the Commission makes clear that such right to compensation is not to be understood as paying for the data itself, but rather to cover costs incurred and investments required for collecting and making the data available. These include costs for data reproduction, dissemination via electronic means and storage. This provision would likely be an item that will undergo significant discussions in the course of the legislative process.
Ensuring Fair Data Access: The Unfairness Test
The Data Act established an unfairness test, which seeks to ensure that SMEs, recognized as being in a weaker bargaining position, can free themselves of unfair data sharing contract terms. The test only applies to the terms of a contract unilaterally imposed and that relate to making data available. These include the access to and use of data, or the liability and remedies for the breach or the termination of data related obligations. Relevant authorities will then be guided by the list of indicators in the Data Act to determine what constitutes an unfair contractual term.
Gatekeepers Can’t Benefit from EU Data
The Data Act provides that so-called gatekeepers cannot be considered as a third party. Gatekeepers, as defined in the draft Digital Markets Act (DMA), are companies operating a core platform service and hold market power that has the capacity of undermining competition in the internal market. The DMA, therefore, establishes a list of ex-ante obligations determining what such companies can and cannot do. The Data Act preclude gatekeepers to benefit from EU data, another element that might be actively discussed in the course of the legislative process and impact the EU/US data relationships on top of the existing (personal) data tensions.
Preventing Unlawful Third Country Access and Transfer of EU Data
Data processing services could have an important role to safeguard against third countries unlawfully accessing or transferring EU non-personal data. The Data Act requires data processing services to prevent international transfers or governmental access to non-personal EU data when the access or transfer in question conflicts with EU or national law. Importantly, it also establishes that third country requests to transfer or to access non-personal EU data will only be valid, or enforced by legal authorities if based on an international agreement. The Data Act further clarifies that in the absence of such international agreement, the third country’s request to transfer or access data that may conflict with EU law may only occur under a set of conditions defined in the Data Act. This sounds almost like importing (another) GDPR concept into the non-personal data sphere.
Businesses to Share Data with Public Sector Bodies
The Data Act determines that in situations of exceptional need, such as public emergencies, and in situations where public sector bodies have an exceptional need to use certain data that cannot be otherwise obtained in a timely manner, data holders are obliged to share data. This comes hand in hand with some protective measures and the ability to challenge the requests made in certain circumstances.
The Commission may issue non-binding guidance specifying the technical arrangements for making the data available in an attempt to reduce the costs of making the data available and to promote common practices for data sharing between the private and the public sector.
Upcoming Sector Specific Data Sharing Rules
The Data Act, which would apply cross-sector, if adopted, contemplates additional sector-specific rules at a later stage, for more tailored data sharing rules for a specific sector. Two key examples currently being reviewed concern specific data sharing rules for health and vehicles. Experts working on the “Towards the European Health Data Space (TEHDAS) Joint Action” for the European Health Data Space found that the secondary use of health data cannot be governed by horizontal legislation due to the sensitive nature of the data. Therefore, the group is currently developing principles for the secondary use of health data that will complement the Data Act’s rules. Further, the Commission is expected to propose sector specific legislation in Q3 or Q4 this year to access car data. The Commission will start a public consultation on the sector specific rules before the end of March.
Next Steps
The European Parliament and the Council of the EU will work on reaching their respective positions on the Commission’s proposal, after which they will negotiate to finalize the legal text. The Commission’s proposal, if adopted in its current shape, would lead to a robust governance framework with extraterritorial reach. It further establishes principles that will be applicable under future EU legislation – such as for data access, and conditions for compensation. According to the proposal, the Data Act will apply 12 months after the date of its entry into force.
Lastly, additional measures will be adopted by the Commission under its implementing powers to harmonize technicalities to ensure, for example, the interoperability of smart contracts and to facilitate data sharing standards. The Commission may also draft voluntary model contract terms to facilitate business-to-business data sharing.
The Data Act contemplates new ways to generate value out of non-personal data by promoting a wide use/sharing across numerous actors. Balancing trade secrets or confidentiality (to protect companies’ assets) with open access and fostering innovation is a complex task.