EU data legislation stays firmly in the news recently, with a leak of the new EU Data Act finally providing some highly sought-after insight into the EU’s overall digital strategy. The leaked draft of the proposal has now become available in advance of the Commission’s formal publishing date of 23 February 2022.
The EU Data Act will be a fundamental resource in furthering the EU Commission’s aim to build a single market for data by facilitating data sharing between businesses and the public sector, while respecting rights in relation to such data and investments made into their collection.
The specific objectives of the proposal are to:
- Increase legal certainty regarding data sharing in relation to connected products and services.
- Promote access to data by public sector bodies and Union institutions in specific circumstances where there is a justification, such as public emergencies.
- Facilitate easier switching between cloud and edge data processing services (often referred to as ‘interoperability’).
- Provide for safeguards against unlawful data transfer without notification by the cloud service provider.
- Provide for the development of interoperability standards for data to be reused between sectors.
- Promote consistency with existing policy provisions in the policy area.
How will this look in practice?
New rights for individuals and businesses
- A new right for users or third parties authorised by users is introduced to access data generated from the use of an IoT object. Perceived benefits to IoT users are improved user experience and a wider range of services, e.g. repair and maintenance services.
- Smaller businesses will benefit from a system of protection against unfair contractual clauses in data sharing arrangements. This aims to help rebalance the playing field for smaller, weaker bargaining parties who often experience having terms unilaterally imposed on them. This shows consideration of the stakeholder consultations which revealed that in the business-to-business context, despite data sharing between businesses being a common practice, respondents that experienced difficulties identified obstacles such as those of technical nature (formats, lack of standards – 69% of respondents), outright refusal to grant access not linked to competition concerns (55%) or abuse of contractual imbalance (44%).
- Public sector bodies and Union institutions will get a right to use data held by enterprises in some limited circumstances, such as public emergencies and in situations where public sector bodies have an exceptional need to use certain data that cannot be obtained in a timely manner through enacting new legislation, by means of existing reporting obligations or on the market.
New obligations for service providers, manufacturers and designers
- Manufacturers and designers will have to design products in a way that the data is easily accessible by default in a transparent manner.
- Data holders will be required to make data available upon request to the user or their authorised third parties. Small and micro enterprises would be exempt from these obligations.
- Where a data holder is obliged to make data available to another enterprise as required by the proposed Act or other applicable legislation, conditions may apply and compensation may be available. Any conditions will have to be fair and non-discriminatory, and any compensation must be reasonable. Any compensation set for SMEs cannot exceed the costs incurred for making the data available.
- Businesses and individuals will be able to change processing provider more easily by introducing minimum regulatory requirements for cloud & other data processing services. The proposal suggests minimum levels of functionality unless this would be technically unfeasible, which the service provider would have to prove. This is good news for buyers looking to switch cloud providers.
Other proposed changes
Implementing acts may be passed to adopt common specifications and standards for interoperability and compliance with the essential requirements for the use of smart contracts.
Individuals’ data rights are preserved. Providers will have to take all reasonable technical, legal and organisational measures to prevent unlawful access to data by third parties in breach of individuals’ data rights.
The proposal also clarifies the legal protection of databases under the sui generis right in the IoT context, which aims to protect the investments in the collection of data as a by-product of another economic activity.
Interaction with other EU legislation
The proposal is said to comply with the GDPR and other data protection legislation and foresees additional safeguards for data rights as well as intellectual property rights. However, it remains to be seen how interoperability will work in practice. This will of course add another task to the list for compliance teams within companies affected by the legislation, but is an overall positive step towards a more fair digital economy.
Plans for enforcement, timelines and monitoring
- Enforcement: penalties will apply for infringements of the Regulation (to be covered within Chapter 9). This will include administrative fines or financial penalties (amounts are not yet prescribed) to be set by the relevant Member State to reflect the severity of the respective infringement. In addition, a complaints mechanism is intended to serve the unfair contract terms right added by Chapter 4.
- The Commission will recommend voluntary model contract terms on data access and use.
- Timelines: the Act is not in force as of yet, however with the final draft expected to be officially released on 23 February, businesses should be factoring this in to their product roadmaps and general compliance planning in order to avoid being caught out in a rush to comply.
- Monitoring: The effects of the Data Act will be reviewed every four years and appropriate further action will be taken.