Yesterday, the EU Commission proposed a new regulation called the Data Act. It contains extensive obligations for B2C, B2B and B2G data sharing, as well as rules requiring providers of cloud services to facilitate switching and interoperability between service providers. We’ve set out below our key takeaways.
- Personal or non-personal data? The Data Act applies to both personal and non-personal data and, in certain cases, supplements data subjects’ right to portability under Article 20 GDPR. We expect the interplay between the Data Act and the GDPR to be a topic of much discussion as the proposal makes its way through the EU legislative process, particularly given the difficulty in interpreting the EU’s anonymisation standard.
- B2B and B2C data sharing: providers of connected products and any related services (including voice assistants used to control those products and services) must make data generated by their use available to users (both businesses and consumers). Users can also ask these providers to make that data available to third parties (so that they can e.g. access a wider range of after-sales services, such as repair and maintenance). Access must be given for free, without undue delay and, “where applicable”, continuously and in real time, which could require significant infrastructure outlay for in-scope providers. These provisions are expected to have a particular impact on the market for connected cars.
- Unfair contract terms: where data holders are required to make data available to third parties acting in a professional capacity (either under the Data Act or other EU legislation), they must do so on fair, reasonable and non-discriminatory terms. Any terms concerning data that are unilaterally imposed on micro-, small- and medium-sized enterprises will be subject to a fairness test, similar in some respects to the fairness test for terms in consumer contracts under the Unfair Contract Terms Directive. This marks further “consumerisation” of B2B relationships at the EU level, which began in earnest with the P2B Regulation.
- B2G data sharing: data holders must make data available to public sector and EU bodies where those bodies can demonstrate an exceptional need to use the data requested (e.g. in case of public emergencies such as natural disasters, pandemics or terrorist attacks). We expect a strong push from industry for greater clarity on the circumstances in which data can be requested here, since the provisions as drafted are relatively broad.
- Switching cloud services: providers of cloud services must take measures to ensure customers can switch to another data processing service of the same type offered by a third-party provider, ensuring continuity of service during transition. Switching costs will be gradually phased out over a three-year period. There are also additional obligations depending on whether the provider is offering IaaS, PaaS or SaaS. These proposals will present many practical challenges for in-scope providers and we anticipate significant lobbying to mitigate, or at least clarify, their impact.
- International transfers: cloud services providers must take reasonable steps to prevent international transfers of non-personal data where it would create a conflict with EU or national law. Legal teams dealing with the fallout of Schrems II will shudder at the thought of another set of “supplementary measures”, so will be looking to the Commission to confirm whether existing protections in place for international transfers of personal data could be leveraged here, too.
- Interoperability: “operators of data spaces” must comply with certain requirements to facilitate interoperability of data, data sharing mechanisms and services. The Commission will work to promulgate harmonised standards, compliance with which would ensure conformity with these requirements. However, the Data Act proposal does not define “operators of data spaces”, so it’s difficult at this stage to determine precisely which organisations might be within the scope of these provisions.
- Sui generis database right: under the proposal, the sui generis database right set out in Article 7 of the Database Directive will not apply to databases containing data obtained from, or generated by, the use of a connected product or related service. From our perspective, this is overkill on the Commission’s part. A leaked version of the proposal simply provided that the sui generis database right could not be used to hinder the access rights provided for under the Data Act. However, the final proposal would prevent an organisation from invoking the sui generis database right at all in relation to these databases – even where that organisation hasn’t received any legitimate request to access the relevant data under the Data Act.
- Next steps? It’s still early days. The Commission’s proposal marks the start of the EU’s legislative process, which will see the Data Act reviewed and amended by Council and Parliament respectively before being debated in trilogues between the three institutions. Once adopted, the Commission has provided for a relatively short implementation period of 12 months (which could be reduced or increased at a later stage, depending on the outcome of trilogue negotiations).
Thierry Breton, Commissioner for Internal Market, added: “Today is an important step in unlocking a wealth of industrial data in Europe, benefiting businesses, consumers, public services and society as a whole. So far, only a small part of industrial data is used and the potential for growth and innovation is enormous. The Data Act will ensure that industrial data is shared, stored and processed in full respect of European rules. It will form the cornerstone of a strong, innovative and sovereign European digital economy.”

Data Act: measures for a fair and innovative data economy (europa.eu)