Latest Posts
Search for:
In Data Privacy

Trilogue agreement reached on The Eu Data Act: What this means

by , and 4 Mins Read

The European Data Act is part of a comprehensive package of data-focused regulations proposed in February 2020 to achieve Europe’s data strategy. The strategy recognises that individuals are at the centre of data generation and that the use of personal data must prioritise its data subject’s protection but it also identifies that much of the data created is non-personal and represents an untapped source of growth and innovation. This is why the EU seeks to strike a balance between responsible data access, sharing and re-use, and EU values connected to personal data protection. Within this framework, the Data Act aims to foster a competitive data market by widening the wealth of industrial data, opening up prospects for data-driven innovation, and making data more available to all.

On 27 June 2023, the EU Council, Parliament and Commission (often known as the trilogue) reached an agreement on the Act’s provisions on the crucial issues of data sharing, trade secrets, contractual considerations, interoperability and cloud switching. The EU Parliament’s Committee for Industry, Research and Energy (ITRE) voted in favour of this provisional agreement during its 19 July 2023 session. We consider these aspects below and what the agreement means for the Internet of Things (IoT) and industrial data in the EU.

Key areas of consensus:

  • Data access and sharing: The Act entitles users of IoT devices to share their data with other parties or access it for free. Additionally, EU public sector organisations can use private sector organisations’ data in the event of a public emergency, such as a natural disaster, health emergency or to fulfil a legal obligation when the relevant information is not easily accessible through other channels.
  • Trade secrets protection: Users who contribute to data generation would be able to access and share their data with certain third parties. However, a source of contention had been the extent and form to which the organisation that holds the data can exclude the disclosure of sensitive commercial information that might harm its economic interests. It was agreed that the Act would protect trade secrets under limited circumstances, to ensure that manufacturers continue to be incentivised to engage in high-quality data generation.
  • No more barriers to cloud switching: It will be easier to switch from one cloud service provider to another. There will be greater data mobility allowing data subjects to effectively move between multiple cloud data-processing service providers. For context, the EU GDPR contains a similar concept known as ‘data portability,’ but this only applies to personal data, but with the Data Act a customer can request to transfer even non-personal data assets to competing or third-party providers.
  • Level playing field for contract negotiations: Small businesses (SMEs) will enjoy greater protection from unfair contractual terms in data sharing contracts through the use of non-binding model contractual terms.
  • Interoperability:  The European Commission will be empowered to develop common specifications to encourage data-processing service interoperability (which is the ability of computer systems to exchange information), data pooling, and simpler switching between providers.

What’s next for the Act:

The trilogue’s agreement concludes the legislative process. The agreement may now be formally adopted — it has already passed the EU Parliament’s ITRE Committee, with formal adoption by EU Parliament to follow within weeks. Once passed, it is reported that the Data Act will enter into force on the 20th day following its publication in the Official Journal and will become effective 20 months thereafter.

What this means for data-powered businesses operating in the EU:

The Data Act introduces some hurdles for enterprises and platforms that fall under its scope. The Act may have far-reaching consequences: 

  • Users would have broad access to the volume of data collected by internet of things (IoT) devices such as domestic appliances, health items such as fitness watches, networked autos, and others.
  • Although manufacturers can still use generated data and pass it on to third parties, they must notify users and obtain their permission first.
  • Users now have greater autonomy to request data they generated or port their data to a third party or another platform of their choice for free.

These looming developments may require changes to a company’s technological and functional frameworks, and data powered businesses should begin preparing to comply with the introductions in the proposed Act as soon as possible by reviewing existing policies and procedures to identify gaps between their current practices and the new requirements, identifying potential commercial considerations (such as trade secret sharing), reviewing standard contractual terms and implementing processes to enable data access and sharing in accordance with the proposed Act.

Categories:
Tags:
Author

Vin leads our London Data Privacy practice and is also a member of our Global Privacy & Security Leadership team bringing his vast experience in this specialist area for over 22 years, advising clients from various data-rich sectors including retail, financial services/fin-tech, life sciences, healthcare, proptech and technology platforms.

Author

Chiemeka works as a privacy specialist in Baker McKenzie's Intellectual Property & Technology Practice Group and is based in the firm's London office. He is a Nigerian-qualified lawyer who focuses in data protection, privacy, and technology transactions.

Author

Tamara is an associate in the Data Protection and Cyber team. She has experience advising clients across online media, music, e-commerce, financial services, technology, education and other sectors on a variety of data protection, privacy, product counselling and direct marketing matters.

Related Posts