Digital Economy

Data 360° – Commission’s proposal for the Data Act

The European Commission published its long-awaited draft regulation on harmonised rules on fair access to and use of data (Data Act) at the end of February. The aim of the Act is to provide a new regulatory framework for the European data economy and promote innovation and competition in this regard. This article provides an overview of the regulatory areas covered by the proposal.

Background

The EU sees data as a core component of the digital economy and an essential resource to secure the digital transition. The draft Data Act (hereinafter the “Draft Act”) is a key pillar of the European strategy for data of February 2020 and the second major initiative after the draft Data Governance Act.

There is at present no provision for ownership of or other exclusive rights to data in the EU. Data protection law only regulates the handling of personal data and this only from the point of view of protecting the data subject’s right to privacy. Answers to the question of who should be entitled to make commercial use of data can at best be derived indirectly from the General Data Protection Regulation (GDPR) and other data protection laws. Therefore, until now, control over data has been vested in those who had factual access to the data. In the case of devices connected to the Internet of Things (“IoT products”), this is usually the manufacturer (see also our article on data pooling between companies). According to the EU Commission, this de facto control exercised by device manufacturers impedes fair competition when it comes to aftermarket services for IoT products. This is because access to data generated by IoT products is essential for the development and provision of such services. The Data Act now aims to change this.

The aim of the Draft Act is not only to ensure a fairer distribution of data, but also to promote access to and use of data. The Draft Act does not create “data ownership”, but is instead geared towards making it easier for third parties to gain access to data.

The Draft Act addresses a large number of unresolved issues concerning the industrial use of personal and non-personal data. In doing so, it deals with the following:

  • Right of users of IoT products to access the data generated by the use of those products or related services
  • Prohibition of “unfair” standard contractual clauses in data use contracts
  • Right of public sector bodies to access data
  • Facilitating switching between data processing services
  • Requirements for interoperability between data processing services

In cases where (also) personal data are involved, the Draft Act takes its place alongside the GDPR and other data protection laws and does not restrict their applicability and scope. Stringent restrictions will therefore continue to apply to the commercial use of personal data even after the Data Act has come into force.

Right to access data generated by the use of products or related services (Articles 3 to 7 Draft Act)

According to Article 4 Draft Act, users who use a product that generates data can demand that the data holder grant them access to the data generated by the use of such product or any related service. In this context, “data holder” means any legal or natural person who has the ability, through control of the technical design of the product and related services, to make data available. “User” means any natural or legal person who owns, rents or leases a product or receives a service. According to the broad definition of “user”, several persons can be considered as having a right to the data, especially in the case of multiple-person scenarios (e.g. car sharing services). If the user is not at the same time the data subject as defined in data protection law, he or she may only be granted access to personal data if there is a legal basis for this under the GDPR as well (usually consent of the data subject or a contract between data subject and user).

The generated data must be made available without undue delay, free of charge and, where applicable, continuously and in real-time.

Although uninvolved third parties who are not users do not have a direct claim against the data holder for access to the generated data, users may, pursuant to Article 5 Draft Act, authorise such third parties to assert the right of access on their behalf. This provision expands the existing right of data subjects to “data portability” under Article 20 GDPR, i.e. the right to demand that a controller hand over their personal data to another controller. This means that the Data Act has enormous potential to open up the market for connected and aftermarket services to new market participants and promote competition. For example, in the automotive sector third parties could in future access the data generated by connected cars via the cars’ users – data which has to date mainly been available to the manufacturer – and thus offer new services such as new types of insurance plans or repair services.

Third parties may only process the data transmitted by the data holder for the purpose agreed with the user and must delete the data when they are no longer required for that purpose. This applies to both personal and non-personal data.

Chapter III Draft Act lays down the regulations governing the provision of data by data holders to third parties. In particular, the data must be made available under fair, reasonable and non-discriminatory terms (Article 8 Draft Act). The exact prerequisites for exercising the data access rights laid down in the Data Act as well as what this means for the economy will be examined in detail in a separate article in this series. 

The user’s right of access goes hand in hand with the manufacturer’s obligation to design IoT products in such a manner that data are easily, securely and, where relevant and appropriate, directly accessible to the user (Article 3 Draft Act). Some changes may be required as a result of this. Before concluding a contract, customers must also be informed about the data generated by the device, how they may access the data and whether such data will be passed on to third parties. This means that the obligation to provide information on the collection and processing of personal data, which already exists under Articles 13 and 14 GDPR, will be extended to include non-personal data and expanded considerably.

Prohibition of “unfair” contractual terms in standard data licensing agreements with micro, small or medium-sized enterprises (Article 13 Draft Act)

Another key component of the Data Act is the prohibition of “unfair” contractual clauses in standard data licensing agreements with micro, small and medium-sized enterprises (SMEs). This is to ensure that smaller enterprises or start-ups can also develop innovative digital business models through the use of data, avoiding the “take-it-or-leave-it” situations in which such enterprises usually find themselves (recital 52).

Based on the law governing general terms and conditions, Article 13(2) Draft Act stipulates that a standard clause is “unfair” if its use grossly deviates from good commercial practice in data access and use.

In addition, Article 13 Draft Act distinguishes between standard clauses that are always considered unfair (Article 13(3)) and clauses that are presumed unfair (Article 13(4)). The latter include clauses that allow the party that imposed the term to unilaterally access and use data of the other contracting party in a manner that is significantly detrimental to that party’s legitimate interests. Similarly, a clause preventing the other contracting party from obtaining a copy of the data contributed or generated by that party during the period of the contract is presumed to be invalid. The numerous requirements listed in Article 13 Draft Act to be met by contractual clauses may be of considerable importance for existing and future contracts in a data context.

The EU Commission also plans to develop and provide non-binding model contractual terms on data access and use to assist parties in drafting and negotiating contracts (Article 34 Draft Act).

Right of public sector bodies to access and use data in cases of “exceptional need” (Articles 14-22 Draft Act)

Moving away from a commercial context, the Data Act also stipulates that data holders must make their data available to a public sector body upon the latter’s request if exceptional need is demonstrated. According to Article 15 Draft Act, such an exceptional need is deemed to exist where the data is necessary to respond to or prevent a public emergency or where the lack of available data prevents the public sector body from fulfilling a specific task in the public interest. A further prerequisite for the right of access is that the public sector body was unable to obtain the data by alternative means, for example by purchasing the data on the market or by relying on other statutory provisions under which data can be obtained, and that there is no longer time to adopt new legislative measures in this regard. This restricts the scope of application. If a request is made for personal data to be made available, the public sector body should, according to the recitals of the Draft Act, demonstrate that the requirements under data protection law have also been met.

The Data Act also lays down the prerequisites for asserting and fulfilling this right of access as well as the legal remedies available to a data holder which has received a request for data. The data holder is generally entitled to compensation for the technical and organisational costs incurred to make the data available. 

Micro and small enterprises are to be exempt from the obligation to provide data in such cases.

Facilitating switching between providers of data processing services (Articles 23-26 Draft Act)

The Data Act further aims to facilitate switching between data processing services such as cloud and edge services to counter lock-in effects on this market.

Pursuant to Article 23 Draft Act, providers of data processing services must ensure that their customers can easily switch to another provider of the same service. In particular, providers of data processing services must remove commercial, technical, contractual and organisational obstacles which inhibit customers from

  • terminating the contract after a maximum notice period of 30 days;
  • concluding a new contract with another provider;
  • porting data, applications and other digital assets to another provider;
  • maintaining functional equivalence with the previous service after switching to another provider.

Article 25 Draft Act bans the imposition of charges for the switching process; this ban is to apply after a transitional period of three years following the entry into force of the Act.

The provisions on facilitating switching may make it necessary for cloud and edge providers to change their business models and may at the same time strengthen competition in this area.

Interoperability requirements (Articles 28-30 Draft Act)

Finally, the Data Act also deals with the interoperability of data processing services.

Article 28 Draft Act stipulates that operators of data spaces must fulfil a number of essential requirements (such as making information on the data formats used and the application programming interfaces required for data access publicly available) to facilitate interoperability of data and data sharing mechanisms. The Commission is also empowered to further specify these essential requirements in legislation, to publish guidelines in this regard and to instruct European standardisation organisations to develop harmonised standards for interoperability.

As far as the interoperability of data processing services and smart contracts is concerned, Articles 29 and 30 Draft Act provide for specific aspects to be addressed by future public interoperability specifications. The aim of the otherwise general provisions in this context is to establish interoperability in various sectors and areas of application of the data economy on the basis of the law. This could pave the way to unrestrictedly interoperable data services, making it possible to network different services in future and thus develop new types of data services.

Outlook

The response to the Data Act so far already points to a paradigm shift regarding access to and use of data. The introduction of the Data Act could mean that manufacturers of networked products and providers of data processing services, in particular, will have to make significant changes to their business operations and models. While the Data Act has not opted to introduce “data ownership”, it has strengthened the user’s power of disposition of the data generated by IoT products, regardless of whether such data are personal data, and at the same time restricted the rights of whoever has de facto control over the data (usually the manufacturer).

Although the Data Act could therefore promote innovation and competition in the data economy, it is not expected to enter into force before 2023.
