EU Data Act proposals

On 23 February 2022, the European Commission (EC) published its proposals for a regulation to harmonise rules across the EU regarding fair access to and use of data, referred to as the ‘Data Act’. This proposal is part of a growing landscape of legislation that is supposed to implement the concepts highlighted by the EC in its “European data strategy” of 2020. Amongst other things, the draft Data Act sits alongside the Data Governance Act (which was approved by the European Parliament on 6 April 2022) (also see our article here on the draft of the Governance Act).

The Data Act will operate as an EU regulation i.e. would become directly applicable to EU member states without a need to transpose it into national law. It aims to challenge the constitution of data monopolies across various sectors, by reshaping existing power structures that favour large data incumbents and moving to solidify data as a non-rival good.

The EC states that the Data Act is intended to “unlock the value of data”, in particular for individuals, SMEs and public sector bodies. The regulation therefore (i) is designed to ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible for all; and (ii) is a “building block of the Commission's data strategy” and “will play a key role in the digital transformation, in line with the 2030 digital objectives”.

Scope

The proposed Data Act scope is broad and will impose a range of obligations on a range of groups, including:

• producers of connected devices (or ‘internet of things’ devices);
• providers of cloud or edge computing services; and
• public sector bodies.

Data under the Data Act is similarly broad and is defined as “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording” meaning, unlike the EU General Data Protection Regulation (EU GDPR), the Data Act will not just be limited to personal data.

However, quite similar to the EU GDPR, the Data Act does not only apply to companies that have their seat in the EU, but rather to any company (irrespective of their seat) that places its products or services on the EU market or makes its data available to recipients in the EU.

The Data Act will have an impact on many areas previously regulated by other EU legislation, such as the Free Flow of Non Personal Data Regulation, the Platform to Business Regulation or the Digital Markets Act. While the EU GDPR and the ePrivacy Directive shall take precedence over the Data Act, the Data Act is intended to be consistent with and expand on the EU GDPR, in particular expanding on the right to data portability that allows data subjects to move their data between controllers who offer competing services. Under the EU GDPR, this right is limited to personal data but the Data Act will enhance this right for connected products so that consumers can access and port any data generated by the product, both personal and non-personal.

Key objectives of the Data Act

Some of the key objectives listed by the EC are to:

• “Facilitate access to and the use of data by consumers and businesses, while preserving incentives to invest in ways of generating value through data”. This includes increasing legal certainty around the sharing of data obtained from, or generated using, products or related services and improving fairness in data-sharing contracts. The EC’s proposal also seeks to clarify the application of relevant rights under the Database Directive (96/9/EC) on the legal protection of databases to its provisions.

• “Facilitate switching between cloud and edge services”. The EC notes that access to competitive and interoperable data processing services is a “precondition for a flourishing data economy”, in which data can be shared easily within and across sectoral ecosystems. The Data Act will make it easier for parties to move data and applications from one provider to another without incurring any costs.

• “Put in place safeguards against unlawful data transfer without notification by cloud service providers”. This is based on concerns raised about non-EU/European Economic Area (EEA) governments’ unlawful access to data.

• “Provide for the development of interoperability standards for data to be reused between sectors”. The EC notes that this is to remove barriers to data sharing across domain-specific common European data spaces, consistent with sectoral interoperability requirements, and between other data that are not within the scope of a specific common European data space. The EC’s proposal mentions the setting of standards for smart contracts.

The Data Act allows member states to devise the penalties for infringements of the Data Act, which must be “effective, proportionate and dissuasive”. Breaches of Chapters II, III and V of the proposed Data Act also entitles data protection authorities to issue fines in line with Article 83(5) of the EU GDPR (i.e. up to EUR20m, or up to 4% of the total worldwide annual turnover of the preceding financial year). Natural as well as legal persons shall have the right to lodge a complaint – also collectively – with the competent supervisory authority, if they consider their rights under the regulation to have been infringed.

Next steps

The EC’s proposals must pass through the normal EU legislative procedure, meaning that both the European Parliament and the Council will review before it can be formally adopted and enter into force.

Providers of connected devices and cloud / edge computing service providers should monitor the progress of the Data Act, particularly when the comments from the European Parliament and the Council on the Data Act are published. Any businesses who receive or have access to data given to them by users/customers as part of the provision of their goods or services outside of these stakeholders should also monitor this space in case the EU legislative bodies agree to expressly expand the scope of the Data Act further.

The EC’s proposal currently states that the Data Act will apply within 12 months of it being passed.