EU Data Act (Part 2): unfair terms in data sharing agreements

Context

The Data Act Proposal (available here) is a fundamental necessary step towards the digital transformation journey of the EU Member States. Together with the Data Governance Act (available here), both regulations establish the framework of a standardised set of European rules on fair access and use of data.

The proposed Data Act aims to guarantee that a certain level of fairness is reached throughout data legislation in the EU by setting rules regarding the use of technological devices and the data originated therefrom. It is a reality that rights in that matter are often imprecise, even being sometimes impossible for users or companies to realise and exploit the full potential of the devices or digital gadgets they use and the data they collect. The Data Act Proposal tries to solve this situation and provides a stronger and more consistent right to share data (personal and non-personal). The list of cases where this happens is endless: from virtual assistants, health devices, industrial equipment, vehicles, home equipment, consumer goods, telephone networks, television cable networks, satellite-based networks and near-field communication networks. The Data Act will be transversal to all business sectors in the EU economy.

In the first post of the Data Act series (available here), we addressed the right to data sharing that is created in the Data Act Proposal. The scope of this sharing right includes the obtention of the data generated by the use of products or related services by any user (individual or company) from the manufacturer; or designer of a product or related service; or the relevant rightsholder of the service (broadly, the data holder).

Data Sharing Contract: starting point for all cases

The Data Act Proposal has the aim of making data available to all users of services that produce data, in particular micro, small or medium-sized enterprises (as an exception, gatekeepers under the Digital Markets Act (DMA) cannot exercise their data sharing right under the Data Act). From this perspective, the European Union further reinforces the vision of a cohesive and strong Europe in its willingness to establish a European data space. A first step in this direction had already been taken under Regulation 2019/1150 (P2B Regulation), which mandated online intermediation services to include in their terms and conditions a description of the technical and contractual business users' right, or absence thereof, to access data processed in the context of the service.

As a guiding principle for the purposes of the Data Act, the parties should remain free to negotiate the precise conditions for making data available in their contracts, within the framework of the sharing right. However, when drafting the data sharing contract, the following shall be taken into account:

1. Before concluding a contract, the user shall be provided with some mandatory and comprehensive information, for instance:

(a) the nature and volume of the data likely to be generated by the use of the product or related service (e.g. data that measures user´s engagement with the product – the most frequently accessed features, the average time spent taking a specific action or a map of user´s journey through the product);

(b) whether the data is likely to be generated continuously and in real-time (e.g. data generated by wearable devices in healthcare sector);

(c) how the user may access those data (e.g. by contacting the data holder or through the product´s settings);

(d) whether the manufacturer/service provider intends to use the data itself or allow a third party to use the data and, if so, the purposes for which those data will be used;

(e) whether the seller, renter or lessor is the data holder and, if not, the identity of the data holder.

2. The data provided shall have the same quality as is available to the data holder and, where applicable, it shall be shared continuously and in real-time (e.g. through the product´s or application's settings).
3. Contractual terms shall be fair, reasonable, transparent and non-discriminatory. A data holder shall not discriminate between comparable categories of data recipients.
4. The user or third party recipient cannot use the data to develop a product that competes with the product from which the data originates.
5. The data holder shall not use such data generated by the use of the product or related service to derive insights about the economic situation, assets etc of the user or third party recipient (e.g. analyse the type of device from which the user connects to an app to make predictions about his or her economic status).
6. Where the user is not the data subject, the user or the third party recipient (as data controllers) shall have an appropriate legal basis of processing.
7. Trade secrets shall only be disclosed to the extent that they are strictly necessary to fulfil the purpose agreed between the user and the third party and all specific necessary measures are taken to preserve confidentiality. The nature of the data as trade secrets and the measures for preserving the confidentiality shall be specified.
8. The data holder may apply appropriate technical protection measures, including smart contracts, to prevent unauthorised access to the data and to ensure compliance with the  sharing right as well as with the agreed contractual terms.
9. Data holders and data recipients shall have access to dispute settlement bodies.

Unfair contractual terms imposed on SMEs

Very often data holders have a strong negotiation position, which is usually the case with major tech companies, and may want to reduce as much as possible the sharing rights or include favourable contractual terms in data sharing agreements. Therefore, the Data Act Proposal addresses the unfairness of contractual terms in data sharing contracts between businesses in situations where a contractual term is unilaterally imposed by one party on a micro, small or medium-sized enterprise. That could be regarded as a paradigm shift in European contract law. So far European law on controlling not individually negotiated contractual terms was limited to B2C agreements, while some EU-Member States applied the rules to control the fairness of B2B agreements.

The Data Act Proposal guarantees that contractual agreements on data access and use do not take advantage of imbalances in negotiating power between the contractual parties. In situations of unequal bargaining power, the fairness test protects the weaker contractual party in order to avoid unfair contracts. Data Act Proposal refers to two requirements to identify clauses to which the fairness test should apply. On the one hand, the Data Act Proposal demands that the relevant clauses is "unilaterally imposed" by one party. The other party must not have been able to influence the clause despite an attempt to negotiate it. Therefore, if a party simply accept the relevant contract term without any opposition, it will not benefit from the fairness test. On the other hand, the fairness test only applies to micro, small or medium-sized enterprises (SME).

The rules on the contractual terms level the fairness test should only apply to those elements of a contract that are related to the sharing right, that is contractual terms concerning the access to and use of data as well as liability or remedies for breach and termination of data related obligations. Other parts of the same contract, unrelated to making data available, should not be subject to the fairness test.

A clause will be considered unfair if:

1. it is of such a nature that its use grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing;
2. exclude or limit the liability of the party for intentional acts or gross negligence; or exclude the remedies available to the party in case of non-performance of contractual obligations;
3. give the data holder the exclusive right to determine whether the data supplied is in conformity with the contract.

A clause will be presumed unfair if (among others):

1. it inappropriately limits the remedies in case of non-performance of contractual obligations or the liability;
2. the sharing right is included in a way that is significantly detrimental to the legitimate interests of the party;
3. it prevents the party to make use of the data during the period of the contract or not allow the  use, capture, access or control of such data or exploit the value of such data in a proportionate manner;
4. it includes an unreasonable short notice taking into account alternative and comparable services, except where there are serious grounds to do so.

The limitation of the manufacturer’s or designer’s freedom to contract and conduct a business is mitigated by its unaffected ability to also use the data, insofar it is in line with the applicable legislation and the agreement with the user. Furthermore, the manufacturer or designer will also benefit from the right to require compensation for enabling third party access.

In any case, the Commission will publish a non-binding data sharing agreement that could be useful as a benchmark of what is considered to be “balanced” in terms of the right to data access for the purposes of the Data Act.

Right to obtain compensation

Data holders have the right to obtain “reasonable” compensation from third party recipients (i.e. not the own user) for making data available. They shall provide the data recipient with information setting out the basis for the calculation of the compensation in sufficient detail so that the data recipient can check it out.

In case of large companies, or when the data holder is a small or medium-sized enterprise and the data recipient a large company, the parties are considered capable of negotiating any compensation if it is reasonable.

However, when the data recipient is a micro, small or medium enterprise, any compensation agreed shall not exceed the costs directly related to making the data available to the data recipient and which are attributable to the request (i.e. the operational cost of handling the query). Direct costs for making data available should be limited to the share attributable to the individual requests, taking into account that the necessary technical interfaces or related software and connectivity will have to be set up permanently by the data holder.

Data Protection Content

When the data to be shared between companies qualifies as “personal data” under the GDPR, the contractual terms shall also address this situation and contain the necessary clauses:

• Where the data holder and the user are joint controllers (art. 26 GDPR) they shall enter into a joint controller agreement, with the mandatory content of art. 26 GDPR, local data protection laws of Member States and the guidance issued by regulators.
• Where the data holder and the data recipient are independent controllers, there is no obligation to include any specific data protection wording. However, it is extremely advisable to include the proper clauses regarding the protection of personal data, depending on the interests of each party.

If the user is a data subject, data holders should be obliged to provide them access to their data and to make the data available to third parties of the user’s choice. The Data Act Proposal complements the portability right under the GDPR to the extent that it covers (i) not only personal data, but also non-personal data; (ii) data that is actively provided and passively observed data; and (iii) any data regardless of the legal basis of processing by which personal data was collected and processed.

In addition, access to any data stored and accessed from terminal equipment is subject to the E-Privacy Directive and requires the consent of the subscriber or user within the meaning of that Directive.

Next steps

• Businesses should start including favourable provisions in their data sharing contracts to have a stronger position when the Data Act becomes applicable.
• Keep an eye on our Engage publications as we will publish more posts in relation to Data Act!
• Once approved, there is only a twelve month envisaged period prior to the direct application of the Data Act, so companies should have in mind the necessary implementations to be carried out.

Authored by Juan Ramón Robles, Joanna Rozanska, Valerio Natale and Jasper Siems