The EU Data Act and its Legislative Process
On 27 November 2023, as the final step in the legislative process, the EU Council formally adopted the Data Act. Not long before, the EU Parliament had passed the final text of the Data Act by an overwhelming majority on 9 November 2023. The Data Act will now enter into force following its publication in the EU’s Official Journal (which is expected in the coming weeks).
The Data Act aims to create the regulatory framework for a flourishing data economy in the European Union by reducing barriers to data access and imposing data sharing obligations, removing obstacles to switching of data processing services, and facilitating interoperability of data from different domains. Data is identified as a key economic asset that should be harnessed for the benefit of the economy, fostering innovation and growth. In the following, we will take a closer look at the two central regulatory topics of the Data Act: (1) Data use and data sharing as well as (2) cloud switching.
Data Use and Data Sharing under the Data Act
There is no doubt that the core provisions of the Data Act regarding data access, use and sharing (Art. 3 - 13 Data Act) will completely reshape the existing landscape of B2C and B2B relationships governing data use and data sharing. The Data Act primarily relates to Internet of Things (IoT) products (so-called connected products, cf. Art. 2(5) Data Act) and related services (cf. Art. 2(6) Data Act). Under the current legal regime, the party exercising actual control over data can generally exclude third parties from accessing data generated by use of connected products or services. The Data Act pursues a user-centric approach and aims to put the user of a connected product or related service in control of his/her data. The “user” is any natural or legal person who owns or has a temporary right to use a connected product or receives a related service (cf. Art. 2(12) Data Act). This includes the following main rules:
- Data use agreement: A data holder can no longer freely use any data generated by the use of the connected product or related service but will need a contract with the user (often called a data license) as the basis to make use of such data. The “data holder” may be the manufacturer of a connected product, a provider of a related service, or another person entitled or obliged under the Data Act, applicable EU law, or national legislation to use and make available data (cf. Art. 2(13) Data Act).
- Data access by design: Manufacturers of connected products and providers of related services are obliged to ensure that (1) any data generated by the use of a connected product that the manufacturer designed to be retrievable (product data, cf. Art. 2(15) Data Act) and (2) any data recorded intentionally by the user or generated as a by-product of the user’s action during the provision of a related service (related service data, cf. Art. 2(16) Data Act) are, by design, directly accessible to the user, where relevant and technically feasible (Art. 3 Data Act). This obligation is supported by pre-contractual information obligations. Access to such data, including relevant metadata, must be simple, secure, and free of charge, and data must be accessible in a structured, commonly used and machine-readable format; or
- Data access rights: Whenever product data or related service data are not directly accessible by design, the user has a right to request the data holder to make such data accessible – but only "readily available data, as well as the relevant metadata necessary to interpret and use those data" (Art. 4 Data Act). This means all product data and related service data that the data holder can lawfully obtain from the connected product or related service without disproportionate effort.
- Data sharing obligations: In addition, the Data Act goes beyond mere access and provides the user with the right to request the data holder to share “readily available data” with a third party (data recipient) (Art. 5 Data Act). To this end, the data holder must enter into an agreement with the data recipient that may not contain unfair terms. For this data access, the data recipient may have to compensate the data holder appropriately.
The following graphic illustrates the described new data economy situation under the Data Act:
The data holder only has certain limited veto rights against such access and data sharing by the user and third parties. In particular, the disclosure of trade secrets cannot be generally refused but only in certain cases, e.g., if the user or data recipient do not agree to or do not comply with agreed confidentiality measures or in exceptional circumstances if serious economic damage from disclosure is demonstrably highly likely.
Personal data is generally covered by the Data Act but applicable data protection law requirements (including the GDPR) remain unaffected and apply in addition to the Data Act. In particular, personal data may only be made available to a user who is not the data subject (i.e. the natural person identified or identifiable by the personal data) if there is a valid legal basis.
Consequently, data holders will need to know whether, and which, trade secrets and personal data are part of the data generated by the use of connected products or related services and are thus potentially subject to data access and sharing obligations.
The work ahead
The various new requirements and potentially severe implications under the Data Act require timely and thorough preparation by companies affected by the new rules (e.g., as manufacturer of connected products, provider of related services or in general as a data holder).
- Impact Assessment and Gap Analysis: The first step in preparing for the Data Act is to analyze the impact of the Data Act on the business model and carry out a compliance gap analysis and risk assessment.
- Data Governance: For companies affected by the Data Act, developing an appropriate data governance program (including appropriate policies, standards, and procedures) is one of the essential elements not only to ensure compliance with the legal requirements under the Data Act (and other legal regimes) but also to secure the continued fruitful use and exploitation of data for the benefit of future business strategies.
- Design & Development: New access by design obligations require companies to rethink their strategies concerning the design and development of connected products and services.
- Data Strategies: The Data Act will impose new rules that need to be taken into account as part of a future data use and compliance strategy when preparing and executing data use agreements, defining the strategies on how to handle or exercise data access/sharing requests, and protecting own data related assets (including trade secrets).
To prevent a lack of competition and lock-in effects in the area of cloud services, the Data Act will make it easier for customers to switch cloud services. Economic, technical, or organizational obstacles shall be minimized through the Data Act. Therefore, Chapter VI of the Data Act provides detailed specifications and restrictions for data processing service agreements regarding switching of cloud services. For example, agreements with data processing services shall contain a maximum notice period for initiating the switching process, which shall not exceed two months (Art. 25(2) lit. d) Data Act). The provider of related services must also ensure that all "data, applications and digital assets" can be transferred to a new provider within 30 days following this notice period (Art. 25(2) lit. a) Data Act). Finally, switching charges may only be imposed for a transitional period of three years from the date of entry into force of the Data Act and will then be completely prohibited (Art. 29 Data Act).
The Data Act will enter into force on the twentieth day following its publication in the EU’s Official Journal (which is expected in the coming weeks), and will apply 20 months after the date of its entry into force. However, while the main obligations will be effective from this date, certain obligations will only become applicable at a later stage (in particular, the access by design obligations under Art. 3(1) Data Act, which will apply to connected products and the related services placed on the market after 32 months from the date of entry into force of the Regulation):
Authored by Martin Pflüger, Sarah-Lena Kreutzmann, and Jasper Siems. Supported by Michael Niehaus.