Following consultation and intensive internal discussions in 2021, the European Commission on 23 February released its proposal for a “Data Act”. If adopted by EU lawmakers, this regulation will introduce a far-reaching legal regime on access to and use of non-personal data in the EU. Forming part of the Commission's “European strategy for data”, the Commission expects the Act to play a key role in the digital decade, helping to shape the rules for the digital economy and society, and to unlock “a wealth of industrial data in Europe, which should benefit businesses, consumers, public services and society as a whole.”
The basic idea underlying the Commission’s proposal is that industrial data – 80% of which are not used to date – constitute untapped potential. With the Data Act, the Commission aims at overcoming the legal, economic and technical obstacles responsible for the underuse of data and clearing the path for more data use. For this purpose, the Commission is proposing a set of rules on who can use and access various forms of data for purposes across all economic sectors in the EU. Under the Draft regulation, wide parts of the data collected by industries and consumers in the context of connected devices and digital services will have to be made accessible, technically and legally, to users who can further share the data with third parties. Contractual relationships between companies sharing data will become regulated, including the introduction of a FRAND standard. Moreover, users of data processing services, such as cloud computing services, will have the possibility of easily switching their service providers. Regarding all aspects of the regulation, attention is given to the protection of trade secrets and the specific needs of micro-, small- and medium-size enterprises.
The Data Act proposal is a horizontal regulation (i.e. it applies across sectors) and includes five areas of rules for access and use of non-personal data in the EU:
- Rules allowing users of connected devices (IoT products and services, virtual assistants) to gain access to data generated by them and to share such data with third parties (B2C and B2B data sharing).
- Rules on conditions for data access, under the Data Act or other EU legislation, introducing in particular the FRAND standard (data access conditions).
- Rules preventing abuse of contractual imbalances in data sharing contracts with SMEs (Prohibition of unfair terms).
- Means for public-sector bodies to access and use data held by the private sector that is necessary for exceptional circumstances, particularly in the case of a public emergency (B2G data sharing).
- Rules allowing customers to effectively switch between different cloud data-processing services providers and putting in place safeguards against unlawful data transfer (portability and standard setting).
1. Pillar 1: B2C and B2B data sharing
According to the Commission, data generated by connected devices is currently often exclusively harvested by manufacturers and only a small part of industrial data is used, while IoT users and third parties have no access to this data. To address this perceived market failure, the Data Act proposal contains rules allowing users of connected devices (e.g. IoT products and services, virtual assistants) to access data generated by them and to share this data with third parties. To enable this data access, manufacturers have an obligation to make data generated by the use of IoT products or related services accessible “by design” (and directly accessible by the user where relevant and appropriate). The user must also be provided in advance (before concluding a contract for the purchase, rent or lease of a product or service) with information on what data will be generated, how the user can access and share it, and for what purposes the manufacturer or service provider intends to use or share this data.
Users have a new general right to access and use data generated through IoT products and services. Data must be made available to them without undue delay, free of charge and “where applicable” continuously and in real time. To protect the data holder, trade secrets must only be disclosed if all necessary measures are taken to preserve confidentiality. One further important exception: the user must not use the data to develop a product that competes with the product from which the data originate. Data holders on the other hand will only be allowed to use the data generated by the product on the basis of a contractual agreement with the user.
Users may share data with third parties or allow them to request data from the data holders (i.e. the manufacturers or service providers) on their behalf. However, companies designated as gatekeepers under the upcoming Digital Markets Act (i.e. tech giants) do not qualify as eligible third parties, meaning they cannot use the Data Act as means to collect even more data by asking IoT users to share data with them.
To protect micro and small businesses, data access and sharing obligations do not apply to them.
2. Pillar 2: Data access conditions
The Data Act proposal further regulates how data is to be made available by data holders that are under an obligation to provide data to users or third parties. It is noteworthy that this obligation may not only follow from the Data Act itself, but from any other EU regulation or national regulation implementing EU law. However, as a matter of principle, data holders are not obliged to disclose trade secrets.
Where they are obliged to make data available, data holders must do so on fair, reasonable and non-discriminatory (FRAND) terms and enter into corresponding agreements with the entitled recipients. It falls upon the data holder to prove that the terms offered are non-discriminatory.
Although under that principle the compensation requested by the data holder must be reasonable, the Data Act proposal provides that, for requests by micro, small and medium companies, compensation may not exceed the costs directly related to making the data available to the data recipient and attributable to the request (i.e. the data must be provided at cost).
For disputes in relation to the determination of FRAND terms or whether data has been made available transparently, member states are obliged to set up, in addition to the respective state court system, a dispute settlement system consisting of dispute settlement bodies to be certified by the respective member states in accordance with the requirements of the Data Act – (i) necessary expertise, (ii) fair procedure, (iii) easy accessibility and (iv) quick decision. In case there is no dispute settlement body meeting such requirements, the member state must establish the body itself. The dispute settlement bodies must issue their reasoned decision within 90 days in writing or on a durable medium. The decision becomes binding on the parties only if the parties have explicitly agreed to it prior to the start of dispute-settlement proceedings. Otherwise, the right of access to state courts remains unaffected by the Data Act.
3. Pillar 3: Prohibition of Unfair Terms
The Data Act proposal also provides for external control of contractual terms in the B2B area similar to the one under the Unfair Contract Terms Directive (93/13/EEC), which is applicable in B2C relations only. A contractual term concerning the access to and use of data, or the liability and remedies for the breach or termination of data-related obligations, which has been unilaterally imposed by an enterprise on a micro-, small- or medium-sized enterprise, is not binding on such an enterprise if it is unfair. A contractual term is unfair if it is of such a nature that its use grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing. A contractual term is considered unilaterally imposed within the meaning of this article if it has been supplied by one contracting party and the other contracting party has not been able to influence its content despite an attempt to negotiate it.
Similar to the Unfair Contract Terms Directive (93/13/EEC), the Data Act proposal contains a list of presumptions whereby contract terms are to be considered unfair. However, this control of contractual terms does not apply to terms defining the main subject matter of the contract or to contractual terms determining the price to be paid. Where the unfair contractual term is severable from the remaining terms of the contract, those remaining terms remain binding.
4. Pillar 4: B2G data sharing
The Data Act proposal also contains rules on making data available to public sector bodies and Union institutions, agencies or bodies. While this B2G data sharing was a central element of the Commission’s initial proposal of last year, its scope was significantly limited following criticism from stakeholders and the Commission’s internal review board. In the final Commission proposal, obligations for companies to make data available to governmental bodies only apply based on exceptional need. Exceptional need will be deemed to exist where the data is necessary to respond to a public emergency or where the lack of data prevents the public sector body from fulfilling a specific task in the public interest, and it is not possible to obtain the data otherwise.
In case of a public emergency, data must be provided for free.
5. Pillar 5: Portability and standard setting
The Data Act proposal further provides a framework to enable users to switch more easily between providers of data processing services (e.g. cloud, edge and other computing and data storage services). The user will have an explicit right to switch providers, which will be enhanced by portability and compatibility obligations and by termination prerequisites favouring the user. The data-processing service providers must remove commercial, technical, contractual or organisational obstacles and will even have to assist in the switching process. As of a specified date in the future, switching charges for the user will first be reduced and at a later stage will no longer be allowed. Data processing service providers are also under an obligation to take reasonable measures for the protection of data against international transfer or governmental access.
The Data Act proposal further prescribes requirements and standards for open interoperability of data, data-sharing mechanisms and services, data spaces and data processing services, as well as requirements for smart contracts for data sharing. The Commission will be empowered to further specify interoperability requirements by delegated acts and may also request European standardisation organisations to draft harmonised standards. The interoperability will in particular determine technical aspects of switching between data processing providers.
Infringements of the Data Act will be subject to 'effective, proportionate and dissuasive' fines determined by the competent authorities as designated by the member states for the enforcement of the Data Act. These authorities will accept complaints, conduct investigations, monitor technological developments and cooperate with competent authorities of other member states. In line with the GDPR, fines may reach up to EUR 20 million or in the case of companies up to 4 % of the total worldwide annual turnover (whichever is higher).
For more information on the Data Act proposal and how it could affect your business, contact your CMS client partner or CMS experts: Dr Björn Herbers, Tilman Niedermaier, Markus Häuser, Moritz Pottek.