In February 2022 the European Commission presented its proposal for the EU Data Act, which – if adopted - will introduce a far-reaching legal regime on access to and use of non-personal data in the EU and will, similar to the GDPR, be applicable to businesses established outside the EU. The proposed regulation contains a set of rules defining how various forms of data can be used and by whom for purposes across all economic sectors with the aim of creating a new data-agile ecosystem. While the new law will bring new opportunities, it will also create legal challenges for all actors in the economy. The EU Data Act proposal has therefore been the subject of intense discussion. Now the Co-Legislators European Parliament and Council of the European Union, who must jointly adopt the act, have defined their respective positions (European Parliament on 14.03. and Council 24.03.). This means that the legislators' final negotiations, which are therefore called a "trilogue" since the European Commission will also be consulted, are now ready to start. Both the European Parliament and the Council call for a series of changes to the Commission proposal, in particular regarding its relation to privacy law, the protection of trade secrets, business-to-government data requests or international data transfers. However, the two legislators are not so far apart on most points and a speedy agreement therefore seems likely.
What is the EU Data Act about?
According to the European Commission, 80% of industrial data collected are never used. Against this background, the draft EU Data Act aims to boost innovation by removing barriers for access by consumers and businesses to data. Under the proposed regulation, much of the data collected by industries and consumers in the context of connected devices and digital services will have to be made accessible, technically and legally, to users who can further share the data with third parties. In addition, access of governmental authorities to such data in specific circumstances, such as emergencies, is regulated. Contractual relationships between companies sharing data will also become regulated, including the introduction of a FRAND standard. Moreover, the draft introduces regulation for data processing services, such as cloud computing. Data processing services will be obliged to ease the process of switching to competing service providers. Regarding the overall regulation, attention is given to the protection of trade secrets, the protection of personal data and the specific circumstances where there is an imbalance of negotiation powers, as is the case, for example, if micro, small and medium-sized enterprises are involved.
The Data Act proposal is a horizontal regulation (i.e. it applies across sectors) and includes the following five areas of rules for access and use of non-personal data in the EU:
- Rules allowing users of connected devices and services (e.g. IoT products and services, virtual assistants) access to data generated by them and to share such data with third parties (B2C and B2B data sharing).
- Rules on conditions for data access by third parties under the Data Act or other EU legislation, and in particular introducing the FRAND standard (data-access conditions).
- Rules preventing abuse of contractual imbalances in data sharing contracts with SMEs (Prohibition of unfair terms).
- Means for public-sector bodies to access and use data held by the private sector that is necessary for exceptional circumstances, particularly in the case of a public emergency (B2G data sharing).
- Rules allowing customers to effectively switch between different cloud data-processing service providers and putting in place safeguards against unlawful data transfer (portability and standard setting).
The Data Act is subject to ordinary legislative procedure, meaning that both the Council and the Parliament need to adopt the legislative proposal for it to become law. Both institutions have welcomed the Commission's proposal but have, nevertheless, intensely discussed it over the last 12 months. This also reflects the fact that the Commission is breaking new ground with its proposal. While EU law in data has so far focused on data protection (and thus, in case of doubt, against use), the Data Act proposal aims in the other direction: on the usability of data. Discussions in the Council and Parliament have focused on the industry's concerns that access claims, which are too far reaching, could allow competitors to spy on their products. There have also been discussions on the relationship to data protection law, access rights of the public sector and data transfers.
European Parliament position of 14 March
The European Parliament was first to adopt its position. On 14 March, MEPs voted in favour of the proposed changes to the EU Data Act proposal in the final report of rapporteur Pilar del Castillo Vera. The Parliament generally endorses the Commission proposal and points out that the new law could contribute to the development of new services, particularly in artificial intelligence where huge amounts of data are needed for algorithm training, and could also lead to better prices for after-sales services and repairs of connected devices. However, MEPs have demanded several changes to the text proposed by the Commission. Notable changes concern central definitions, the further strengthening of the user's position while at the same time restricting the data owner's rights of use and the scope of the data-access right, which gives manufacturers control over the data they want to make available "by design" (rather than prescribing access to any data collected by products or services). Furthermore, in the Parliament position MEPs enforced the protection of trade secrets addressing in particular the risk of competitors using data access to reverse-engineer-engineer products or services. MEPs also call for stricter conditions on data requests by the public sector. Finally, the Parliament proposes additional safeguards against unlawful international data transfer by cloud service providers
Council position of 24 March
On 24 March, shortly after the Parliament's decision, member states also agreed on its position on the Data Act Proposal in the Council of the European Union. Like Parliament, the Council supports the objective of "making the EU a leader in our data-driven society" and the overall concept of the proposed law. Member states, however, are asking for several changes to the law in their negotiating mandate to the Council. These changes in particular concern a more focused scope of the law, clarifications on the interplay between the proposed law and the data protection law, the protection of trade secrets, data sharing requests by public sector bodies based on exceptional needs and the rules on switching between data processing services.
Table set for final negotiations
Council and Parliament call for amendments on the same issues. At the same time, the negotiating positions of the co-legislators are not far apart. Hence, the trilogue negotiations, which could start as early as this week, are likely to proceed quickly and an agreement might be reached before the summer recess or immediately thereafter.
The final negotiations will cover the following important topics:
- Scope of application: The Council wants to limit data-access rights to data generated by IoT devices and related services that is "readily available" to the data holder, and not any data generated by the device/service. This significantly reduces the burden on companies. Similarly, Parliament wants to give access only to data that is available to data holders or data recipients. In this respect, it will be important to find a solution that is as clear and practical as possible.
- Protection of trade secrets: Both the Council and the Parliament demand a stronger protection of trade secrets. For this purpose, the Council proposes a veto against data access claims for the data holder, but only in exceptional circumstances and where the data holder can show a high risk of serious damage (e.g. risk of insolvency). According to the Parliament's position, the data holder should have the right to suspend the provision of data in case of non-compliance with protective measures agreed upon between data holder and recipient. Both co-legislators recognise that trade secrets require special protection to avoid undermining incentives to innovate. However, neither approach appears to be fully developed. This will be (and must be) a focus of the discussions.
- Gatekeeper: Both Council and Parliament maintain the "gatekeeper ban" under which companies designated as gatekeepers by the Commission under the Digital Markets Act (DMA) cannot make data-access claims. This applies not only to their respective core platform services, but in general. This far-reaching restriction will continue to be the subject of discussion, especially since, according to the legislative materials, the Data Act is not intended to regulate gatekeepers, but to strengthen the data economy of which gatekeepers are important elements.
- Compensation for making data available: According to the Commission proposal, a data holder may demand compensation for sharing data with third parties, so long as such compensation is reasonable and non-discriminatory. The Council wants to clarify that the compensation may also provide for a margin not only taking into account the costs for providing the data but also on investments made for the collection of data. The Parliament, however, demands free-of-charge data sharing with consumers and only cost-based compensation for SME and non-profit organisations. In addition, according to the Parliament's proposal, the Commission should develop guidelines for the calculation of reasonable compensation. In a B2G context, both the Parliament and the Council want to grant the data holder the right to demand reasonable compensation, which "at least cover the costs" (Parliament) or "with a margin" (Council) and each with the right of the public-sector body to challenge the amount before the competent authorities. The Commission, however, prefers solely cost-based compensation.
- Role of the user: While the Council basically adopts the Commission proposal regarding the user’s role, the Parliament's position significantly strengthens the user’s position by requiring the user’s consent for the data holder to use the data (including a right to withdraw such consent), which gives the user the right to share data with third parties, including granting the right to transfer the data to other third parties, demand remuneration for data sharing and limiting the data holder’s right to make use of its product dependent on the user’s consent. In addition, the data holder is not allowed to use the data for other purposes than its own internal processes or to share the data directly with third parties. The user is also allowed to develop competing products as long as such products are not in direct competition with the product the data derives from. In addition, the scope of data governed by these rules is extended to derived data unless the derived data consist of "information derived or inferred from this data by means of complex proprietary algorithms".
- Unfair terms: Both the Council and the Parliament extended the provisions on unfair contractual terms to all B2B relationships (as opposed to relationships with micro, small and medium enterprises). The Parliament added further examples of unfair terms and broadened the scope of applicability by introducing unspecific concepts such as the impairment of the ability to protect its "legitimate commercial interest in the data in question" or "a significant imbalance between the rights and the obligations of the parties in the contract". Notably, Parliament also provides for a retroactive effect of such rules making it necessary to assess and potentially amend all existing agreements accordingly.
- Cloud Switching: Additional regulations for Cloud Providers (e.g. maintaining the secrecy of data during the "porting process"; metadata as customer data; contractual obligation to ensure the full erasure of all data, including metadata, once the porting is completed). Notably, additional language regarding the switching to on-premise systems has been added by the Council. The Parliament added a refined definition of the concept of "functional equivalence", maintaining that the "destination service delivers comparable outcome in response to the same input". This definition is shorter than the Commission’s proposal and omits the requirement that the destination service must also deliver the same level of security, operational resilience and quality of service.
- International data transfers: Parliament calls for even tighter safeguards on third-country transfers. In the absence of an international agreement on data transfers, this should only be possible after an assessment by the competent authority in the event of a conflict with EU law. The Council added additional language to safeguard transfers, if data transfers impinge on national security or the defence interests of the EU or a member state.
For more information on the EU Data Act proposal and data regulations in the EU, contact your CMS client partner or these CMS experts:
Björn Herbers, Philippe Heinzke, Michael Kraus, Julia Dreyer, Tom de Cordier, Ian Steven, María González Gordon, Beatriz Alegre Villarroya