On 27 June 2023, the European Parliament and Council resolved the remaining open points and reached a political agreement on the EU Data Act, paving the way for a new law that will introduce comprehensive new data legislation for Europe with far-reaching rules on access to and use of non-personal data in the EU.
The EU Data Act aims to boost the EU's data economy by unlocking industrial data, optimising its accessibility and use, and fostering a competitive and reliable European cloud market. To achieve these aims, the EU Data Act contains a set of rules defining how the various forms of data can be used across all economic sectors and by whom. The Act is a key element of the EU's data strategy, which aims to position the EU as a frontrunner in creating a data-driven society. While the law will bring new opportunities, it will also create legal, technical and financial challenges for many actors in the economy.
In this article, we summarise the EU Data Act and explore its key features in detail. We will also consider what is expected to happen next and when affected businesses will need to begin complying with it.
What is the EU Data Act about?
The Internet of Things (IoT) creates vast amounts of data, and data volumes are expected to skyrocket over the next few years. At the same time, the European Commission believes that 80% of industrial data collected is never used. Against this backdrop, the EU Data Act aims to boost innovation by removing barriers for access by consumers and businesses to data. Under the new regulation, much of the data collected by industry and consumers in the context of connected devices and digital services will have to be made accessible, technically and legally, to users who can then further share the data with third parties. In addition, the EU Data Act regulates access by governmental authorities to data in specific circumstances (e.g. emergencies). Contractual relationships between companies sharing data will also be regulated, including the introduction of a fair, reasonable and non-discriminatory (FRAND) standard. The EU Data Act also introduces regulations for data processing services, such as cloud computing.
The EU Data Act is a horizontal regulation (i.e. it applies across sectors) and includes five areas of rules for access to and use of non-personal data in the EU:
- rules allowing users of connected devices and services (e.g. IoT products and services, virtual assistants) access to data generated by them and to share such data with third parties (B2C and B2B data sharing);
- rules on conditions for data access (i.e. data-access conditions) and rules preventing abuse of contractual imbalances in data sharing contracts with SMEs (i.e. prohibition of unfair terms);
- methods for public-sector bodies to access and use data held by the private sector that is necessary in exceptional circumstances, particularly in the case of a public emergency (e.g. B2G data sharing);
- rules designed to facilitate customers switching between different cloud data-processing service providers (or bringing them back ‘in-house’) and new safeguards around data transfers (i.e. portability and standard setting); and
- measures to promote the development of interoperability standards for data-sharing and data processing (i.e. interoperability of data spaces).
The EU Data Act explicitly does not interfere with the EU General Data Protection Regulation (GDPR) or the EU e-Privacy Directive, preserving the powers of the supervisory authorities and the rights of data subjects under that legislation. In situations where the EU Data Act and the GDPR or e-Privacy Directive conflict, the provisions of those laws take precedence.
B2C and B2B data sharing
The main element of the B2C and B2B data sharing section of the EU Data Act are rules allowing users of connected devices (e.g. IoT products and services, virtual assistants) access to data generated by them and permission to share this data with third parties. To enable this, manufacturers have an obligation to make product data (i.e. data generated by the use of a connected product that the manufacturer designed to be retrievable) accessible “by design”. The data must be directly accessible by the user where relevant and technically feasible. The user must also be provided in advance, before concluding a contract for the purchase, rent or lease of a product or service, with information on what data will be generated, how the user can access and share it, and for what purposes the manufacturer or service provider intends to use or share this data.
Users also receive new general right to access and use data generated through IoT products and services. To protect the data holder (or other trade secret holders), the data holder and data recipients must agree on proportionate measures to preserve confidentiality. This aspect was highly controversial in the legislative process. While companies expressed concerns about an erosion of their know-how and feared severe economic damage, others argued that too strict know-how protection rules would make data access rights worthless.
The solution that has now been found represents a compromise that takes into account the protection interests of companies, particularly by ensuring that where there is no agreement on the necessary measures or if the user fails to implement the agreed measures or undermines the confidentiality of the trade secrets, the data holder may withhold or suspend the sharing of data identified as trade secrets. The withholding is subject to review by an authority to be appointed by the respective EU member state. Furthermore, a data holder has a veto right in exceptional cases where it is highly likely that – despite technical and organisational measures taken by the user – the data holder would suffer "serious economic damage" from the disclosure of trade secrets. Important elements in the assessment of whether a veto is justified are the enforceability of trade secret protection in third countries, the nature and level of confidentiality of the data requested and the uniqueness and novelty of the product. Again, the veto right is subject to review by an authority.
A user must not use the data they access to develop a product that competes with the product from which the data originates. Whether a product is in fact a competing product is determined by using the relevant EU competition law principles.
Users may share data with third parties or allow them to request data from the data holders (i.e. the manufacturers or service providers) on their behalf. However, companies designated as gatekeepers under the Digital Markets Act (DMA) do not qualify as eligible third parties, which means they cannot use the Act to collect more data by asking IoT users to share data with them.
To protect micro and small businesses, data access and sharing obligations do not apply to them.
Conditions for Data Sharing
The EU Data Act also establishes detailed rules for the terms and conditions for data holders to make data available to third parties.
Users will be able to decide that data holders share the data generated by the use of a product or related service with authorised third parties, without undue delay, free of charge to the user, of the same quality as is available to the data holder, easily, securely, in a comprehensive, structured, commonly used and machine-readable format and, where relevant and technically feasible, continuously and in real-time. Data holders on the other hand will only be allowed to use the data generated by the product on the basis of a contractual agreement with the user.
Authorised third parties can process data only for the purposes and under the conditions agreed upon with the user and must delete such data when it is no longer necessary for the agreed purpose. The data holder is not permitted to transfer the data to another party unless contractually agreed upon with the user and can only do so on the proviso that the third party takes all necessary measures agreed between the data holder and the third party to preserve the confidentiality of trade secrets. While data holders are required to provide adequate technical data protection, such protection should not make legitimate access to data more difficult.
The Act sets out specific measures to prevent third parties from coercing or manipulating consent to data sharing. The conditions for accessing data should follow the FRAND standard, and the data holder bears the burden of proof for their non-discriminatory nature. In particular, the data holder may not discriminate between comparable categories of recipients (e.g. by providing data of a different quality to its partners or linked enterprises).
The same applies to any data-related compensation. In B2B relations, data holders have the right to request compensation from third party recipients provided that it is non-discriminatory and reasonable. The compensation may include a margin and both parties should take into account the costs the data holder incurs for making the data available and the investment the data holder made in the collection and production of the data. Data holders must inform recipients of the basis for the calculation of such compensation. However, the Act does not provide any more specific criteria for this calculation except that, when the data recipient is a micro, small or medium enterprise or a non-profit research organisation, the compensation must be limited to the costs the data holder incurred for making the data available.
Government access (B2G)
The EU Data Act further regulates the availability of data to public sector bodies and to EU institutions, agencies or bodies in cases of exceptional need and where the required data is not available through other means. With the aim of ensuring legal certainty and minimising the administrative burdens placed on businesses, the EU Data Act requires data requests by public sector bodies and institutions to be specific, transparent and proportionate in terms of scope and content and to respect the legitimate interest of the business to whom the request is made. This approach is designed to ensure the protection of the data while allowing appropriate flexibility for the requesting body to perform their tasks in the public interest.
The new legislation introduces an obligation on data holders to make data available without undue delay. It also gives them the right to decline or seek modification of the request within a given timeframe if they do not have control over the data requested, if a similar request has already been submitted for the same purpose or if the request fails to meet the requirements set out by the regulation. Additional safeguards are also provided when the request to the data holder concerns personal data. To this end, the EU Data Act indicates that in case of exceptional need related to public emergencies, public sector bodies should use non-personal data wherever possible. In addition, there is a general prohibition on requesting personal data for matters not related to public emergencies. The burden of demonstrating the strict necessity and limited purpose for processing personal data lies with public sector bodies and EU institutions.
The EU Data Act will also impact the EU cloud services industry by placing new obligations on cloud service providers (CSPs). Broadly, these rules relate to customers switching between different CSPs or to on-premise infrastructure, transfers of data and digital assets, restricting access to data by foreign (non-EU) governments, and interoperability and data portability between data processing services. Many of the new obligations have been the subject of significant debate and changes throughout the legislative process, including during the recent trilogue. (See here for our articles discussing some of the key concerns/discussion areas).
The new obligations on CSPs are designed to make it easier for customers to switch between them or to on-premise infrastructure. They include removing obstacles to switching, specifying switching-related contractual terms that must be included in agreements between CSPs and their customers, provisions mandating the gradual withdrawal of switching and data egress charges, requirements on the technical aspects of switching and a specific switching regime for certain data processing services.
CSPs will also be required to implement adequate technical, legal and organisational measures to prevent international/third-country governmental access to and transfer of non-personal data held in the EU, where the access/transfer would conflict with EU law or the national law of the relevant member state. There are also provisions regarding what CSPs should do in the event of a third-country court judgment, namely that they would only be recognised/enforceable if based on an international agreement between the third country and EU and/or member state. In the absence of an international agreement and where the CSP is requested to give access to or transfer data covered by the EU Data Act, the access/transfer can only take place where certain conditions in relation to the third-country system and court are met.
The EU Data Act contains essential requirements for the interoperability of data spaces and data processing services (including requirements relating to the in-parallel use of data processing services). The requirements on interoperability of data processing services set out what European interoperability standards must include and how they can be introduced. The standards are also required to address data portability, including in relation to cloud data (and application) portability aspects of data syntactic portability, data semantic portability and data policy portability.
We will soon be publishing another Law-Now article discussing the principal changes made and positions reached in the final text regarding the obligations on providers of data processing services and the implications for the European cloud services industry.
What will happen next?
The political agreement reached on 27 June 2023 by the European Parliament and Council is now subject to formal endorsement by the two institutions. Currently the agreed-upon text is undergoing a legal-linguistic revision. Both co-legislators have announced that they will adopt the final text as quickly as possible. Once adopted, the EU Data Act will enter into force on the 20th day following its publication in the Official Journal and will become applicable 20 months after its entry into force – a relatively long implementation period, but one that is certainly necessary to give businesses time to prepare for the far-reaching changes that this new EU data law will bring.
For more information on the EU Data Act and how it could affect your EU-based business, contact your CMS client partner or these CMS experts:
Tom de Cordier, Italo de Feo, María González Gordon, Philippe Heinzke, Björn Herbers, Johannes Juranek, Michael Kraus, Christina Schwaiger, Ian Stevens, Caroline Callaby, Jake Sargent