The Data Act is intended in particular to promote the flow and use of data. This article provides an overview.
On 27 November 2023, the Data Act was adopted by the Council of the European Union after the European Parliament had already approved the legislative proposal on 9 November 2023. This means that only publication in the Official Journal of the European Union is required for it to enter into force (this took place on 22 December 2023 and the final text is available here).
The Data Act can be roughly divided into three sets of regulations:
- Data access and data sharing rights
- Switching between data processing services/interoperability
- Smart contracts
The user's right to access and share data holders' data has undoubtedly received the most attention to date. However, the articles on switching between data processing services also deserve attention.
Objective of the Data Act: Creating a single market for data and breaking down data silos
Data are fundamentally different from physical objects. Unlike a screw, for example, they can be used multiple times for a wide variety of purposes. Data can also be reproduced indefinitely without wear and tear. The European legislator states this essential characteristic of the digital good "data" right at the beginning in the first recital.
At the same time, use of data is expected to have great potential for innovation and long-term economic growth. Against this background, the Data Act pursues the goal of "optimal allocation of data to the benefit of society" (Recital 2).
Broad scope of application, as known from other regulations
The scope of application of the Data Act is far-reaching and is regulated in particular in Article 1 of the Data Act.
In substantive terms, IoT data from connected products and related services are covered with regard to data access and data sharing rights. The corresponding definitions can be found in Article 2 (5), (6), (15), (16) of the Data Act. It is important to note that the Data Act expressly applies not only to non-personal data, but also to personal data, Article 1 (2) of the Data Act. Unfortunately, there is no clear distinction between this and the EU General Data Protection Regulation (GDPR), which means that there are still many uncertainties in this respect.
As in the GDPR, the far-reaching market place principle applies in terms of territorial scope in accordance with Article 1 (3) of the Data Act.
Data access by design required in future
Although there are certain transitional periods for the Data Act (see below), Article 3 (1) of the Data Act basically triggers an immediate need for action for companies with multi-year development cycles and for research and development departments.
According to Article 3 (1) of the Data Act, connected products and related services must be designed in such a manner that the relevant data (including required metadata)
are, by default, easily and securely accessible to the user free of charge in a comprehensive, structured, commonly used and machine-readable format and, where relevant and technically feasible, directly accessible.
This data access by design must be guaranteed for all connected products and services related to them that are placed on the market 32 months after the Regulation comes into force. Roughly speaking, the requirements must therefore be met from Q1/27. With this in mind, the exact requirements should be worked out now in consultation with the research and development departments.
However, there is no obligation to collect data under the Data Act itself.
Data access as essential regulatory content
The Data Act provides for two essential requirements to promote the data economy. Firstly, the user should be given access to "their" data from the data holder (Article 3 (1) and Article 4 (1) of the Data Act). Secondly, the user may request that the data be shared with a third party* ("data recipient") directly (Article 5 (1) of the Data Act). This is intended in particular to promote follow-up and ancillary services – such as insurance or external/independent repair services, etc.
In this context, it is interesting to note that in accordance with Article 4 (13) of the Data Act, the data holder itself may only use the non-personal data generated by the customer on the basis of a contractual agreement (data licence agreement). In addition, there are (far-reaching) pre-contractual information obligations towards the (future) user of a connected product or related service pursuant to Article 3 (2) and (3) of the Data Act.
Data provision is subject to certain framework conditions
Articles 8-12 of the Data Act regulate the obligations for the data holder, who is obliged to make data available. It is regulated, for example, that – at the request of a user – data may also be made available to a data recipient on an exclusive basis (Article 8 (4) of the Data Act). With regard to consideration, Article 9 (1) of the Data Act, for example, stipulates that the data holder may request consideration with a reasonable margin from the data recipient. In accordance with paragraph 4, however, this does not apply if the data recipient is a small or medium-sized enterprise (SME) or a non-profit research institution. In addition, a dispute settlement procedure is regulated in detail in Article 10 of the Data Act.
In accordance with Article 41 of the Data Act, the Commission will draw up corresponding model contractual clauses. This has not yet happened, but is expected to take place within 20 months of the Act's entry into force.
"Review of general terms and conditions" for data licence agreements if an attempt was made to negotiate a clause
The Union legislator expects the Data Act to lead to a large number of contracts being entered into on data access and data use. Article 13 of the Data Act therefore regulates the circumstances under which contractual clauses are considered unfair and thus have no binding effect. Unlike the classic "law governing general terms and conditions" of sections 307 ff. German Civil Code (BGB), Article 13 of the Data Act applies directly to companies. In contrast to the first draft, which would have protected micro-enterprises and SMEs in particular, the current text provides for application to the entire B2B sector. It is noteworthy here that it is specifically necessary for a content review that a clause has been (unsuccessfully) negotiated (Article 13 (6) of the Data Act).
Data provision for public authorities as a lesson from the coronavirus pandemic
Articles 14-22 of the Data Act can probably be described as a lesson learnt from the coronavirus pandemic. They regulate data access rights for public bodies on the grounds of exceptional necessity. However, the request for provision is subject to strict limits and requires, for example, the existence of a public emergency and the impossibility of obtaining the data in a timely and equivalent manner by other means (see Article 15 of the Data Act).
As a kind of counterpart, Article 32 of the Data Act regulates protection against unlawful governmental access and unlawful governmental transfer.
Switching between data processing services will be simplified and free of charge in the medium term
The provisions in Articles 23-31 and 33-36 of the Data Act are also worth noting. The aim is to reduce the lock-in effect that can currently be observed in many cases. This can be seen, for example, in the fact that switching from one large hyperscaler to another is associated with legal, technical and economic hurdles. The Data Act seeks to remove these hurdles: short notice periods, technical support services, gradual withdrawal of switching charges.
The topic of interoperability is also addressed in the Data Act. In accordance with Article 2 (40) of the Data Act, this is "the ability of two or more data rooms or communication networks, systems, connected products, applications, data processing services or components to exchange and use data to perform their functions;". This possibility of collaboration is also intended to reduce lock-in effects.
Smart contracts are regulated
If smart contracts are used for the execution of data transfer agreements, certain requirements must be met in accordance with Article 36 of the Data Act. In accordance with Article 36 (1) b) of the Data Act, secure termination or interruption mechanisms are required.
Penalties are based on the GDPR and can amount to up to 4 % of annual global turnover depending on the offence
"The penalties provided for shall be effective, proportionate and dissuasive" – as stipulated in Article 40 (1) sentence 2 of the Data Act. Accordingly, infringements of the data provision and data transfer obligations are subject to the GDPR fines in Article 83 (5) GDPR. Depending on the offence, fines of up to 4 % of the annual global turnover can be imposed.
Transition periods, but hardly any protection of the existing conditions in the Data Act
Article 50 of the Data Act provides for a staggered entry into force of the individual provisions:
- Entry into force: 20 days after publication in the Official Journal of the European Union
- Application of principle: 20 months after entry into force
- Application of special rules:
- Article 3 (1) of the Data Act ("Data access by design"): Application for placing on the market as of 32 months after entry into force
- Chapter 3 ("Obligations of the data holders"): Application as of 20 months after entry into force for data provision obligations under Union law
- Chapter 4 ("Data T&C law"): Application on conclusion of contract as of 20 months after entry into force
- Chapter 4 ("Data T&C law"): Application under certain circumstances also to old contracts as of 44 months after entry into force
In other words: The Data Act does not provide for any fundamental protection of existing conditions of "old products" or "old contracts".
For more information on the Data Act contact your CMS client partner or these CMS experts:
Philipp Etzkorn, Björn Herbers, Philippe Heinzke, Michael Kraus, Tom De Cordier, Italo de Feo, María González Gordon, Johannes Juranek, Christina Maria Schwaiger, Ian Stevens.