The European Commission's proposal for a regulation on harmonised rules on fair access to and use of data (the "Data Act"), originally published on 23 February 2022, was revised and adopted by the European Parliament last month, with the European Council submitting its proposed amendments shortly thereafter, thereby paving the way for negotiations on the final shape of the legislation.
Unlocking the potential of data
The European Commission, now backed by the European Parliament and the European Council, has recognised the ever-increasing importance of data within the digital economy. At present, data generated within the economy remains largely unused or lies under the control of only a few entities. The proposed Data Act aims to unlock the full potential of data and the innovation fuelled through its use, by eliminating barriers to the development of the data economy, while still preserving the European Union's privacy, security and ethical values.
Data availability
The Data Act would impose an obligation on manufacturers and designers to design products in a way which renders data easily accessible by default, while also being transparent as to access and accessibility of the data. Users who own, rent or lease a product or receive a service would be afforded a number of rights under the proposed legislation, allowing them to access and use data generated by the use of such products or services, including the right to request data holders to give access to the data to third party service providers. The data holder would be bound to make the data available to the data recipient under fair, reasonable and non-discriminatory terms, subject to reasonable compensation.
Terms related to data access and use between businesses
The Data Act addresses unfairness of contractual terms unilaterally imposed on SMEs in data sharing agreements with other businesses, rendering terms which do not pass this "unfairness test" unenforceable against SMEs, thereby protecting them as the weaker contractual party. The European Commission will also be formulating and recommending non-binding model contractual terms intended to assist SMEs in negotiating fair and balanced terms in data sharing agreements.
Use of data by public sector bodies and EU institutions, agencies or bodies
The Data Act would grant public sector bodies (including EU institutions, agencies and bodies) the right to request data from a data holder, subject to an exceptional need to use such data, and to specifying the data required and the manner in which it will be used, thereby holding them accountable and preventing them from making requests which are disproportionate or abusive.
Switching between data processing services
The Data Act aims to facilitate the process of switching from one data processing services provider to another for customers. Data processing services providers, such as cloud and edge providers, would be obliged to enable their customers to switch to the same service type provided by a different service provider, without facing commercial, technical, contractual and organisational obstacles to do so. This includes ensuring that a minimum level of functionality of the service can be maintained after the switch from one provider to another. The Data Act also sets out a number of terms to be included in customer contracts to safeguard the customer's right to an effective switching process.
Safeguards for non-personal data
Under the proposed Data Act, data processing services providers would also be obliged to take all reasonable technical, legal and organisational measures to prevent the international transfer or governmental access to non-personal data where such transfer or access would conflict with other EU laws or with the national laws of the EU Member State concerned.
Interoperability
The Data Act lays down a number of essential requirements to be met by operators of data spaces and data processing service providers with respect to interoperability, as well as essential requirements with respect to smart contracts for data sharing. The Act also promotes the smooth operation of a multi-vendor cloud environment by means of open interoperability specifications and European standards for the interoperability of data processing services.
Competent authorities and penalties for infringement
Under the proposed Data Act, each EU Member State would be required to assign responsibility for the application and enforcement of the Act to one or more competent authorities and establish penalties for infringements. The independent authorities responsible for monitoring the application of the GDPR (in Malta, the IDPC) would assume responsibility for monitoring the application of the Data Act insofar as it concerns the protection of personal data. The designated authority responsible for the application of the Data Act as a whole would have the competence to receive, handle and resolve complaints on alleged infringements.
Sui generis protection for databases
The Data Act would disapply the sui generis right established in Directive 96/9/EC (the "Database Directive") to databases containing data obtained from or generated through the use of a product or related service. The European Commission has clarified that the rationale behind this policy follows the Court's decision in British Horseracing Board Ltd v William Hill,1 stating that the sui generis right introduced under the Database Directive to protect databases was intended to protect investments in the collection of data, as opposed to the creation of data as a by-product of another economic activity.
Way forward
On 24 March, shortly after the Parliament's adoption of the proposed Data Act, the European Council submitted its own position thereon. While the Council supports the overall concept of the proposed legislation, EU Member States have asked for several amendments to the law, particularly relating to a more focused scope, clarifications as to the interplay between the Data Act and data protection law, the protection of trade secrets, data sharing requests by public sector bodies on the basis of exceptional needs, and the rules on switching between data processing services. The proposal is now set to enter the stage of trilogue negotiations between the European Parliament, Council and Commission, with the aim of reaching a provisional agreement which must then be formally adopted by each of these institutions.
Footnote
1. C-203/02, The British Horseracing Board Ltd and Others v William Hill Organization Ltd [2004] ECR I-10415
Originally published 27 April 2023
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
