EU Data Act

The EU Data Act will regulate how to access, share and port data in the EU – and beyond. The main aim of the EU Data Act is to make industrial data accessible, although personal data can also fall within the scope of the Act. The Act has three main sections:

– access rights of private bodies to data generated by IoT devices;

– access rights of public bodies in the public interest;

– switching of cloud service providers.

The European Parliament adopted the EU Data Act on 9 November 2023. The adopted version reads as follows (status: 9 November 2023):

https://www.europarl.europa.eu/RegData/commissions/itre/inag/2023/07-14/ITRE_AG(2023)751822_EN.pdf

The EU Data Act still needs to be adopted by the EU Council. However, this is a mere formality. Political consensus amongst the EU institutions had already been achieved on 27 June 2023 in the Trilogue negotiations. Since then, the agreed text has been amended only with regard to linguistic and editorial points.

The following cornerstones should give a flavour of the core contents of the Act:

1. Access rights by private bodies re. data from connected devices

At a Manufacturer-to-Customer level (customers can be businesses, consumers or public sector bodies), users of connected devices have a right to access the data they contributed to. Connected devices can range from smart home appliances to smart industrial machinery. The manufacturer or the service provider is in many cases the data holder. The customer is the user; that can be either an individual or a company. Data means the digitalisation of the respective user’s “actions and events” that result from the use of the device.

At a Manufacturer-to-Third-Party level, the user can also request the data to be shared with a third party, usually a company. This data sharing would then be based on contractual relationships between the third party on the one hand and both the user and the data holder on the other hand. As a result, both the user and the data holder can monetise their data. Companies can request from the data holder a data sharing agreement at FRAND conditions (fair, reasonable and non-discriminatory). The data holder would still be entitled to a margin, unless the third party is an SME.

Not all data are to be shared, but only those that are “readily available”, i.e. no disproportionate efforts should be required to provide the data. Only raw data or pre-processed data fall within the scope of the EU Data Act.

Data processed by “proprietary algorithms” do not fall within the Act’s scope, neither do content or any inferred data.

Once the data are not purely non-personal, but also contain personal data, i.e., once a so-called mixed dataset is subject to storage and potential data sharing, the conditions of the GDPR or other applicable data protection rules have to be met. One

2. Access rights vs. protection of trade secrets

Agreement has now been reached in particular on the sensitive point of trade secrets:

Industry was and still is concerned that commercially sensitive information has to be disclosed to other companies when granting access to data. However, the rule is that the trade secret needs to be disclosed. This requires that the data recipient, be it the user or the third party, takes the necessary steps to keep the data secret. This includes legal regulations like a Non-disclosure Agreement as well as technical and organisational measures. To this end, the so-called “trade secret holder”, which is not necessarily the data holder, has to identify the data qualifying as trade secrets. As a rule, the data holder is allowed to stop granting access to the data only if these measures are not implemented.

There is just one exception to this rule: the data holder may deny data access requests in exceptional circumstances, namely where the holder “is highly likely to suffer serious economic damage”. In such cases the respective competent national authority is to be notified in a timely manner for review of the denial.

3. Access to data by public bodies

Public bodies can request data from private companies under certain circumstances; this also concerns small and micro enterprises. Personal data also have to be shared – but only if it is required for responding to a public emergency.

4. Cloud portability

The Act eases switching from one cloud service provider to another, aiming to prevent a “lock-in effect”. Unbundling different cloud services must not be restrained and there must be no technical limitations. In addition, cloud providers have to provide transparent information about the switching conditions and related technical limitations.

5. Territorial scope of the Act

The Act will be applicable only if both the user and the data recipient are located in the EU. This means that data holders can decline access requests from parties established outside the EU. However, it is of paramount importance that the EU Data Act applies to manufacturers of connected devices and providers of related services worldwide, irrespective of their seat, provided that the device and service, respectively, is placed on the EU market.

6. Exemptions for Micro and Small Enterprises

Manufacturers of connected devices and providers of related services are, in general, exempted from the obligation to share data if they have fewer than 50 employees AND not more than 10 million euros turnover per year. However, there are exceptions to this exemption, in particular if the undertaking is part of a larger entity.

7. Enforcement

There won’t be a single point of contact at the national level to enforce compliance with the Act. So-called “competent authorities” will be established in the respective Member States. In addition, certified “dispute resolution bodies” will be set up. Beyond that, the national courts and tribunals still have jurisdiction, unless the parties agree otherwise. Parties can also agree on traditional arbitration.

8. Further steps

The Data Act is to become applicable 20 months after coming into force. Regarding the necessity to design connected devices and related services in a way that generated data are directly available from them, there is a grace period of an additional 12 months. As an EU Regulation, the Act will be directly applicable. For adoption, further formal steps are necessary over the next weeks. Once adopted, the Data Act will enter into force on the 20th day following its publication in the Official Journal.