On February 23, 2022, the European Commission published its proposal for the EU Data Act, a sweeping regulation which aims to provide a harmonized framework for data sharing, cloud switching, and international transfers of non-personal data, The Data Act is intended to “form the cornerstone of a strong, innovative and sovereign European digital economy” according to the Commission’s press release. One main idea behind the proposal is the notion that every actor that contributes to the generation of data should be able to freely access that data. As such, the proposal touches upon both data protection and competition aspects.
Once adopted, the Data Act will have significant impact on the data economy in the EU. It will primarily affect providers of connected products and related services as well as cloud providers, but it will potentially also concern any company that holds any data – personal and non-personal – as a result of offering its services in the EU. The Commission proposal will now be debated in EU Parliament and Council and can be expected to enter into force by mid-2024.
The Data Act aims to regulate all “data”, which it defines as “any digital representation of acts, facts, or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording”. This broad definition includes both personal and non-personal data.
The scope is similarly broad in terms of who the Data Act will affect because it is likely to impose obligations and/or confer rights upon a host of stakeholders, in particular:
The proposed Data Act establishes a broad catalog of obligations for the different categories of stakeholders. On that basis, the Data Act can be expected to have a significant impact on the data economy across the EU. It may foster the inception of new IoT business models through easier access to IoT data. It contains provisions intended to facilitate switching between cloud services, which may increase competition among cloud providers and reduce any potential lock-in effects.
However, the Data Act’s obligations will also entail a significant compliance burden for IoT manufacturers and service providers, cloud services, and other data holders – and particularly for those relying on international data access and transfers.
To protect the data holder’s rights, data recipients must not make the data available to other third parties or use it to develop IoT products or services that compete with those of the original data holder. At the same time, data that is subject to trade secrets are only required to be disclosed under specific confidentiality arrangements (but the data must still be disclosed). It is unclear how compliance with these restrictions will need to be monitored. In practice, data holders will have limited means to prevent further uncontrolled sharing or use of data from their services.
Other areas that the proposal addresses are data access requests by public sector bodies across the EU, “smart contracts” in the context of data sharing, and the adoption of harmonized interoperability standards for data sharing. SMEs are exempted from certain of the above obligations.
The Commission draft is designed as an EU Regulation, i.e., the Data Act would become directly applicable without a need for Member States to transpose it into national law. The new provisions will be enforced by the individual EU Member States, which will each be required to designate one or more responsible authorities. This approach is similar to the EU General Data Protection Regulation (GDPR), for example, but different from the Digital Markets Act, where the Commission is intended as the sole enforcement authority.
Infringements will be sanctioned by “effective, proportionate, and dissuasive fines” – but without proposing any GDPR-style revenue-based penalties. The Data Act also foresees new dispute settlement bodies to solve disagreements about data sharing and access. In addition, many of the rights and obligations introduced by the Data Act will be subject to private enforcement before civil courts, and litigation can be expected, e.g., by customers trying to pursue the Data Act’s new data access or cloud switching rights.
Based on its current catalog of obligations and requirements, the draft Data Act will particularly touch on data protection and competition laws:
However, the Commission’s proposal evidently borrowed extensively from the GDPR regarding many of the Data Act’s key concepts: for example, the need to have a contractual agreement that justifies the use of non-personal data resembles the GDPR’s notion of requiring a valid legal basis for any processing of personal data. The provisions on switching cloud providers closely resemble the GDPR rules on data portability. Similarly, the proposal’s restrictions on international transfers of non-personal data are apparently modeled after the ones that apply to transfers of personal data under the GDPR. It is highly questionable whether such more or less direct transpositions of existing data protection rules to the realm of non-personal data are actually justified.
Data access and portability obligations can also be imposed upon companies designated as “undertakings with paramount significance for competition across markets” (UPSCAM), and they apply to dominant companies or to those with relative market power under the revised German competition law. Unlike these competition-specific obligations, the obligations under the Data Act will apply regardless of the competitive relationship between the data holder and recipient.
Beyond that, the proposed Data Act does not seem to interfere with other legal positions regarding in-scope data in terms of intellectual property rights or trade secrets.
Many aspects of the Commission’s draft are still unclear, e.g., its specific scope and details regarding its substantive obligations. These issues will now be addressed in the upcoming legislative discussion in the other EU bodies, i.e., the European Parliament and the EU Council, which will kick off as of today. Both can be expected to come up with their proposed amendments to the Commission’s draft by late 2022 or early 2023. The three EU bodies will then enter into “trilogue” discussions to find a political compromise and to eventually adopt the Data Act by mid-2023. Per the implementation period as currently suggested by the Commission, it will then become binding for all in-scope companies within twelve months.
At the same time, the Commission’s draft will likely put Member State initiatives for national “Data Acts” on hold or at least significantly limit their scope. For example, the new German government had planned to introduce its own statute to strengthen the access of anyone involved in the generation of data to their data. It remains to be seen what will happen with these plans.