Image source: Unsplash
On 23 February 2022, the European Commission presented its Proposal for a Data Act, a Regulation aimed at maximizing the value of data in the European Union economy “by ensuring that a wide range of stakeholders gain control over their data and that more data is available for innovative use.”
The Data Act will lay down harmonized rules on: (i) making data generated by the use of connected products or related services available to the user of these products or services; (ii) making data available by data holders to data recipients; and (iii) making data available by data holders to public sector bodies or EU institutions, agencies or bodies in cases of exceptional need (e.g., in cases of emergencies).
The proposed Data Act complements the Data Governance Act (expected to be adopted in the coming months), which aims at facilitating voluntary data sharing, without however setting out any new rights or amending existing rights on access to and use of data.
The (draft) Data Act regulates the sharing of personal and non-personal data and applies to a wide range of stakeholders, including (i) manufacturers of connected products or related services (that is, services incorporated in or inter-connected with a connected product in such a way that their absence would prevent the product from performing one of its functions); (ii) data holders (defined broadly as legal or natural persons having the right or obligation, in accordance with the Data Act, applicable EU law or national legislation implementing EU law to make available certain data), and (iii) cloud and edge service providers.
Consequently, the Data Act includes a variety of obligations that are applicable to these different categories of stakeholders.
Rules for manufacturers of connected products and related services
Chapter II of the Data Act sets out rights and obligations regarding access to and use of data generated from the use of connected products and related services. Amongst others, it introduces an obligation for manufacturers of connected products and services to provide certain information about access to data generated through the use of these products and services. It also imposes the obligation to design those products and services in a way that data are “by default, easily, securely and, where relevant and appropriate, directly accessible to the user” (Article 3). Furthermore, the draft Data Act introduces a right for consumers to access and use data generated by their use of a connected product or service (Article 4), as well as a right for third parties (except for designated gatekeepers as per the Digital Markets Act) to access, upon the user’s request, such data (Article 5).
Rules on mandatory business-to-business (“B2B”) data sharing
Chapter III of the Data Act lays down rules that will apply where data holders are under a legal obligation (under the Data Act or other EU or national legislation implementing EU legislation enacted after the Data Act becomes applicable) to make data available to a data recipient. Voluntary data sharing, therefore, remains unaffected by the rules set out in the Data Act.
In cases of mandatory data sharing, the data holder must make data available under fair, reasonable and non-discriminatory (“FRAND”) terms and in a transparent manner (Article 8). The data holder shall agree with the data recipient on the terms for making the data available, including the compensation for access to the data. Data holders have the burden of demonstrating that the terms relating to the availability of data are non-discriminatory. Data holders and data recipients would have access to dispute settlement bodies to settle disputes in relation to the determination of FRAND terms for and the transparent manner of making data available (Article 10).
The “unfairness test”
While freedom of contract remains the underlying principle of B2B data sharing, Chapter IV of the Data Act Proposal provides that unfair contract terms relating to data access that have unilaterally been imposed by an enterprise on a micro, small or medium-sized enterprise would not be binding. An “unfairness test” is set out, with the Data Act providing that a term will be deemed unfair if “it is of such a nature that its use grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing.” The Act further lists clauses that are either always unfair (e.g., if their object or effect is to exclude the remedies available to the party upon whom the term has been unilaterally imposed) or are presumed to be unfair (e.g., to prevent the party upon whom the term has been unilaterally imposed from using the data contributed by that party during the period of the contract).
The Data Act, furthermore, requires the Commission to “develop and recommend non-binding model contractual terms on data access and use to assist parties in drafting and negotiating contracts with balanced contractual rights and obligations” (Article 34).
Rules on business-to-government (“B2G”) data sharing
The Data Act Proposal provides that, upon request, a data holder should make data available to a public sector body or to an EU institution, agency or body where they demonstrate an exceptional need to use the data requested. Such an exceptional need is deemed to exist, for instance, where data is necessary to respond to a public emergency or where the lack of available data prevents a public body from fulfilling a specific task in the public interest that has been explicitly provided by law and it has been unable to obtain such data by alternative means (e.g., on market rates).
The Proposal sets out the procedure and conditions for requiring data to be made available to public authorities. For example, it is necessary to specify the data required, to explain the purpose, intended use and duration of the use, and to respect the principle of proportionality (Article 17).
Rules to facilitate switching between data processing services
Chapter VI sets out rules aimed at removing commercial, technical, contractual and organizational obstacles which may inhibit customers from effectively switching between cloud and edge service providers. It, inter alia, requires providers of data processing services to clearly include in their contracts clauses that support switching (Article 24), to gradually withdraw switching charges (Article 25), and to respect interoperability requirements (Article 26).
The proposed Data Act, furthermore, places restrictions on international data transfers of non-personal data by data processing service providers, requiring them to take all reasonable technical, legal and organizational measures to prevent international transfer or governmental access to data held in the EU where such transfer or access would create a conflict with EU or national law (Chapter VII). Moreover, it lays down requirements regarding data interoperability and smart contracts for data sharing (Chapter VIII).
It is clear, therefore, that the Data Act is a complex piece of legislation that will have an impact on the day-to-day operations of many companies doing business in the EU. Many questions are expected to arise during the legislative process and the implementation of the instrument, including the definition of “market rates” that would determine whether a public body is entitled to access data held by companies and the “fairness” test governing mandatory B2B data sharing.
The interplay between the Data Act and other regulatory initiatives
The draft Data Act is the latest addition to a number of existing legislative instruments and regulatory initiatives dealing with data. It remains to be seen how these various instruments will interact with one another. We illustrate this point by referring to the examples of the Digital Markets Act and the Platform-to-Business Regulation.
The Digital Markets Act (“DMA”)
The Data Act Proposal (Article 8(1)) lays down that “where a data holder is obliged to make data available to a data recipient under Article 5 or under other Union law or national legislation implementing Union law, it shall do so under fair, reasonable and non-discriminatory terms.” The term “other Union law” clearly also includes the DMA, which is expected to impose on gatekeeper platforms the obligation to share data with other service providers. More particularly, gatekeeping search engines should share with other search engines ranking, query, click and view data on FRAND terms. However, other categories of gatekeepers (e.g., app stores, e-commerce marketplaces) should share with their business users data free of charge. How will that inconsistency between the DMA and the Data Act be addressed? Will the Data Act prevail, thereby freeing gatekeepers other than search engines from the obligation to provide data for free? The answer is found in Article 12(3) of the Data Act, which lays down that the Chapter on B2B data sharing “shall only apply in relation to obligations to make data available under Union law or national legislation implementing Union law, which enter into force after [the date of application of the Data Act]”. In other words, the data sharing obligations introduced by the DMA are expected to remain intact. Though no explicit references to the DMA are made in the proposed text, Recital (87) mentions that the Data Act would be “without prejudice to rules addressing needs specific to individual sectors.”
The Platform-to-Business (“P2B”) Regulation
The Data Act proposal (Article 8(1)) further lays down that the data holder should make data available to a data recipient “in a transparent manner”. The text of the proposal does not explain what it means by “transparency”. Guidance on this matter seems to be provided by the P2B Regulation, which imposes on platforms a transparency obligation in relation to access to data. Article 9 of the P2B Regulation establishes that platforms “shall include in their terms and conditions [“T&Cs”] a description of the technical and contractual access […] of business users to any personal data or other data, or both, which business users or consumers provide for the use of the online intermediation services concerned or which are generated through the provision of those services”. The P2B Regulation further includes examples of data that might be included in the T&Cs.
Nevertheless, it should be noted that Article 9 of the P2B Regulation only applies to providers of “online intermediation services” (e.g., social networks, app stores) whereas the term “data holder” is arguably broader and perhaps not fit for purpose (will all “data holders” falling under the scope of the Data Act have unilaterally determined T&Cs within the meaning of the P2B Regulation)? Even if all data holders had unilaterally determined T&Cs, the P2B Regulation might not prove useful because it merely lays down that T&Cs should be drafted in “plain and intelligible language” (Article 3(1)) without, however, specifying what qualifies as such.
In sum, the Data Act is another complex legislative piece implementing the Digital Single Market Strategy. Many issues are expected to arise in the course of the legislative process and its implementation, including the “fairness” test it establishes and its interaction with other (equally complex) regulatory initiatives that govern data sharing.
Co-authored by Konstantina Bania and Theano Karanikioti