Quick Law Review: EU Data Act

The final text of the Data Act was adopted on 27 November 2023.[1] The Data Act applies to a narrow set of data: data generated by Internet-connected (IoT) devices, and access to that data. Examples of such products include vehicles, household appliances and consumer products, medical and healthcare devices, and agricultural and industrial machinery;[2] the Act also covers virtual assistants. The Data Act unlocks ecosystems that lock customers into aftermarket services: for example, an internet-connected lift cannot be repaired by a service provider independent of the manufacturer if that provider does not have real-time access to the technical status of the lift.

The Act is based on the recognition that, when using certain products and related services, at least two actors are involved in the creation of the data generated by the use of the product: the manufacturer (designer) of the product and the person using it (user).[3] Without users, the data would not be created, while the legal status of the data generated by IoT devices, including access by users and third parties they authorise,[4] is currently uncertain. The regulatory concept does not take a position on the legal basis of data holders and does not create new rights of access.[5] The Act is based on the de facto or de jure position of the data holder's actual rights over the data generated by the products or related services. According to the Commission, 80% of the data generated by IoT devices, for example, remains completely unused.[6]

The Act contains rules on six topics:[7]

  • making product and related service data available to the user;
  • the provision of data by data holders to data recipients independent of the user;
  • the provision of data by data holders to public sector organisations, the Commission, the European Central Bank and Union bodies, where there is an exceptional need for that data in order to perform a specific task carried out in the public interest;
  • facilitating switching between data processing services;
  • introducing safeguards against unlawful access to non-personal data by third parties;
  • the development of interoperability standards for data access, transmission and use.

Data sharing

The Act distinguishes three levels of data sharing, two of which apply to the user and one to a third party authorised by the user. SMEs are exempted from the regulatory burden of complying with the data sharing obligation.[8]

The first level of user access is access-by-design. This means that connected products should be designed and manufactured, and related services should be designed and provided, in such a way that product data and related service data are, by default, easily, securely, free of charge, in a comprehensive, structured, widely used and machine-readable format and, where relevant and technically feasible, directly accessible to the user.[9]

The second level applies where the user cannot directly access the data from the connected product or service. Data holders shall make readily available data accessible to the user without undue delay, in a quality equivalent to that available to the data holder, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format and, where relevant and technically feasible, continuously and in real time.[10]

The third level is the obligation of the data holder to provide to third parties, at the request of the user, data generated by the use of the product or related service in the same quality as that available to the data holder and, where applicable, continuously and in real time.[11]

Gatekeeper companies under the DMA are not qualified third parties for the purposes of the Act, i.e. they cannot request users to provide data to them; they cannot ask a user to make a request to the data holder to provide data to one of their services; they cannot receive data from a user that the user has requested.[12] Furthermore, the third party may not disclose the data it has received to a gatekeeper.[13]

The Data Act distinguishes between user and third party access to data. The data holder provides access free of charge to the user, and to third parties for reasonable and non-discriminatory compensation, which may include a margin.[14]

Unfair conditions

The regulation addresses unfair terms in business-to-business data sharing contracts where one party unilaterally imposes a term. The rules on unfair contract terms apply only to those elements of the contract that relate to the provision of the data, i.e. the contractual terms on access and use of the data, and liability or remedies in case of breach and termination of data obligations.[15] A contractual term relating to access to and use of data or to liability and remedies for breach or termination of data obligations is not binding if it constitutes an unfair contractual term.[16]

The Data Act distinguishes between per se unfair and presumptively unfair contract terms; in the latter case, the undertaking that has established the contractual term must be able to rebut the presumption of unfairness.

Providing access to data for public sector, EU bodies

Where a public sector body, the Commission, the European Central Bank or a Union body demonstrates an exceptional need to use certain data for the performance of its statutory tasks in the public interest, the data holders that are legal persons, other than public sector bodies, which hold such data shall be obliged to make them available upon a duly justified request.[17] The Data Act distinguishes between two cases of exceptional needs:

(i) Emergencies, such as public health emergencies, natural disasters, and human-induced major disasters such as cybersecurity incidents. In such cases, the public sector entity must demonstrate that the data covered by the request cannot be obtained in a timely and effective manner by other means.

(ii) Exceptional needs may also arise from situations that do not constitute an emergency. In such cases, only non-personal data may be requested by a public sector body, the Commission, the European Central Bank or a Union body, except for micro and small enterprises, which may not be the addressees of such a request.[18] In cases of exceptional need (unlike in cases of emergency response), which may occur more frequently, data holders should be entitled to reasonable compensation, not exceeding the technical and organisational costs incurred in complying with the request and a reasonable margin required to make the data available to the public sector body, the Commission, the European Central Bank or a Union body.[19]

It is important to note that these provisions do not apply to the detection and prosecution of criminal and administrative offences, the execution of administrative penalties, tax and customs matters.[20] Nor, of course, does the Act affect other data sharing and reporting obligations otherwise imposed on businesses.[21]

Data provided on the basis of an exceptional need may be used only for the purposes for which they were requested, unless the data holder providing the data has explicitly consented to the use of the data for other purposes.

Switching between data processing (cloud) services

The Data Act introduces minimum business and technical regulatory requirements to allow switching between such services or, as the case may be, to allow customers to use more than one data processing service provider at the same time, while maintaining a minimum level of functionality.[22]

The maximum notice period to start the switching process must not exceed two months,[23] followed by a minimum data recovery period of at least 30 calendar days.[24] From 12 January 2027, the providers of data processing services will not be allowed to charge customers any switching fees for the switching process.[25] From 11 January 2024 until 12 January 2027, the providers of data processing services may charge customers reduced switching charges for the switching process.[26]

Unlawful international governmental access to non-personal data

Third countries may adopt laws, regulations and other legal acts to directly transfer or provide governmental access to non-personal data located outside their borders, including within the Union. Judgments handed down by courts and judicial forums in third countries, and decisions by other judicial or administrative authorities, which provide for such transfer of or access to non-personal data may be enforced if they are based on an existing international agreement, such as a mutual legal assistance treaty, between the third country requesting the data and the Union or one of its Member States.[27] In the absence of international agreements regulating such matters, the transfer of or access to non-personal data (which may, for example, raise the risk of harming the right to security and to an effective remedy, or the fundamental interests of a Member State in terms of national security or defence) is only allowed if it is proven that the legal system of the third country requires the reasons and proportionality of the decision to be set out, requires the court order or decision to be specific in nature, and requires that the addressee's reasoned objection be reviewed by a competent court or tribunal in the third country which is competent to take due account of the relevant legal interests of the provider of such data.[28]

Before executing the request, the provider of data processing services should be able to inform the customer that a third country authority has made a request for access to those data, unless the request is for law enforcement purposes and for as long as it is necessary to preserve the effectiveness of law enforcement activities.[29]

The providers of data processing services shall make available on their websites the jurisdiction under which the ICT infrastructure installed for the purposes of their processing falls and the technical, organisational and contractual measures taken by the providers of data processing services to prevent international governmental access to and transfer of non-personal data stored in the Union where such transfer or access would lead to a conflict with Union law or the national law of the relevant Member State.[30]

 

[1] https://www.consilium.europa.eu/en/press/press-releases/2023/11/27/data-act-council-adopts-new-law-on-fair-access-to-and-use-of-data/

[2] Recital 14 Data Act

[3] Recital 6 Data Act

[4] For example, when they need to use an after-market service (typically repair or maintenance) related to the product.

[5] Recital 7 Data Act

[6] European Commission, Press release IP/22/1113, 23.02.202.

[7] Article 1(1) Data Act

[8] Article 7(1) Data Act

[9] Article 3(1) Data Act

[10] Article 4(1) Data Act

[11] Article 5(1) Data Act

[12] Article 5(3) Data Act

[13] Article 6(2)(d) Data Act

[14] Article 9(1) Data Act

[15] Recital 60 Data Act

[16] Article 8(2) Data Act

[17] Article 14 Data Act

[18] Recital 65 Data Act

[19] Recital 75 Data Act

[20] Article 16(2) Data Act

[21] Article 16(1) Data Act

[22] Recital 78 Data Act

[23] Article 25(2)(d) Data Act

[24] Article 25(2)(g) Data Act

[25] Article 29(1) Data Act

[26] Article 29(2) Data Act

[27] Article 32(2) Data Act

[28] Article 32(3) Data Act

[29] Article 32(5) Data Act

[30] Article 28 Data Act