The new EU Data Act: European Commission proposes measures for a fair and innovative data economy

• Europe

• Competition, EU and Trade
• ESG
• Privacy, data protection and cybersecurity
• Technology
• Financial services - Digital Financial Services
• Technology, Media and Telecoms

10-03-2022

Overview

On 23 February 2022, the European Commission (“Commission”) announced a new addition to its digital rulebook in the form of a proposal for a new Data Act, and accompanying sector-specific regulations. The proposal has significant implications for both holders and users of data (whether personal data or otherwise). Accordingly, the scope of the Act goes far beyond the boundaries of GDPR.

Background and context

These proposed rules will set out who can use and access data generated by connected devices, primarily in relation to industrial data, across all economic sectors in the EU. It forms part of the Commission’s wider Data Strategy which focuses on ideas and actions to enable digital transformation (and is also closely linked to the wider EU Industrial Strategy).

The Data Act is the second proposal, alongside the Data Governance Act, aimed at making the EU a leader in the data-sharing space. As part of this, the EU has new initiatives on an EU federated cloud, an industry alliance for cloud architectures, and is seeking to create both a horizontal and vertical i.e. sector specific data segments.  Together, these proposals are hoped to “unlock the economic and societal potential of data and technologies” and create a single market for the free flow of data the EU.

This Data Act looks to harness the potential power which data has as a “non-rival good”, which means that it can be used at the same time by many individuals, and consumed over and over again without impacting the quality of the data or depleting the supply.

This makes data a hugely valuable resource which everyone can benefit from; according to the Commission, however, only 20% of industrial data which exists in the EU is currently used. The Data Act, therefore, hopes to remedy the under-use of data by providing new rules to make data available for reuse, and to address the legal, economic and technical barriers that currently exist and reduce data use.

The Purpose

The purpose of the Data Act is to:

• ensure fairness in the digital environment, through enabling consumers and companies to have more control over their data, clarifying who can access it and on what terms;
• stimulate a competitive data market, through “unlocking a wealth of industrial data”;
• open opportunities for data-driven innovation; and
• make data more accessible to all.

The Commission hopes that the Data Act will also aid the development of new and innovative services, and produce more competitive prices for aftermarket services and repairs of connected objects.

The Proposals

The proposals for the Data Act include:

• Measures which will allow users of connected devices to gain access to the data generated by them, free of charge, which at present is often exclusively harvested by manufacturers. It is hoped that this will both enable users to share the data with third parties and maintain incentives for manufacturers to invest in high-quality data generation.                                                                                                                                        For example, users and consumers such as farmers, airlines and construction companies could use the data to make better and more informed decisions including purchasing higher quality, more sustainable products and services; e.g. farm machinery including combine harvesters contain valuable data which would assist others in competing for after-care services, whilst data relating to crops and usage may also assist farmers and other ancillary suppliers to develop and adjust their products, services and level of supply and time to market);

• Measures to encourage a more level playing field in terms of contract negotiation and licensing by removing or reducing the imbalance of negotiation power which is a challenge often faced by small and medium enterprises (“SMEs”) and prevent the abuse of contractual imbalances in data sharing contracts. In particular, SMEs will be protected from unfair contractual terms and the Commission plans to develop non-binding model contractual terms to help SMEs draft and negotiate fair data sharing contracts;
  • this will undoubtedly be of relevance to competition authorities and, in turn, the UK Competition and Markets Authority in assessing any potential prejudice to competitive markets and/or any abuse of market power in the context of (i) merger control or (ii) by those who either have dominance in a particular market or who are entering into arrangements which may result in anti-competitive behaviours.

• Measures to enable public sector access and use of data held by the private sector in relation to exceptional circumstances. In particular, in the case of a public emergency (floods or wildfires) or to implement a legal mandate; and

• Measures allowing customers to switch effectively between different cloud data-processing services providers, therefore enabling greater data mobility;
  • This concept already exists in EU (and UK) GDPR and is otherwise known as data portability, but which only applies to data which constitutes personal data (i.e. one’s personal information) and the right is exercisable only by the data subject to whom such personal data relates.
  • the Act goes further in this regard, in that it requires that, when a user wishes to transfer data services to a competing provider, the holder of that data (or applicable platform) should ensure that data are shared in fair, reasonable and non-discriminatory (FRAND) conditions. In general, this adopts the approach taken in the Second Payment Services Directive (PSD2), where banks were obliged to transfer data to third party providers through an open application programming interface (API), with the consumer’s consent.
  • In addition, platform or application providers are required to ensure that outgoing customers maintain functional equivalence after switching to a new supplier.

• promotes interoperability by empowering the Commission, with the support of standardisation organisations, to intervene with common specifications to promote the interoperability of data processing services, to facilitate the pooling of data (e.g. in data spaces, or data provision ‘for good’) and promote easier switching across providers.
  • This provision will apply also to smart contracts for data spaces (as set out in the Commission’s Strategy on Standardisation)

The Data Act will also review certain aspects of the Database Directive which was created in the 1990s to protect investments in the structured presentation of data. Notably, it clarifies that databases containing data from Internet-of-Things (IoT) devices and objects should not be subject to separate legal protection: under Article 35  the sui generis right provided for in Article 7 of the Database Directive will not apply to databases containing data obtained from or generated by the use of a product or a related service. This will ensure such data (and the devices themselves) can be accessed and used for the benefit of the wider economy.

Penalties

For breaches of the proposed EU Data Act, the supervisory data protection authorities in each Member State may impose administrative fines, for the following categories of infringements:

For breaches to Chapter II (B2C and B2B Data Sharing), III (Data Holders to Make Data Available) and V (Making Data Available to Public Sector Bodies) of the Act, the supervisory authorities referred to in GDPR (Article 51) may impose administrative fines in line with GDPR (Article 83) i.e. maximum fines up to the greater of 4% of global annual turnover or EUR 20m. Accordingly, the fines for these breaches are significant and appear to be on a par with the sanctions and level of enforcement available under GDPR.

It will also be interesting to see how the level of fines and sanctions develops in relation to Chapter 4 (Unfair Terms in Data Sharing) and the extent to which Member States may be free to set their own penalties in this regard.

Implications

The Commission is hoping that the Data Act will increase data-driven innovation across the EU and that more data being available for reuse will create EUR 270 billion of additional GDP by 2028. It is also hoped that better access to real-time data will help the EU achieve climate goals and shrinking carbon emissions.

The Data Act awaits backing from the EU’s co-legislators, however the proposals demonstrate the Commission’s growing awareness of the competitive power of data and the need for data transparency. A recent European case is indicative of this new understanding and focus, whereby a company was fined by the relevant competition agency for an anti-competitive use of data in the energy sector. One of the penalties handed down was a requirement for the company to make customer data available to all rivals. Not only does this demonstrate that there is a growing interest in data and its value, but also that data issues are not limited to the digital space.

Comment

The requirements and legal framework set out in the EU Data Act are no doubt beneficial for a fairer and competitive market and also to maximise the benefits of the wider data economy. However, despite good intentions, it remains to be seen how the EU authorities will be able to enforce its provisions. That said, it would be unwise to ignore its potential scope and ambit. For example, Article 4(1) of the proposed Act provides:

“Where data cannot be directly accessed by the user from the product, the data holder shall make available to the user the data generated by its use of a product or related service without undue delay, free of charge and, where applicable, continuously and in real-time.”

Platforms that are covered by the proposed Data Act should consider therefore building in features and functionality, including reviewing existing APIs and user-request processes to prepare for such data requests. It could be particularly costly to retro-fit such functionality.

Notably, to seek to provide a fair balance, Article 13 does allow a data holder to apply appropriate technical protection measures, including smart contracts, to prevent unauthorised access to the data and to ensure compliance with Articles 5, 6, 9 and 10, as well as with the agreed contractual terms for making data available. This is only on condition that these technical measures are not used to hinder the user’s right to effectively provide data to third parties.

A key focus will also be to review the specific terms which are deemed to be unfair pursuant to Article 13 where imposed on SMEs. These include terms (amongst others) which:

• is of such a nature that its use grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing; or
• gives the party that unilaterally imposed the term the exclusive right to determine whether the data supplied are in conformity with the contract or to interpret any term of the contract; or
• allow the party that unilaterally imposed the term to access and use data of the other contracting party in a manner that is significantly detrimental to the legitimate interests of the other contracting party

The actual list of terms which are unfair is much wider than this however, and it will be important to review any licensing or access terms against this black list to identify, remove and/or amend any terms which may otherwise put a data holder in breach of the Act.

Along with the Digital Markets Act and Digital Services Act, there continues to be a significant amount of flux in the regulatory landscape for data in the immediate and foreseeable future. Please do get in contact with the member of the team should you have any queries.

Return to the article series>