Summary of the Data Act: EU’s proposed legislation for increasing access to and use of data

Imagine you’re running a factory and one of the robots breaks down. In today’s world, it’s most likely that only the manufacturer can access the data, forcing you to call them to repair the machine. But if the proposed data-sharing legislation in the European Union comes into fruition, this will change because you could request the manufacturer to share the required data with a repair service that may be cheaper and more immediately available. This is one of the many examples that the European Commission has given to highlight the benefits of the Data Act.

The Data Act proposed by the Commission on February 23 looks to regulate who can use and access data generated in the EU across all economic sectors. It is part of the overall European strategy for data and complements the Data Governance Regulation of November 2020.

“Data is a non-rival good, in the same way as a streetlight or a scenic view: many people can access them at the same time, and they can be consumed over and over again without impacting their quality or running the risk that supply will be depleted.” – European Commission

Dear reader, we urgently need to build capacity to cover the fast-moving tech policy space. For that, our independent newsroom is counting on you. Subscribe to MediaNama today, and help us report on the policies that govern the internet.

What are some benefits of the Data Act?

In a fact sheet, the European Commission laid out the following benefits of the Data Act:

1. Better access to data for consumers: Suppose a bar owner wants to serve better coffee, and the coffeemaker company wants to improve its product;
   • Today: Only the company can access the data produced by the machine to design the next generation of coffeemakers but the bar owner cannot access information such as the quantity and temperature of water or coffee strength.
   • With the Data Act: Both parties can access all data collected by the machine.
2. Making better use of data: Suppose a farmer has equipment from different manufacturers (tractor, automatic irrigation system);
   • Today: He cannot outsource the data analytics of the various equipment because the data is locked with each manufacturer.
   • With the Data Act: He could receive customised advice from a company gathering data from the different equipment.

Who does the Data Act cover?

The Data Act is applicable to the following EU market participants:

1. Manufacturers of products and suppliers of related services and the users of such products or services
2. Data holders that make data available to data recipients
3. Data recipients to whom data are made available
4. Public sector bodies and EU institutions, agencies or bodies that request data holders to make data available to carry out tasks in the public interest
5. Providers of data processing services like cloud services and edge computing providers

Enabling consumers to access data generated from the use of products they own or rent

Chapter II of the Data Act lays down measures that increase legal certainty for consumers and businesses to access data generated by the products or related services they own, rent, or lease.

1. Design products to make data easily accessible: The Data Act stipulates that products and related services should be designed and provided in such a manner that data generated by their use are easily, securely, and directly accessible to the user. In case the user cannot directly access data from a product, the data holder should make available this data without undue delay, free of charge and, where applicable, continuously and in real-time, based on a simple request through electronic means where technically feasible.
2. Transparency on what data will be accessible to users and how to access them: The Data Act further adds that before providing a product or a service, the user must be made aware of what and how much data is likely to be generated by the use of the product and how the user may access that data.
3. Users’ right to share with third parties: The user of the product has the right to ask the data holder to make available the data generated by the use of a product or related service to a third party such as an aftermarket service provider, without undue delay, free of charge to the user, of the same quality as is available to the data holder and, where applicable, continuously and in real-time. However, those companies designated as gatekeepers by the proposed Digital Markets Act cannot be third parties. Furthermore, the third parties must use the data only for purposes and under the conditions agreed with the user and cannot use it for profiling people, manipulating the user, or developing products to compete with the original product from which the data was derived.
4. Not applicable to micro or small enterprises: In order to reduce compliance costs for smaller companies, the Data Act states that the above provisions are not applicable to data generated by the use of products manufactured or related services provided by enterprises that qualify as micro or small enterprises.

Obligations of data holders to price data reasonably and be non-discriminatory

1. Data should be made accessible in fair, reasonable, and non-discriminatory terms: Chapter III of the Data Act states that the data holder has to make data available to data recipients under fair, reasonable, and non-discriminatory terms and in a transparent manner. A data holder should not discriminate between comparable categories of data recipients and cannot make data available to a data recipient on an exclusive basis unless requested by the user.
2. Compensation for data will have to be reasonable: “Any compensation agreed between a data holder and a data recipient for making data available shall be reasonable,” the Data Act states. Furthermore, when the data recipient is a micro, small or medium enterprise, then the compensation agreed shall not exceed the costs directly related to making the data available to the data recipient.

Unfair contracts are not binding

Chapter IV of the Data Act addresses the unfairness of contractual terms in data sharing contracts between businesses, in situations where a contractual term is unilaterally imposed by one party on a micro, small or medium-sized enterprise. This is to prevent companies from taking advantage of imbalances in negotiating power.

1. Contractual terms will not be binding if it’s unfair
2. What is an unfair contractual term? A contractual term is unfair if it is of such a nature that its use grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing, the Data Act states. Here is a non-exhaustive list of examples that may be viewed as unfair:
   • Limits the liability of the imposing party
   • Exclude the remedies available to the party upon whom the term has been imposed
   • Prevents the data recipient the use of data in such a way that the party is not able to exploit the value of such data in a proportionate manner

Making data available to government bodies

1. Data should be made available to public sector bodies in case of exceptional need: Chapter V of the Data Act mandates that a data holder should make data available to a public sector body or to an EU institution, agency or body demonstrating an exceptional need to use the data requested. Exceptional needs may arise when preventing or responding to public emergencies such as public health emergencies, or major natural or human-induced disasters. Exceptional needs may also arise where the lack of available data prevents a public body from fulfilling a specific task in the public interest that has been explicitly provided by law and obtaining this data on the market poses substantial burdens. The data obtained can also be shared with research organisations or statistical bodies for scientific research or analytics.
2. Requests must be proportionate, use must be for the intended purpose: When a government body requests data, it has to specify the purpose of the request, intended use, duration of the use, and the legal basis of the request. The request should further be proportionate to the exceptional need and respect the legitimate aims of the data holder. The obtained data should only be used for the intended purpose and should be destroyed as soon as the stated purpose is achieved.
3. Compensation for data: Data made available to respond to a public emergency should be provided free of charge, whereas, for other cases of exceptional need, the data holder should be entitled to compensation that include costs related to making the relevant data available plus a reasonable margin.

Switching between data service providers

1. Data processing service providers should allow customers to seamlessly shift between providers: Chapter VI of the Data Act introduces minimum requirements of contractual, commercial and technical nature, imposed on providers of cloud, edge, and other data processing services, to enable switching between such services.
2. Functional equivalence must be maintained: The Data Act ensures that customers maintain functional equivalence i.e. a minimum level of functionality of the service after they have switched to another service provider.
3. No charges after three years: Providers can charge for switching at a cost rate only for the first three years from when the Data Act goes into effect, after which it must be free.

International transfer of data

1. Data can only be transferred if there is a legal basis for it: If a court or administrative authority of a third country requests data, it should only be provided if there is a legal basis to it such as mutual legal assistance treaty. In the absence of such an agreement, certain conditions such as proportionality of the decision or judgement have to be met. In all other cases, data processing service providers must take all reasonable technical, legal and organisational measures, including contractual arrangements, in order to prevent the international transfer or governmental access to non-personal data held in the EU.

Enabling interoperability

1. Requirements for operators of data spaces to enable interoperability: According to Chapter VIII of the Data Act, in order to facilitate interoperability of data, all operators of data spaces must sufficiently describe dataset contents, use restrictions, etc., in order to allow data recipients to find, access and use the data; publicly describe the data structures, data formats, and classification schemes; sufficiently describe the technical means to access the data, such as application programming interfaces; and provide the means to enable the interoperability of smart contracts. Furthermore, the European Commission has the right to prescribe common standards.
2. Requirements regarding smart contracts for data sharing: When smart contracts are used to make data available to others, the contracts must have the following features: robustness, safe termination and interruption, data archiving and continuing, and access control.

Implementation and enforcement of the Data Act

1. Each Member state appoints one or more competent authorities: According to the Chapter IX of the Data Act, each EU Member State is allowed to designate one or more competent authorities as responsible for the application and enforcement of the Data Act.
2. Role of the authority: The appointed authorities are responsible for promoting awareness of the Data Act, handling complaints, conducting investigations, imposing penalties, monitoring technological developments to improve data sharing, cooperating with competent authorities of other Member States, ensuring the online public availability of data requests made by public bodies, etc.
3. Right to lodge complaints with the authority: Any person who feels their rights under this Data Act have been infringed can lodge a complaint with the appointed authority, and the authority should inform the complainant of the progress of the proceedings and of the decision taken.
4. Penalties: The Data Act leaves it to the Members States to lay down the rules on penalties applicable to infringements provided that they are effective, proportionate, and dissuasive.
5. GDPR still governs personal data: For any personal data that is processed in connection with the rights and obligations laid down in the Data Act, the EU’s General Data Protection Regulation (GDPR) is still applicable and the relevant authorities responsible for monitoring the application GDPR shall have regulatory power for personal data even under the Data Act.
6. Model contractual terms: The European Commission will develop and recommend non-binding model contractual terms on data access and use to assist parties in drafting and negotiating contracts with balanced contractual rights and obligations.

Read: Data Act – Frequently asked Questions and Answers

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

Also Read:

• European Commission Proposes Data Act 2021 To Increase Data-Sharing Between Businesses And Govts
• EU Negotiators Agree On Tough Rules In Digital Markets Act To Curb Big Tech Dominance
• Big Tech will have to open up their ‘black box’ algorithms for regulatory scrutiny: EU Competition head
• Taming The AI Beast, The EU Way: EU AI Regulations

Have something to add? Subscribe to MediaNama here and post your comment.