This essential guide to the European Data Act is part of Orrick’s Cybersecurity & Privacy Compass Series. The Cybersecurity & Privacy Compass is your global guide to constant cybersecurity and privacy change.
In this guide, we answer pressing questions about the European Data Act, including what the Data Act is about, who is impacted and what the objectives are, the new right and obligations created by the act, the legislative status, and recommended next steps for companies.
- What is it about?
- Who is impacted?
- What are the objectives of the Act?
- What are the new rights and obligations created by the Act?
- What is the legislative status?
- What are the action items?
What is it about?
The European Data Act is the proposed regulation in Europe (EU) for harmonised rules on fair access to and use of data (Data Act). It is one of the key measures intended to make more data available for use by the private and public sector. The Data Act complements the Data Governance Regulation proposed in November 2020, which is the first deliverable under A European strategy for data. While the Data Governance Regulation creates the processes and structures to facilitate the sharing of data, the Data Act clarifies who can generate value from data and under which conditions.
Who is impacted?
The Data Act applies to broad variety of actors. Only micro, small and medium-sized enterprises (MSMEs) are partially exempted from the obligations of the Data Act. According to the Council’s proposal of 17 March 2023, the Data Act applies to a variety of entities including to, (i) manufacturers of products and providers of related services placed on the market in the EU, i.e., entities providing items in the EU, that obtain, generate or collect, accessible data concerning its use or environment and are able to communicate that data over the internet (e.g., connected devices), (ii) data holders, i.e., natural or legal persons who have access to data from products and make the data available to data recipients, (iii) data recipients to whom data is made available, (iv) public sector bodies of a Member State or Union institution, and agencies or bodies that request data holders to make data available, (v) providers of data processing services, irrespective of their place of establishment, offering such services to customers in the Union, and (vi) operators of data processing services providing such services to customers in the Union. Because the term "user" referred to by the Data Act means a natural or legal person, the Data Act’s obligations apply to both business to consumer and also business to business relationships.
What are the objectives of the Act?
The Data Act aims to allow users to access data they generated when using a connected device and to share such data with third parties for the purpose of providing aftermarket or other data-driven innovative services.
What are the new rights and obligations created by the Act?
The rights and obligations created by the Act include the following:
Obligation to Share Data and to Maintain it in Standard Formats
The Data Act requires covered entities to make data accessed from connected devices or generated during the provision of related services accessible to users free of charge and, where applicable, continuously and in real-time.
Under specific circumstances, other companies – called data recipients – have a right to receive data from the service provider – the data holder. If a data holder is obliged to disclose data to a data recipient, either under the terms of the Data Act or other EU or national law, the data holder must do so according to terms that are fair, reasonable and non-discriminatory (FRAND). Any compensation for making the data available shall also be reasonable. Where the data recipient is a MSMEs, any compensation agreed shall not exceed the costs directly related to making the data available to the data recipient and which are attributable to the request.
By requiring data to be provided in a comprehensive, structured, commonly used and machine-readable format, the Data Act imposes technical standards. Companies therefore may need to update their current standards for data storage and structure.
Incentives for investing into data
The Data Act maintains incentives for manufacturers to continue investing in high-quality data generation, by covering their transfer-related costs and excluding use of shared data in direct competition with their product.
Right of public sector entities to access data
Public sector entities are granted the right to request and obtain the data stored by a data holder. A data holder receiving a request for access to data is required to make the data available without undue delay. However, such requests are allowed only in exceptional cases that must be demonstrated by the public sector entity and require that the data requested and the purpose for what it is requested is specified. Moreover, the right is limited to non-personal data.
Facilitating data portability
The Data Act requires providers of data processing services to take measures to enable customers to switch to another data processing service, covering an equivalent service, which is provided by a different provider of data processing services. Providers of a data processing service shall not impose and shall remove commercial, technical, contractual and organisational obstacles, which inhibit customers from terminating, concluding new contractual agreements, porting the customer’s exportable data, and achieving functional equivalence in the use of the new service in the IT environment of the different provider. For example, the Data Act requires covered entities to allow customers to terminate a service after a maximum notice period of 30 days.
Rebalancing the rights of MSMEs
The Data Act contains measures to rebalance the negotiations powers for MSMEs. These measures include provisions according to which contractual terms shall not be binding where access and use of data or the liability and remedies for a breach have been unilaterally imposed on another enterprise and if these terms are deemed to be unfair. A contractual term will be deemed unfair if it is of such a nature that its use grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing.
What is the legislative status?
The Data Act was published by the Commission on 23 February 2022 and the European Parliament adopted amendments to the existing proposal of the European Commission on 14 March 2023. The Council agreed on a position on the Data Act on 17 March 2023. The Members of the European Parliament and the Council are now ready to enter into the final trilogue negotiations. Even though the Act is still in the legislative process, the end of this process will come sooner than later, and it is possible that the parties find an agreement before the summer recess or immediately thereafter. The Data Act will apply 12 months from adoption.
What are the action items?
Because the Data Act is still in negotiations, there is no need to rush. However, it seems sensible to start evaluating whether one would actually be subject to the Act given that the 12-month period to comply may be a little short. If it is likely that the Data Act applies to your entity, consider taking further strategy decisions and watch the trilogue negotiations closely.
