EU Data Act proposal: Commission plans comprehensive right to data access
Published on 23rd Feb 2022
The proposed legislation is set to have a huge impact on the European data economy
Data is the fuel for data-driven business models, and the European Commission intends to provide this fuel. The Commission’s proposal for an EU Data Act has now been officially presented (23 February 2022) as part of the European Data Strategy, which aims to realise a European single market for data. The proposed legislation tries to establish a cross-sectoral governance framework for data access and use, whether by individuals, organisations or European public authorities. It has the potential to fundamentally change the environment for data-driven business models in the EU.
All connected products in scope
The proposed regulation applies to manufacturers of connected products and providers of related services which are placed on the market in the EU. The official draft clarifies that a “product” also includes movable items incorporated in an immovable object. An earlier draft version of the regulation, which was leaked in early February, did not include this clarification. This is highly relevant as sensors or Internet of Things equipment will often be installed in immovable objects like buildings or large machinery (for example, sensors in a wind turbine). The EU Data Act will likely still apply in these scenarios.
The manufacturer’s location is irrelevant. Anyone doing business in EU markets will have to consider the implications of the EU Data Act. It will apply to very different types of products. A typical example in a business-to-business market would be connected machinery that is monitored or controlled with external software. A typical example in a business-to-consumer market would be a smart product, such as a connected fridge or any other type of connected kitchen device.
The Data Act governs rights and obligations regarding the data generated by the use of the connected products and related services. It applies to personal data as well as non-personal data.
Access to data from connected products must be granted
According to the proposal, manufacturers of products and providers of related services will have to make data generated by their use, easily accessible to the user. These users can be businesses or consumers. They will then be able to provide the data to third parties or use it for their own purposes. The users may also demand that the data is made available directly to third parties. The Commission’s intention is to foster innovation and the creation of complementary data-driven business models, such as a service enabling the owner of a smart home to aggregate and analyse data from all their connected products across different manufacturers.
To achieve this goal, companies in the scope of the proposal (the “data holders”) would face several far-reaching obligations beyond the accessibility of the data. The noteworthy obligations of manufacturers of connected products and providers of related services include:
- The data holders must provide comprehensive information on the data that will be generated when using the product or service, including the nature and volume of the data, how this data will be used and by whom, how the user may access this data, and how the user may request this data be shared with a third party.
- Access to the data will have to be granted without undue delay, free of charge and – where applicable – continuously and in real time.
- The respective data holder may only use the generated data based on a contract with the user.
- The data holder shall upon request by the user also provide the data to a third party authorised by the user; consequently, the data might have to be provided to external platforms or even competitors. However, the proposal includes drafting to deal with possible anti-competitive use of the new data access provisions. In particular, the EU Commission has linked these obligations to the Digital Markets Act (which has not yet been adopted) and stipulates that "gatekeepers" under the Digital Markets Act are not eligible third parties under the Data Act. The (draft) Digital Markets Act defines gatekeepers in essence as very big and relevant core platforms. While trying to make data more generally available, the Commission apparently intends to exclude the big platform providers from this benefit.
- Data shall be made available under fair, reasonable and non-discriminatory terms. Costs for providing data to data recipients who are small or medium enterprises may not exceed the costs directly related to making the data available.
- The data holder may also not impose unfair terms for granting such data access to small or medium enterprises. Such unfair terms include the exclusion of liability for gross negligence or intentional acts, the exclusion of remedies in case of non-performance or any stipulation limiting the rights of the user under the Data Act.
Public authorities' data access
The proposal also governs data access by public authorities. Chapter V states the obligation to make data available in exceptional circumstances; in particular, to respond to an emergency or to comply with legal obligations. This provision is intended for exceptional scenarios, requires compensation, and is subject to several requirements including a genuine proportionality test.
The earlier leaked draft included comfort that data that a business was obliged to share with the public authorities in an emergency situation would not be used to cause that business harm – but that protection has now been deleted from the formal proposal.
It is very difficult to determine if such a provision would have a strong practical significance.
Switching cloud services and international non-personal data transfers
The proposal also includes specific provisions on data processing services, which essentially are most cloud services. The Data Act aims to remove obstacles to switching between cloud services. The memorandum accompanying the draft argues that SWIPO, a non-binding initiative to facilitate cloud switching, "seems not to have affected market dynamics significantly".
For this purpose, providers of data processing services must conclude contracts with their customers that allow the customer to switch services within 30 days. Additionally, service providers must support their customers in the switching process. Full continuity of corresponding functions must also be ensured. For this purpose, providers must ensure compatibility with open standards or interoperability interfaces. For three years after the EU Data Act’s effective date, charges for switching services may not exceed the providers own costs; subsequently, they have to be free!
This might be good news for customers who are currently forced to negotiate switching services (which are usually called “exit services”) in detail. These exit services usually occur at a point where customers and service providers have not agreed what a fair compromise might look like. However, the Commission's proposal seems rather radical as – at least currently – such exit services can be complex and expensive.
International data transfers of non-personal data get more complicated
International data transfers of personal data keep all European data protection lawyers busy. The obligations under the EU General Data Protection Regulation, the Schrems II judgement by the Court of Justice of the EU, and the data protection authorities’ guidelines establish a very complex legal situation that makes every transfer of personal data to a third country (read “every use of a cloud service”) challenging. The Data Act’s proposal might extend this challenge to non-personal data.
Providers of data processing services will have to take all reasonable steps to prevent government access to, or transfer of, non-personal data that would be incompatible with European or national law. Access to the data by authorities or courts located in third countries would only be lawful under certain conditions that are similar to those established for personal data in the Schrems II decision. While not processing personal data was the best escape from the very strict data-transfer regulations under the EU General Data Protection Regulation, the Data Act might apply in these scenarios in the future.
Osborne Clarke comment
The new Data Act may be an opportunity or obstacle, depending on the business model. If the Data Act was implemented as proposed, it would have a massive impact on the European data economy. It offers opportunities and challenges, and it really depends on a company’s business model and its ability to adapt and prepare whether the opportunities or the challenges prevail.
Companies that rely on data that stems from connected products – such as maintenance companies or companies offering complementary services – will have the opportunity to provide better services. It can also be expected that the availability of the data will lead to entirely new business models and indeed trigger innovation in Europe. The Commission might think that, while Europe has lost the race with regards to business models based on personal data, it still has a chance with regards to business models based on non-personal data. The Data Act will certainly extend the market for data.
Companies that try to leverage knowledge about their products or related services and the data generated in this context to lock out competitors will mainly come up against the challenges. They will have to accept that monopolisation of data is not an option. This might be bad news for manufacturers of machines that have only recently digitalised their products and were now hoping to establish new business models around their product without really having any competition. Instead, if the Data Act is implemented, they will certainly have competition, for which they will have to prepare. Half-hearted attempts at creating new business models around the data generated by their products will likely fail because there will be companies that will use this data in an innovative and creative way to the benefit of the customers.
Right now, the Data Act remains a proposal and the draft will likely to be subject to change. But the proposal certainly shows that the Commission is serious about its goal to create a European data economy and to take radical steps to foster this economy. It is not hesitating even to force companies to provide the main asset required for such an economy: data.