EU data protection act

EU Data Act approved by the Parliament and the Council

On November 27, 2023, the European Union (EU) reached a significant milestone in data regulation by adopting the final text of the Data Act.[1] This legislation is an integral component of the European Data Strategy Package, marking the EU’s ambitious efforts to establish a leadership role in the global networked economy. The Data Act is designed as a harmonized, cross-sectoral framework for data sharing, aiming to guarantee fair access and use of data across various sectors.

This Act is the second major legislative endeavour under the European Data Strategy,[2] following the Data Governance Act,[3] which encourages voluntary data sharing among businesses, individuals, and the public sector. The primary objective of the Data Act is to enhance the availability of generated data for reuse, thereby maximizing data value and fostering a competitive data market. This approach is expected to bolster open opportunities for data-driven innovations and widen data accessibility.

The Data Act was first proposed by the European Commission on February 23, 2022.[4] After a series of negotiations, an agreement was reached in June 2023,[5] leading to its adoption by the Parliament on November 9, 2023. The final approval by the Council followed on November 27, 2023.

Extraterritorial Scope and Application of the Data Act

The Data Act, as a part of the EU’s comprehensive approach to data regulation, has an extraterritorial scope, meaning its influence extends beyond the geographical borders of the EU. It applies to various entities regardless of their place of establishment, including: (i) manufacturers of products and suppliers of services that fall within the scope of the Act in the EU; (ii) data holders that make data available to recipients within the EU; and (iii) providers of data processing services catering to customers in the EU. This scope differs from that of the General Data Protection Regulation (GDPR), which applies more broadly, as the Data Act specifically targets users and data recipients within the EU.

The Act’s data sharing obligations are pertinent to “Business to Consumer” (B2C) and “Business to Business” (B2B) users alike, conferring data sharing rights on both groups. Additionally, in certain exceptional circumstances, “Business to Government” (B2G) users are also granted these rights. This inclusive approach ensures that a wide spectrum of economic activities and relationships is covered under the Act. Notably, the Data Act provides special considerations for small and medium-sized enterprises (SMEs) by exempting them from certain B2C and B2B data sharing obligations. This exemption is intended to create more opportunities for SMEs to compete and innovate using the data they generate and to encourage broader participation in the data economy, irrespective of business size.

User and Data Recipient Obligations under the Data Act

Under the Data Act, there are explicit obligations outlined for users and data recipients to ensure transparency and fair use of data. Article 3 requires connected products and related services to be designed in a way that allows users easy access to the data generated. Sellers or lessors of these products must provide comprehensive information to potential users about the type and volume of data generated, storage locations and retention duration, and methods for accessing or erasing data. Providers of related services are similarly obligated to provide transparency information regarding data processing before concluding a service contract.

Data holders, defined as entities other than users who have rights or obligations to make data available, including data generated by connected products and related services, have a set of stringent obligations under Article 4. They are required to make product and related services data (PRS data) along with relevant metadata accessible to the user upon request. This data should be provided free of charge, in a secure, commonly used, and machine-readable format, and where feasible, continuously and in real time.

Article 5 extends the obligation of data holders to share PRS data with third parties upon user request. Like the provisions of Article 4, the data should be made available promptly, securely, and without charge to the user. The Act considers any third party acting for commercial purposes and receiving data under EU law as a “data recipient.”

Further, Articles 8 and 9 detail the provisions for data holders making data available to third parties, requiring agreements to be set under fair, reasonable, and non-discriminatory terms. Compensation in business-to-business relations must be reasonable and non-discriminatory but can include a margin. The Act also includes safeguards for trade secrets, stipulating that data holders are not obligated to disclose such information unless mandated by EU or national law.

Contractual arrangements may limit data access or sharing if it compromises security requirements. Moreover, users are prohibited from using PRS data to develop or assist in developing competing connected products. Dispute resolution related to the fair and reasonable terms of data sharing is addressed under Article 10, which allows access to certified dispute settlement bodies.

Switching Facilitation by Data Processing Service Providers (DPSPs)

The Data Act imposes specific obligations on Data Processing Service Providers (DPSPs) to facilitate easy switching between service providers for customers, including both individual consumers and corporate entities. These measures are intended to remove any contractual or organizational barriers that might hinder customers from effectively managing their data processing services. Key measures DPSPs must implement include:

  1. Ease of Contract Termination: Ensuring that customers can terminate contracts with their current data processing service (DPS) and establish new ones with minimal difficulty.
  2. Data Portability: Enabling customers to transfer their exportable data and digital assets to a different service provider smoothly.
  3. Functional Equivalence in IaaS: For providers delivering Infrastructure as a Service (IaaS), ensuring that customers can achieve a minimum level of functionality equivalent to the previous provider.
  4. Unbundling Services: Allowing for the unbundling of specific data processing services from others where technically feasible.

The Data Act mandates that the rights of customers and the obligations of DPSPs related to switching providers must be explicitly outlined in written contracts. These contracts are required to include:

  • An obligation for the DPSP to provide reasonable assistance to the customer and relevant third parties, maintaining due care to preserve business continuity during the switch.
  • A comprehensive specification of all categories of data and digital assets that are eligible for export.
  • A default transitional period, not exceeding 30 days, for the completion of the switching process unless technically unfeasible. If unfeasible, DPSPs are required to justify this and propose an alternative period, which should not exceed 7 months.

Moreover, Article 29 of the Act introduces a provision that, after three years from the Act’s enforcement, DPSPs will be prohibited from imposing any charges on customers for the switching process. Any charges applied during the initial three years must not exceed the costs directly linked to the switching process, adhering to a cost recovery model.

Article 13: Regulating Business-to-Business Data Sharing Agreements

Article 13 of the Data Act introduces specific rules for the contractual terms between businesses concerning data sharing and access. The focus is on ensuring fairness in business-to-business (B2B) data sharing agreements, particularly addressing the balance of power when terms are imposed unilaterally. This article represents a significant shift from the traditional freedom businesses have enjoyed in arranging their IT contracts, incorporating elements of fairness similar to those found in EU consumer protection legislation.

Key Aspects of Article 13

1. Unilaterally Imposed Terms: A term is considered “unilaterally imposed” if it arises in a situation where one party dictates a contractual term, and the other party has no real influence over its content despite attempts to negotiate. If a term is negotiated or accepted by both parties, it is not considered to be unilaterally imposed.

2. Unfair Terms: A contractual term is deemed unfair if it grossly deviates from good commercial practice, particularly if it:

  • Limits the liability of the imposing party for intentional acts or gross negligence.
  • Excludes remedies for the party upon whom the term was imposed in case of non-performance.
  • Gives the imposing party exclusive rights to determine data conformity or interpret any contractual term.

3. Presumption of Unfairness: Certain situations are presumed to render a term unfair, including if it:

  • Inappropriately limits remedies for non-performance.
  • Allows the imposing party detrimental access or use of the other party’s data.
  • Prevents the imposed party from using or exploiting the value of data provided or generated during the contract.
  • Prevents reasonable termination of the agreement by the imposed party.
  • Prevents the imposed party from obtaining data copies after contract termination.
  • Allows the imposing party to terminate the contract on unreasonably short notice or substantially change contract terms without valid reason.

4. Inalterability of Article 13: Parties to a contract covered by Article 13 cannot exclude or vary the application of this article through contractual terms. This inalterability ensures the protective measures intended by the article cannot be circumvented.

