On 23 February, the Commission published its long-awaited proposal for the regulation on fair access and use of data (EU Data Act). The Act is a key element of the European Strategy for Data published in 2019 and aims at creating a single market for data. The proposal’s main objective is to facilitate access, exchange and the use of non-personal data between businesses and with governments. It also includes obligations to give users access to data that they are generating.
The proposal is to regulate three areas:
- making data generated by the use of a product or related service available to the user of that product or service;
- making data available by data holders to data recipients; and
- making data available by data holders to public sector bodies or EU institutions where there is an exceptional need and for the performance of a task carried out in the public interest.
The proposal includes a broad definition of data which covers both personal and non-personal data. It also covers a wide array of stakeholders, including the providers of cloud services, manufacturers of connected products and related services and data holders, that is enterprises who have a right, obligation or ability to make data available to data recipients.
The proposed regulation imposes data sharing obligations on the producers of connected products and related services. The producers, referred to in the proposal as ‘data holders’ would need to make data available to their users through easy-to-use interfaces and free of charge. The users, in turn, would be able to share their data with third parties unless they are classified as gatekeepers under the Digital Markets Act.
The proposal also sets out the conditions under which data holders make data available to data recipients, in particular fair, reasonable and non-discriminatory terms for sharing data. The burden of proof for discriminatory data sharing with the recipient lies with the data holder, i.e., the data holder needs to demonstrate that there has been no discrimination.
It obliges the data recipient to either destroy the data or to stop production, offering ad placing on the market of products and services that were developed on the basis of data acquired on the basis of false information or deceptive or coercive practices.
Unfair contractual terms imposed by an enterprise on a micro, small and medium sized enterprise will not be binding on them. The proposal further defines what is or is presumed unfair under the proposed regulation.
The proposal also sets out the conditions for sharing data with public authorities in case of exceptional need. To this end, it clarifies what such a need, e.g. prevention or response to a public emergency.
The proposal obliges the providers of data processing service to ‘remove commercial, technical, contractual and organisational obstacles’ that inhibit the customers from:
- terminating the contractual agreement;
- concluding a new one with a new service provider;
- porting its data and other digital assets to another provider of data processing services;
- maintaining functional equivalence of the service in an IT environment of a different service provider.
The proposal sets out safeguards to be adopted by the data processing services to prevent international transfer or governmental access to non-personal data held in the EU when such access or transfer ‘would create a conflict with Union law or the national law of the relevant Member State.’ This approach is similar to the one under the GDPR and following the Schrems I and II rulings of the CJEU, only this time it is extended to non-personal data.
The Article further states that a request for access to data issued by a court or tribunal of a third country may only be recognised if based on the international agreement between that country or an EU member state or EU. In case of an absence of such an agreement, the data processing provider can still respond to such a request provided that certain conditions are fulfilled.
The proposed regulation sets out the requirements for open interoperability specifications and European standards for the interoperability of data processing services, including data portability and functional equivalence. The open interoperability standards are to comply with relevant part of the Regulation 1025/2012 on European standardisation.
It also includes a list of essential requirements for smart contracts for data sharing, and these include robustness, safe termination and interruption, data archiving and continuity and access control. The vendor of a smart contract is to perform a conformity check and upon successful testing, issue an EU declaration of conformity.
The member states are to designate a competent authority to be responsible for monitoring the application of this regulation. Importantly, the supervisory authorities under the GDPR will be responsible for monitoring the application of this regulation insofar as the data sharing concerns personal data.
The proposal will be discussed in the European Parliament and in the Council in the coming months. As a regulation, the proposal will follow the ordinary legislative procedure, previously known as co-decision.