Find out today what the legal world will be talking about tomorrow.
EU Commission publishes draft EU Data Act
On February 23, 2022, the EU Commission published the draft regulation on harmonised rules on fair access to and use of data ("Data Act"; COM(2022), 68). Before that, a version has already been leaked.
The Data Act is another component of the EU Commission for the implementation of the European Data Strategy of February 2020. As a regulation, the Data Act would be a directly applicable European law, comparable to the EU General Data Protection Regulation ("GDPR").
Purpose of the Data Act
The Data Act aims to eliminate legal, economic and technical obstacles regarding the data economy as far as possible. Therefore, the aim of the Data Act is to ensure fairness in the allocation of value from data with regard to different stakeholders in the data economy and to support access to and use of data.
Product manufacturers should be obliged to design network-capable products as “data-transparent” as possible. Users of such a product should have easy access to data collected or generated when using such a product. In addition, the term “data” is defined in a broad manner. The term “data” is not limited to personal data.
However, the Data Act does not create a legal basis for processing data by the dataholder. The starting point of the Data Act is the actual control of the data holder over the relevant data (please see recital No. 5 Data Act). Therefore, in addition to the requirements of the Data Act, a data holder is also obliged to comply i.a. with data protection requirements. These can primarily result from the GDPR and the German Telecommunications Telemedia Data Protection Act (“TTDSG”).
Subject Matter and Scope of the Data Act
The subject matter of the Data Act are physical products that collect or generate data about their performance, use or environment through relevant components and which can transmit such data via a publicly available electronic communications service. Recital No. 14 Data Act refers to such products as “Internet of Things” (“IoT”). Such IoT products may include vehicles, home equipment and consumer goods, medical and health devices or agricultural and industrial machinery (Recital No. 14 sentence 3 Data Act).
Corresponding (raw) data should be accessible because such data represents the digitalisation of user actions and events. However, data derived from such data should not be considered within the scope of the Data Act (Recital No. 14 Data Act).
Unlike IoT products, products designed primarily to display or play content, or to record and transmit content, are not intended to be within the scope of the Data Act. These products include, for example, personal computers, servers, tablets and smartphones, cameras and webcams (Recital No. 15 Data Act).
Overview regarding the core Elements of the Data Act
Obligation to enable Access to Data, Art. 3 Data Act
Products and related services within the scope of the Data Act should be designed in such a manner that data generated while using them is easily, securely and – if possible – directly accessible to the user by default.
In addition, certain information on the type and scope of the possibly generated data, the data holder, the data access as well as any data recipients should be made available before a contract is concluded. If the potential contractual partner is not the data holder, the potential contractual partner should also provide information on who the actual data holder is.
Right to Access and Use Data, Art. 4 Data Act
If direct data access is not possible, the data holder should provide the relevant data on request without undue delay and free of charge, if necessary continuously in real time.
Art. 4 Data Act also contains certain restrictions regarding data access and use. For example, if a dataset also includes personal data within the meaning of the GDPR, such personal data may only be made available if there is a legal basis with regard to Art. 6 or Art. 9 GDPR. Furthermore, a data holder may not use generated data to derive knowledge about the user's economic situation, assets and production methods if this could adversely affect the user.
Right to Data Sharing with Third Parties, Art. 5 Data Act
A user may request a data holder to “share” data with certain third parties, e.g. to provide such a third party with a copy of the data. Regarding personal data, this can be interpreted as an addition to the right to data portability in accordance with Art. 20 (1) GDPR.
Obligations of a Third Party Data Recipient, Art. 6 Data Act
A third party as a data recipient may only process data provided to it under Art. 5 Data Act for purposes and under the conditions agreed with the user. Furthermore, a data recipient must comply with the data subject rights requirements under the GDPR and further GDPR principles, such as data deletion, with regard to personal data.
In addition, a data recipient may not contractually prohibit a user from making corresponding data available to other third parties. A data recipient may not use the data to develop competing products and a data recipient may not carry out profiling in the sense of the GDOR (Art. 4 No. 4 GDPR), unless this is necessary for a service requested by the user.
Obligations for Data Holders to make Data available, Art. 8 et seq. Data Act
Data holders who provide data under the Data Act must comply with certain obligations. These include, for example, that the provision of data is made on the basis of fair, reasonable and non-discriminatory terms and in a transparent manner (Art. 8 (1) Data Act).
If the data holder demands remuneration from the data recipient for the provision of data, such remuneration must be reasonable (Art. 9 (1) Data Act).
The data holder may implement appropriate technical protection measures, including so-called smart contracts, to prevent unauthorised access to data and to ensure compliance with the respective requirements of the Data Act and corresponding agreements on data provision. However, these technical protection measures may not be used as a means to impair any user rights with regard to the Data Act (Art. 11 (1) Data Act).
“Unfair” Contractual Terms regarding Data Access and Use, Art. 13 Data Act
In addition to the principle of data access that is as easy and barrier-free as possible, unilateral “unfair” contractual terms on data access and use should be invalid regarding micro, small and medium-sized companies.
Limitations regarding any liability for intent and gross negligence or complete exclusions of a warranty should always be invalid.
In addition, the Data Act declares certain provisions usually invalid. This applies, for example, to unreasonable warranty limitations or regulations on data access and data use that significantly impair the legitimate interests of the other contractual party.
Data Portability, Art. 23 et seq. Data Act
According to Art. 23 et seq. Data Act, data holders must ensure that customers can switch to another service provider with a comparable service and thereby, among other things, be able to port corresponding data. While Art. 20 (1) GDPR regulates the right to data portability for personal data that a data subject has provided himself or herself, the corresponding requirements of the Data Act cover all data within the scope of the Data Act.
Interplay with Data Protection Regulations
Data holders and data recipients within the meaning of the Data Act may also have to comply with data protection regulations such as the GDPR and the TTDSG. If non-personal and personal data are inextricably linked, the requirements of the GDPR must be observed when processing such data sets (please see recital No. 30 Data Act; Art. 2 (2) Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data in the European Union; “Regulation (EU) 2018/1807”). National implementations of the ePrivacy Directive and a possible EU ePrivacy Regulation must also be observed in addition to the Data Act (Recital No. 32 Data Act).
The distinction between non-personal and personal data can be a practical challenge to European case law and the scope of the GDPR definition of personal data (Art. 4 No. 1 GDPR).
Therefore, a data holder should first clarify whether it can separate non-personal from personal data (comparable to the corresponding question with regard to the Regulation (EU) 2018/1807). This will probably depend on whether, for example, environmental sensor data is generated separately, without a link to an identifiable natural person. In addition, it could be decisive whether a data holder can sufficiently anonymise personal data.
In practice, this means that in addition to the requirements for anonymization of personal data, e.g. on the basis of a consent or an overwhelming legitimate interest, the requirements of the Data Act regarding processing of non-personal data must also be observed. The GDPR does not apply to (completely) anonymised data, but the Data Act does. For the sake of completeness, it should be mentioned that section 25 TTDSG also applies to non-personal data. According to section 25 TTDSG, the storage of data in the terminal equipment of an end user and access to data already stored in the terminal equipment are in principle only permissible if the end user has consented on the basis of clear and comprehensive information.
The Data Act does not create an absolute right to data (in non-legal words: the Data Act does not create “data ownership”). The Data Act regulates access and usability of data in connection with certain products.
Therefore, the Data Act is a contribution to the data economy, which could well become significant in practice. It indicates a paradigm shift in data access and use.