Skip to content

EU unveils first draft of the Data Act

Author
Emma Keeling - Senior PSL
Emma Keeling

Senior PSL

London

View profile →

03 March 2022

On 23 February 2022, the European Commission unveiled proposals for the EU’s latest legislative development, the EU Data Act.

Originally scheduled for publication in December 2021, the draft Regulation stems from the EU’s May 2020 Strategy for Data and sits alongside the EU’s Data Governance Act (as agreed by co-legislators in November 2021).

Hailed by the Commission as the way to unlock the untapped value of data (whether personal or otherwise) across the EU and implement a single market in data, the proposed EU Data Act is a wide ranging, sector neutral proposal. There is clear interplay with existing EU legislation (such as the GDPR) and more recent proposals (such as the Digital Markets Act, DMA) but the proposed EU Data Act introduces a range of new rights and obligations with potential for extra-territorial reach. By way of example, the draft EU Data Act:

  • requires manufactures of connected products and providers of related services to address access to data generated by use of those products and services by default and provide certain information about the nature of that data, its use and access. Users (whether consumers or business) must be given access to that data by the relevant data holders, free of charge;
  • requires data holders to share said data, on user instruction, albeit subject to certain conditions on the data recipient regarding purpose limitations, onward sharing limits, data deletion, non-compete/exclusivity requirements and data protection compliance - for example, gatekeepers under the DMA cannot benefit as data recipients here;
  • requires that when obliged to provide data under the proposed EU Data Act (or other subsequent EU law), data holders must do so on fair, reasonable and non-discriminatory terms, with any compensation required to be reasonable and with caps applicable in relation to SME recipients. Similarly, no party can unilaterally impose an unfair term on an SME where that contract term relates to access and use of data or liability and remedies for breach or termination of data related obligations;
  • requires data holders to provide data to EU public bodies where there is an exceptional need, defined to include both emergency scenarios and certain circumstances where the public body is otherwise unable to obtain the data. Conditions apply, although costs can only be recovered in certain cases and onward sharing of the data by the recipient public body is permissible in relation to certain scientific research or similar scenarios;
  • addresses the ease of switching between data processing service providers (including cloud services providers). Barriers to switching must be removed, whether commercial, technical, contractual or organisational. Requirements are imposed regarding transition periods, contractual provisions to be agreed between original provider and customer, and the removal of switching charges. The proposed EU Data Act also addresses interoperability and EU standardisation;
  • imposes requirements on data processing service providers to take all reasonable technical, legal and organisational measures to prevent international transfer or non-EU governmental access of non-personal data held in the EU, where such transfer or access would create a conflict with EU or Member State law. The proposed EU Data Act addresses circumstances where such data is requested in the context of a decision or judgment of a third country court or tribunal and the specific circumstances in which that data can be shared; and
  • includes further provisions regarding the standardisation of smart contracts in the context of data sharing arrangements and clarifies that connected product-generated data will not benefit from the sui generis database right.

The publication of the proposed EU Data Act is the first step on what is likely to be a long legislative journey. Nonetheless, its application is wide and with potential for broad data sharing obligations and GDPR-level fines (at least to the extent any non-compliance under the EU Data Act relates to personal data), mean that organisations will no doubt be following its progress closely.

Read the press release 'Data Act: Commission proposes measures for a fair and innovative data economy' and the proposed regulation

You can see our more detailed article on the EU Data Act here.

Related expertise