The rationale for a Data Act
Most data is unused, or its value is concentrated in the hands of a few large companies. The European Commission wants to foster the development of the European data economy in compliance with European rules and values.
The situation of SMEs can be particularly difficult as they are often in a weak position when it comes to negotiating contractual arrangements. This imbalance can also lead to the misuse of data.
Definitions of products and related services
A "product" is defined here as "a tangible, movable item, including where incorporated in an immovable item, that obtains, generates or collects, data concerning its use or environment, and that is able to communicate data via publicly available electronic communications services and whose primary function is not the storing and processing of data".
A "related service" means "a digital service, including software, which is incorporated in or inter-connected with a product in such a way that its absence would prevent the product from performing one of its functions".
Facilitating access to and use of data by consumers and businesses
Chapter II of the Data Act aims to bring legal certainty to consumers and businesses in their access to data generated by the products or related services they own, rent or lease. The data shall be easily and securely accessible by default. This is an obligation for manufacturers. Data is made available either directly or upon request (free of charge), depending on the most appropriate solution. Users shall not use the data obtained on request to develop a competing product.
Manufacturers can still access and use data from products or related services they offer if the user has agreed. Users shall be informed of the intended use of their data by the manufacturer, the service provider or a third party.
Data can be made available to third parties upon the request of the user. However, such third parties cannot be gatekeepers, as defined in the Digital Markets Act. For instance, users could decide to make the data available to providers of aftermarket services.
The obligations stemming from this Chapter do not apply to micro and small enterprises. However, those micro and small enterprises shall not have partner enterprises that do not qualify as micro or small enterprises.
Conditions under which data is made available
Chapter III sets the conditions of data sharing in case data holders are legally obliged to make data available. Such an obligation to share can stem from the user's right to share data with third parties (see above) or from an EU or national law. The conditions and the compensation to make data available to a data recipient shall be fair and non-discriminatory. The compensation shall be reasonable. In case parties disagree, dispute settlement bodies certified by the Member States may intervene.
The data holder may use appropriate technical protection measures, including smart contracts, to prevent unauthorised access to the data.
The Data Act goes one step further for SMEs: any compensation set for SMEs cannot exceed the cost incurred for making the data available. Chapter IV of the Data Act covers this particular case of unbalanced power between an SME and another company. Contractual agreements on data access shall not take advantage of imbalances in negotiating power. The Data Act sets an "unfairness test". Such a test comprises a general definition of what is unfair and a list of clauses that are always unfair or presumed to be unfair.
The Commission proposes model contractual terms on access to and use of data. Such models are voluntary.
Making private sector data available to governments
While the Data Governance Act facilitates the reuse of public sector data, the Data Act encourages the reverse flow. Thus, in certain situations, the private sector is obliged to make data available to the public sector. This obligation primarily concerns public emergencies (natural disasters, health crises, etc.). In such situations, data is made available for free.
The obligation to share data can also apply to situations where public sector bodies have an exceptional need to use certain data, but such data cannot be obtained on the market.
Facilitating switching between cloud and edge services
Chapter VI of the Data Act introduces regulatory requirements of a contractual, commercial and technical nature imposed on cloud/edge providers to enable switching between services. Concretely, this means that providers of data processing services take measures to ensure customers can switch to another data processing service, covering the same service type but provided by another company.
The proposal does not mandate specific standards. However, where European standards or open interoperability technical specifications exist, they shall be used.
Putting safeguards against unlawful international transfers
In the Data Act introduction, the European Commission mentions that "concerns have been raised about non-EU/EEA governments' unlawful access to data". Therefore, Chapter VII of the Data Act addresses this issue.
Cloud providers shall take all reasonable technical, legal and organisational measures to prevent unlawful access that conflicts with data protection obligations under national or EU law.
However, in case of judicial or administrative requests, the Data Act still allows such a transfer if there is an international agreement between the EU and the requesting country. When there is no such agreement, the transfer is also possible if a set of conditions is met.
Developing interoperability standards for data to be reused across sectors
Chapter VIII of the Data Act sets requirements to be complied with regarding interoperability of data spaces and data processing service providers. It also sets requirements for smart contracts.
For operators of data spaces, the requirements include publicly available data structures and formats, as well as a sufficient description of the technical means to access the data, such as application programming interfaces and their terms of use.
For data processing services, open interoperability specifications and European standards shall be performance-oriented, enhance portability and guarantee functional equivalence.
The ultimate goal is to promote a "seamless multi-vendor cloud environment".
Enforcement: complaints and penalties
Member States shall designate a competent authority for enforcement. Natural and legal persons have the right to lodge a complaint with the competent authority if they consider that their rights have been infringed.
Member States shall lay down the rules on penalties in case of infringement of the Data Act.
Further requirements and specifications
The European Commission may adopt delegated acts to introduce a monitoring mechanism on switching charges imposed on providers of data processing services and to specify the requirements on interoperability. It may also publish the reference of open interoperability specifications and European standards for the interoperability of data processing services.
Moreover, the committee procedure applies to adopt implementing acts. The implementing acts will establish common specifications for interoperability and smart contracts where harmonised standards do not exist or are insufficient.
Entry into force
The Data Act shall apply one year after its entry into force (which takes place shortly after the publication in the Official Journal of the EU).
Next steps
The proposal for a Data Act will follow the ordinary legislative procedure, meaning that the European Parliament and the Council will examine and amend the text. They will ultimately have to agree on a common version.
If you have any questions on this topic, please contact Camille Dornier - Policy Manager: camille.dornier@eurosmart.com