On 27 November, the final text of the EU’s Data Act (the Act) was formally approved by the European Parliament and the European Council.
It will enter into force 20 days after its publication in the EU’s official journal, which is expected in the coming days. However, the majority of its provisions will only apply 20 months after it enters into force.
Scope of the Act
The Act, which takes the form of a directly applicable EU regulation, has three central focuses:
- remove obstacles to the process of switching between providers of “data processing services” and to the portability of data generally;
- increase the interoperability of data and data services; and
- increase accessibility to data generated by “connected products” and “related services”.
“Data” is defined very broadly under the Act as “any digital representation of acts, facts or information”, so the provisions of the Act will be of wide application and also, importantly, apply to both personal and non-personal data.
The overarching goals are to stimulate a competitive data market, by allowing greater access to data and removing barriers to changing data service providers.
This article aims to provide a summary of the principal provisions by looking at six key areas covered by the Act:
- Part A: Switching between data processing services
- Part B: Interoperability Obligations
- Part C: Business-to-Business Data Sharing Agreements
- Part D: Connected Products and Related Services
- Part E: Obligations in respect of requests from public authorities
- Part F: Enforcement
Part A: Switching between “data processing services”
Data processing services are digital services that enable “on-demand network access to a configurable, scalable and elastic shared pool of distributed computing resources”. The definition appears intended to cover any Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) offering, including resources such as cloud services, networks, servers or other virtual infrastructure, software, and data storage services.
It should be noted that the phrase “data processing” in this context is unrelated to how that phrase is understood within the GDPR framework.
Obligations of Data Processing Service Providers (DPSPs)
DPSPs must implement a number of specific measures to enable customers to switch DPSP with minimal difficulty. “Customers” here includes both individual consumers and corporate entities who have entered into a contract for data processing services.
These measures include removing any contractual or organisational obstacles which would inhibit customers from:
- terminating their contract with the relevant DPSP or concluding a contract with a new DPSP;
- porting the customer’s exportable data and digital assets to a different service provider;
- (if providing an IaaS delivery model) achieving functional equivalence of services – i.e. re-establishing a minimum level of functionality in the environment of the new DPSP which is akin to that of the old DPSP; and
- where technically feasible, allowing for the unbundling of certain data processing services from others.
The rights of customers and the obligations of DPSPs in relation to switching between providers must be clearly set out in a written contract. The Act provides a number of specific, technical and, in some instances, potentially onerous requirements which must be provided for in such a contract, including:
- an obligation to provide reasonable assistance to the customer and relevant third parties and act with due care to maintain business continuity for the customer;
- provision of an exhaustive specification of all categories of data and digital assets that can be exported; and
- a default transitional period, of a maximum of 30 days, in which the switching process should be completed, unless technically unfeasible. (If the DPSP intends to claim the transitional period is unfeasible they must justify the technical unfeasibility and propose an alternative period, not exceeding 7 months).
Under Article 29, once 3 years have passed from the entry into force of the Act, DPSPs may not impose any charges on the customer for the switching process. Any switching charges imposed during that initial 3 year period may not exceed the costs incurred by the DPSP that are directly linked to the switching process (i.e. a cost recovery model).
Part B: Interoperability Obligations
Chapter VIII sets out requirements to facilitate the interoperability of data and data sharing mechanisms.
Article 33 imposes general obligations for “participants in data spaces” that offer “data or data services”. Notably, no definition or guidance is provided in the Act in respect of the meaning of “data spaces” or “data services” but from the content of the Recitals, it would appear intended to have a broad application.
Although Article 33(1) sets out a number of broad requirements related to the obligation to provide sufficient descriptions of various elements of data (e.g. the dataset content, use restrictions, data collection methodology, data formats and classification schemes, technical means of access etc.), it does not actually provide specific standards for data services to adhere to. Similarly, Article 35 provides only high level interoperability requirements for DPSPs.
It would seem that the Act intends for secondary legislation to set the specific mandatory standards of data interoperability. The Act acknowledges that data interoperability may be purpose- or sector-specific and provides for the EU Commission, pursuant to Article 10 of Regulation (EU) No 1025/2012, to request one or more European standardisation organisations to draft more detailed harmonised standards that align with the general requirements set out in Chapter VIII. The Act also provides for the Commission itself to adopt common specifications in the event that the European standardisation organisations fail to provide harmonised standards upon request. As such, further detail in this area is awaited before the complete picture emerges.
Part C: Business-to-Business Data Sharing Agreements
Article 13 of the Act sets out a number of rules concerning the contractual terms between businesses which relate to the sharing of and access to data. Essentially Article 13 provides that, where a contractual term concerning:
- the access to or use of data; or
- liability and remedies for breach of data related obligations; or
- the termination of data related obligations
has been unilaterally imposed by one enterprise on another – such a clause shall not be binding on the former enterprise if it is considered “unfair” under the Act.
A “unilaterally imposed” term is one that arises in a take-it-or-leave-it situation, where one party supplies a certain contractual term and the other enterprise cannot influence the content of that term despite an attempt to negotiate it. A contractual term that is simply provided by one party and accepted by the other enterprise or a term that is negotiated and subsequently agreed in an amended form between contracting parties will not be considered to have been unilaterally imposed.
This regime is particularly notable as it appears, within its scope, to significantly erode the freedom which businesses and commercial entities have historically enjoyed to arrange their IT contractual arrangements between themselves largely free of regulatory constraints. Indeed, elements of this regime, including the regulation of the fairness of terms, have echoes in EU consumer protection legislation.
A term will be considered unfair if its use “grossly deviates from good commercial practice in data access and use”, in particular if its effect is to:
- limit the liability of the party that imposed the term for intentional acts or gross negligence;
- exclude remedies available to the party upon whom the term was unilaterally imposed in the case of non-performance of contractual obligations; or
- give the party that unilaterally imposed the term the exclusive right to determine whether the data supplied are in conformity with the contract or to interpret any contractual term.
Article 13 also sets out a number of situations where a contractual term will be presumed to be unfair, for example if its effect is to:
- inappropriately limit remedies in the case of non-performance of contractual obligations;
- allow the party that unilaterally imposed the terms to access and use the data of the other contracting party in a manner that is significantly detrimental to the legitimate interests of the other contracting party;
- prevent the party upon whom the term has been unilaterally imposed from using the data provided or generated by that party during the period of the contract, or limit the use of such data to the extent that the party is not entitled to exploit the value of such data;
- prevent the party upon whom the term has been unilaterally imposed from terminating the agreement within a reasonable period;
- prevent the party upon whom the term has been unilaterally imposed from obtaining a copy of the data provided or generated by that party during the period of the contract or within a reasonable period after termination;
- enable the party that unilaterally imposed the term to terminate the contract at unreasonably short notice; or
- enable the party that unilaterally imposed the term to substantially change the price specified in the contract or any other substantive condition related to the nature, quality or quantity of the data to be shared, where no valid reason exists and the other party has no right to terminate the contract in the case of such a change.
The parties to a contract covered by Article 13 cannot exclude or vary the application of the Article through contractual terms. As such, it will be interesting to see how B2B contracting will take account of this new regime.
Part D: Connected Products and Related Services
“Connected products” are devices that:
- generate data concerning their use or environment; and
- are able to communicate such product data via an electronic communication service, physical connection or on-device setting.
The classic example of such a product is a device that shares information on its use or environment via the Internet of Things.
As per the Act’s recitals, “related services” are services that involve the exchange of data between the connected product and the service provider and which are explicitly linked to the operation of the connected product’s functions. This would include services that remotely transmit commands to the connected product that affect its behaviour. Ancillary services which do not have an impact on the operation of the connected product and which do not involve the transmission of data or commands are not to be considered “related services”. For example, regular repair and maintenance, or the supply of power or connectivity, are not “related services”.
Both definitions appear intended to have a broad scope, encompassing a wide range of products from varied fields including vehicles, health and lifestyle equipment, ships, aircraft, home equipment and consumer goods, medical and health devices, and agricultural and industrial machinery.
The “data” being captured will include both personal and non-personal data produced by connected products, and the provisions of the GDPR will still apply to any personal data involved. The Act is, rather, a further layer of regulation which will attach to such data.
The Act seeks to ensure greater access to the data generated by “connected products” through the user’s use of such products, making such data more accessible to:
- the users of such devices (whether business or consumer users);
- third party service providers to whom users may wish to transfer the data; and
- public authorities who demonstrate an “exceptional need” to access such data.
Obligations in respect of users and data recipients
Under Article 3, connected products and related services must, by default, be designed in a manner whereby the data generated are easily accessible to the user. Before concluding a contract for the purchase or lease of a connected product, the seller or lessor must provide a range of information to the relevant user in respect of the data collected, including:
- the type and volume of data that the connected product can generate;
- whether the connected product will store data on-device or on a remote server and the intended duration of retention; and
- how the user may access or erase the data.
Providers of “related services” must also provide similar transparency information to the user in respect of data to be processed pursuant to the service, in advance of concluding a contract for such services.
The Act imposes a range of obligations on “data holders” – i.e. any person, other than the user, who, in accordance with the Act, has a right or obligation to make data available, including the data generated by connected products and related services.
Under Article 4, where product and related services data (PRS data) cannot be directly accessed by the user from the relevant product, data holders must make PRS data, and relevant metadata, available to a user upon request. The data must be provided free of charge, in a secure, commonly used and machine readable format and where feasible it should be provided continuously and in real time.
A data holder may only use PRS data that is non-personal on the basis of a contract with the user. Data holders may not make non-personal product data available to third parties other than in compliance with their contract with the user. Where relevant, data holders must contractually bind third parties not to further share data received from them.
Under Article 5, a data holder must also share the PRS data with a relevant third party, if a user requests it. Similarly to Article 4, where requested, the data must be provided to the relevant data recipient without undue delay, in a secure, commonly used and machine readable format, without charge to the user.
Where a data holder is obliged under EU law (whether by virtue of a request under Article 5 of the Act or other EU laws) to make data available to a third party acting for commercial purposes (e.g. a person other than a user of a connected product), that third party is considered a “data recipient” under the Act.
Where a data holder must make data available to a third party it must do so in accordance with Articles 8 and 9 of the Act. Article 8 requires data holders to agree with data recipients the arrangements for making the data available, and do so under fair, reasonable and non-discriminatory terms and conditions and in compliance with the provisions under the Data Act relating to unfair conditions (see more detail above). Any compensation agreed between a data holder and a data recipient for making data available in business-to-business relations shall be non-discriminatory and reasonable but may include a margin.
There is a notable saver that, unless otherwise provided for in EU law or by national legislation, an obligation to make data available to a data recipient shall not oblige the disclosure of trade secrets.
Users and data holders may contractually restrict the accessing or sharing of data with users if such processing could undermine security requirements. Any trade secrets contained in product data must only be disclosed where the data holder and the user take “all necessary measures” to preserve their confidentiality. Article 4 sets out the process to be followed where a data holder and a user cannot agree on what such necessary measures should entail.
The user is also prohibited from using PRS data to develop a connected product which competes with the product from which the data was obtained, nor can the user share the data with a third party who has the same intention.
Under Article 10, users, data holders and data recipients shall have access to dispute settlement bodies certified in accordance with the Act, to settle disputes relating to the fair, reasonable and non-discriminatory terms and conditions of making data available.
Part E: Obligations in respect of public authorities
Under Article 14, where a public sector body, the Commission, the European Central Bank or a Union body demonstrates an “exceptional need” to use certain data, in order to carry out its duties in the public interest, data holders which hold those data shall make them available upon a duly reasoned request.
“An exceptional need” to use data must be limited in time and scope and will require conditions such as:
- a public emergency; or
- (where the data involved is non-personal) circumstances where the relevant body has exhausted all other means available to obtain the relevant data, including offering market rates to purchase it, and the specific data identified is needed to fulfil a specific task carried out in the public interest, that has been explicitly provided for by law.
Article 17 provides that, when requesting data pursuant to Article 14, a relevant body must:
- specify the data required;
- demonstrate the existence of an exceptional need;
- explain the purpose of the request, the intended use of the data and how the processing will address the exceptional need;
- specify, if possible, when the data are expected to be erased by all parties that will gain access;
- justify the choice of data holder to which the request is addressed;
- specify any other bodies with whom the data will be shared;
- where personal data are requested, specify any technical and organisational measures necessary to implement data protection principles, such as pseudonymisation or anonymisation;
- state the legal provision allocating to the requesting body the specific task carried out in the public interest relevant for requesting the data;
- specify the deadline by which data are to be made available and the deadline by which a data holder may decline or seek modification of a request; and
- make its best efforts to avoid compliance with the data request resulting in the data holder’s liability for infringement of Union or national law.
Article 17(1)(j) is a particularly striking provision as it would seem to anticipate that a mandatory data request from a public body under Article 14 may bring the data holder into contravention of other Union laws if that request is complied with.
Under Article 17(2), all requests for data made under Article 14 must be specific, proportionate to the exceptional need, duly justified and respectful of the legitimate aims of the data holder, committing to ensuring the protection of any relevant trade secrets.
Part F: Enforcement
Member States must appoint one or more national competent authorities for supervision and enforcement of the Act. National authorities which are responsible for monitoring the application of the GDPR shall be responsible for monitoring the application of the Act, in so far as it applies to personal data.
Member States are also obliged to establish a penalties framework for infringement. Thus, although the Act will be directly applicable as an EU regulation, it will still require substantial transposition. Some critics have flagged that there is scope for a lack of harmonisation to arise in the field of sanctions, as penalties could differ (and perhaps differ significantly) from country to country.
If you would like further information on the Data Act, please contact A&L Goodbody’s Commercial & Technology team.