The European Data Act (EU-DA) is a proposed regulation that aims to harmonize rules on fair access to and use of data within the European Union. It is seen as the second pillar of the overall European strategy for data, complementing the Data Governance Regulation. The purpose of this article is to provide an analysis of the Data Act, including its scope, potential benefits and drawbacks, and its impacts on data-driven companies. It will also ensure fairness by setting up rules regarding the use of data generated by Internet of Things (IoT) devices.
The aim is to use new regulations to better exploit the economic potential of the ever-increasing volume of data and to maximize the economic potential.
What is the scope of the European Data Act?
Due to the broad scope of application, this covers any digital representation of acts, facts or information generated by the use of a product or associated service. Data is understood to include both personal and non-personal data, making the scope of application of the Data Act wider than that of the GDPR.
The Data Act aims to provide users with the ability to assess the data and to share it with third parties under certain conditions. Additionally, the draft and corresponding regulations seek to foster a competitive market for data. This concerns in particular manufacturers of products and providers of connected services placed on the market in the Union, data controllers (Art. 2 Nr. 6 EU-DA), users (Art. 2 Nr. 5 EU-DA) of networked devices and providers of data processing services.
What is the relation between the European Data Act and GDPR?
The Data Act is expected to complement the GDPR. While the focus of the GDPR is primarily on creating legal bases for the processing of personal data, the Data Act aims to facilitate the circulation and accessibility of data. Even though the Data Act takes contractual provisions into account as data processing bases, the aim of this draft is primarily to enable the circulation and accessibility of non-personal data and not to create legal bases for their processing. However, the use of a product or related service may generate data, that pertains to an identified or identifiable natural person, making it personal data. Such data processing remains subject to the provisions of the GDPR, even though personal and non-personal data are often inextricably linked in a single data set.
Therefore, where personal data is collected and falls within the scope of the Data Act, both regulations must be observed.
A potential issue could arise in the transfer of personal data under the Data Act, where a non-data subject who is also a user seeks to transfer personal data of another person to third parties. For instance, according to recital 24 of the Data Act, the Data Act itself cannot be used as a legal basis for processing under Art. 6 I lit. c of the GDPR.
How will the Data Act work in practice and what are its most important regulations?
Chapter II of the Data Act is critical for B2C and B2B sectors as it sets out important regulations regarding data transfers from companies to consumers as well as between companies. It outlines the rights of users of a product or related service and enables them to assert these rights.
The Data Act places a central obligation on companies to make data generated during the use of products or related services available, as stated in Art. 3 of the EU-DA. Additionally, companies must provide transparent information before concluding a purchase, rental, or leasing contract for an IoT product, as set out in Art. 3 II of the EU-DA.
Furthermore, the Data Act seeks to prevent the abuse of contractual imbalances that may hinder fair data sharing. To this end, the Commission is developing model contract clauses to assist market participants in drafting and negotiating fair data-sharing contracts.
Article 5 of the EU-DA regulates the disclosure of data to third parties upon the request of a user.
The Data Act will make more data available for the benefit of companies, citizens, and public administrations through a set of measures such as:
- Measures to increase legal certainty for companies and consumers who generate data on who can use what such data and under which conditions.
- Measures to prevent abuse of contractual imbalances that hinder fair data sharing. Therefore, the Commission needs to develop model contract clauses to help such market participants and negotiate fair data-sharing contracts.
What challenges could the Data Act entail?
The Data Act has the fundamental potential to achieve important goals in the EU internal market and to enable a wider use of collected data, but it is also viewed critically by large parts of the economy.
On the one hand, the categorization of companies is criticized, it is mainly small start-ups that shape and partly dominate the market, and it is not possible to draw conclusions about the balance of power categorically based on the size of the company. The existing exchange of data between companies is also underestimated in the draft.
On the other hand, there could be significant challenges in applying the Data Act in practice, such as the difficulty of companies assessing whether their products fall within the scope of the Data Act or how to take into account the complex interaction with the requirements of the GDPR. Therefore, it is advisable for companies to deal with the requirements of the Data Act at an early stage and to evaluate the proposed regulations and take measures or make necessary preparations if needed.