Trying to Tackle Big Data: European Union Launches Draft Data Act
On 23 February 2022, the European Commission (Commission) proposed a draft of a regulation on harmonised rules on fair access to and use of data – also known as the Data Act. The Data Act is intended to “ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible for all”.
If adopted in its current form, the new rules will impose far-reaching obligations on tech companies (such as manufacturers of connected products and cloud service providers) and give national authorities new enforcement powers to sanction infringements with fines of up to EUR 20 million or 4% of annual global revenue, whichever is higher.
The Data Act is part of the Commission’s broader digital and data strategy, announced in February 2020, to make “Europe fit for the Digital Age”. Since the announcement, the Commission has presented several legislative proposals, including:
(i) Digital Services Act (DSA) – which proposes new content regulation provisions for “online intermediary service providers” (i.e., services such as internet service providers, cloud services, messaging, marketplaces, and social networks). It also identifies a subcategory of “very large online platforms” which would be subject to additional obligations, mainly internal audits on systemic risks like the spread of hate speech and child sexual abuse material;
(ii) Digital Markets Act (DMA) – which proposes a set of obligations (including in relation to collection and sharing of data) for so-called “gatekeeper” platforms to address anticompetitive practices and make digital markets more contestable by competitors;
(iii) Data Governance Act (DGA) – which will implement a number of measures (including the creation of “data intermediation services”) to ensure a secure environment in which companies and individuals can share data; and
(iv) Artificial Intelligence Regulation (AIR) – which addresses the risks stemming from the various uses of artificial intelligence (AI) systems and aims to promote innovation in the field of AI.
Complementing the above proposals, the Data Act is aimed at giving individuals and businesses more control over their data; it regulates data sharing between business to consumer (B2C), business to business (B2B) and business to government (B2G).
Below we set out the key elements of the Data Act, including its scope, main obligations and implications.
Scope
The Data Act will apply to all data – personal and non-personal – generated in the EU. Data is defined broadly as: “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording.”
The Data Act will cover a wide range of stakeholders, including: (i) manufacturers of products and suppliers of services that generate data that are placed on the EU market (e.g., Internet of Things (IoT) products), and users of such products or services, (ii) data holders that make data available to data recipients in the EU, (iii) data recipients to whom data are made available, and (iv) providers of cloud services to EU customers. Small and medium-sized enterprises are exempted from certain obligations.
Key provisions
The proposed Data Act imposes a broad range of obligations, some of the main ones being:
- Data sharing obligations: IoT products and services must be designed and manufactured in a way that will allow users (consumers and businesses) easy and direct access to data. Users may also request that their data are made available to third parties, sometimes even in real time. Data holders are, however, obliged to take all reasonable measures (technical, legal and organisational) in order to prevent unlawful third-party access to data.
- Data sharing T&Cs: The Data Act specifies that data must be shared with third parties on a fair, reasonable, and non-discriminatory basis, and sets out detailed rules to that effect. To enhance compliance, the Commission is also expected to propose recommended (non-binding) voluntary model contractual terms on access to and use of data.
- Cloud switching and interoperability: The Data Act sets out provisions that aim to facilitate switching and interoperability between providers of cloud services. For example, providers must remove all obstacles that inhibit customers from porting their data to another provider and the switching rights of a customer and the obligations of providers must be clearly set out in a written contract. Switching charges will be gradually withdrawn over the course of three years after the entry into force of the Data Act. Cloud service providers are also obliged to take measures to avoid unlawful access to data (e.g., by non-EU governments).
- Exceptional data requests: The Data Act provides for special data-sharing obligations with public sector bodies in times of exceptional need. Such exceptional need circumstances are defined quite broadly and include situations where the requested data is needed to either respond, prevent or assist with the recovery of a public emergency (such as a pandemic) or where the lack of data prevents a public sector body from fulfilling a specific public interest task. In such circumstances, data holders will be required to provide the requested data (non-personal data, insofar as possible) without undue delay.
Enforcement
Once the Data Act is adopted, it will become directly applicable in EU Member States, which will be tasked with its enforcement, including laying down specific rules on penalties (which must be “effective, proportionate and dissuasive”). As is the case in relation to the EU General Data Protection Regulation (GDPR), each Member State will be required to designate one or more responsible enforcement authorities.
Non-compliance with certain obligations could be fined with administrative fines or financial penalties of EUR 20 million or 4% of annual global revenue, whichever is higher.
Next steps
The European Parliament and EU Member States will now debate, and propose their own amendments to, the draft Data Act. The proposal was met with mixed reactions from various stakeholders in the industry. Several stakeholders see this as a positive development (the European Consumer Organisation (BEUC) describes the Data Act as “an important piece of the jigsaw to make sure data can be accessed fairly across industries while giving users full power to decide what happens to the data they generate”,[1] and the Fédération Internationale de l’Automobile European Bureau (FIA EB) “strongly welcomes the Data Act proposal”.[2] However, others fear that the Data Act “risk[s] stifling market trends towards data sharing and data-driven innovation”[3] or could have effects opposite of the ones intended.[4]
With many more stakeholders likely to offer views, the proposal is unlikely to be adopted without amendments, and the approval process of the new laws could take two or more years.
[1] BEUC, “Data Act important for competition and consumer choice” (23 February 2022), https://www.beuc.eu/publications/data-act-important-competition-and-consumer-choice/html.
[2] FIA EB, “FIA EB welcomes Data Act and supports path towards sector-specific legislation” (24 February 2022), https://pr.euractiv.com/pr/fia-eb-welcomes-data-act-and-supports-path-towards-sector-specific-legislation-229133.
[3] EURACTIV, “Industry readies to fight the Commission’s Data Act proposal” (3 February 2022), https://www.euractiv.com/section/digital/news/industry-readies-to-fight-the-commissions-data-act-proposal/.
[4] Digital Europe, “Data Act: Right ambition to unlock data potential, but obligations would hold back Europe’s data-driven recovery” (23 February 2022), https://www.digitaleurope.org/news/data-act-right-ambition-to-unlock-data-potential-but-obligations-would-hold-back-europes-data-driven-recovery/ and BSA “BSA Statement on the EU Data Act Proposal” (23 February 2022), https://www.bsa.org/news-events/news/bsa-statement-on-the-eu-data-act-proposal.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.