Dec 52023

Agreement Reached on the EU’s Data Act

Francesca Blythe, Lauren Cuyvers and Mhairi Cameron
, , , , , , ,

On 27 November 2023, the Council adopted the final text of the Data Act which facilitates (and in certain cases, mandates) the access to (personal and non-personal) data. The Data Act was originally proposed by the European Commission in 2022. Alongside the EU Data Governance Act (which came into force in June 2022) the Data Act forms part of the EU’s Data Strategy which aims to “make the EU a leader in a data-driven society”.

The Data Act – which has a very broad scope – imposes obligations on: (i) manufacturers of connected products (e.g., smart watches) and providers of related services who provide those products/service in the EU, (ii) data holders who make data available to data recipients in the EU, (iii) data recipients in the EU to whom data are made available, (iv) EU public sector bodies (incl. the EU Commission and EU Central Bank) and other EU bodies that request access to data from data holders in exceptional circumstances, (v) providers of data processing services to EU customers (incl. cloud and edge providers), (vi) participants in data spaces and vendors of applications using smart contracts as well as the individuals who deploy those smart contracts for others in a professional capacity. New rights are in addition afforded to (vii) users within the EU of connected products or related services.

The Data Act imposes broadly the following five types of requirements in relation to each of the actors mentioned above:

a.  In relation to (i) and (vii), facilitating user and business access to ‘product data’ generated by connected (or IoT) devices and related services (i.e., data sharing in a business-to-consumer context or in a business-to business context upon the user’s request);

b.  In relation to (ii), (iii) and (iv), providing a general legal framework regulating mandatory data access in certain circumstances between private entities (i.e., in a business-to-business context) and private and public entities where there is an exceptional need in the public interest (i.e., in a business-to-government context);

c.  In relation to (v), avoiding vendor lock-in by making it easier for users to switch between cloud data processing providers, with the aim of promoting competition, and restricting unfair, unilaterally imposed contract terms applicable to voluntary data sharing agreements; and

d.  In relation to (v), providers of data processing services, safeguarding against unlawful international governmental access to and transfer of non-personal data and supporting the development of interoperability standards to facilitate data access, transfer and use.

e.  In relation to (vi), ensuring fairness in smart contracts, imposing protections such as easier termination and access controls, and requiring vendors of smart contracts to perform conformity assessments.

The Data Act is a horizontal (i.e., sector-neutral) piece of EU legislation – and in that sense complements more vertical pieces of legislation such as the proposed European Health Data Space Regulation (“EHDS”) which among other things, will regulate and mandate access to electronic health data and the proposed Financial Data Access Act (“FIDA”) which will facilitate the sharing of and access to customer financial data (whether of businesses or consumers).

The Data Act, along with adjacent legislative frameworks such as the proposed EHDS, FIDA and Data Governance Act, and the creation of the common EU data spaces, will be an important catalyst for AI in the EU as they all support the common notion of making data more widely accessible – including for the training of AI models and algorithms – and as such are a key pillar to supporting the EU digital market.

Throughout the legislative process the Data Act has undergone a number of amendments.

A summary of key discussion points that arose during the negotiations, and how these were addressed in the final text, is set out below:

1. Extra-territorial scope: The extra-territorial scope of application of the Data Act was heavily debated throughout the legislative process. In that regard, the final text applies on an extraterritorial basis to (i) manufacturers of connected products who commercialize those products in the EU and providers of related services in the EU (e.g., repair and maintenance services) (irrespective of the manufacturers’ and providers’ place of establishment inside or outside the EU); (ii) data holders inside and outside the EU (i.e., entities who exercise control over data and are subject to an obligation under EU law to grant access to data) that make data available to data recipients in the EU; and (iii) providers of data processing services inside and outside the EU (including cloud and edge computing) who provide those services to customers in the EU.

The material scope of the Data Act in relation to the mandatory data sharing obligations for data collected through connected devices (i.e., those mentioned under point (a) above) was also a key point of negotiation. In this regard, the final text confirms that data covered by these requirements relate to the technical event (product) data and metadata which are generated by the user’s use of the connected device such as data logged by the device through sensors, embedded applications, malfunctions, etc. However, these data sharing obligations under the Data Act do not extend to content that is stored on or processed through the connected device.

2. Trade Secrets: Another key point during legislative negotiations was the discussion around how trade secret and copyright protection can be reconciled with the Data Act’s data access requirements. Initial drafts of the Data Act provided more limited protection for trade secrets, in favour of robust data access rights. However, the final text (in part) acknowledges the concerns raised by industry that, without adequate protections, the data collected by connected devices and shared under the Data Act on a mandatory basis could reveal proprietary information and, in turn, could be abused by competitors and ultimately disincentivize innovation. Whilst mechanisms have been included for companies to safeguard their proprietary data and in exceptional circumstances, to refuse to comply with a data access request, the thresholds for doing so remain high (and for instance, would require the data holder being able to demonstrate that it is ‘highly likely to suffer serious economic damage’) and reliance on the exception would (amongst other things) require notification to the competent authority.

3. Relationship with the GDPR: The Data Act applies to both personal and non-personal data and is in that sense is significantly broader in scope than the GDPR. But, the Data Act also confirms that legislative frameworks such as the GDPR and the e-Privacy Directive may apply in parallel and may prevail over the Data Act in case of conflict. As such, the Data Act’s final text clearly establishes that the user’s data access and portability rights under the Data Act are meant to supplement, and not supersede, the individual’s rights under the GDPR. In addition, any access to personal data can only be granted where an appropriate legal basis under Art. 6 – and, where applicable, Art. 9 – of the GDPR has been established by the data holder. The final text of the Data Act now explicitly establishes that, only where the Data Act includes an express legal requirement to share personal data, the data holder would be able to rely on “compliance with a legal obligation” as a legal basis under the GDPR. For any other data sharing/processing, such as data collection or generation, an alternative legal basis would need to be relied on.

Next Steps

Following the adoption of the Data Act’s text by the Council on November 27, which marks the final step in the legislative process, the Data Act will be officially published in the EU’s Official Journal soon and enter into force 20 days after publication. Most of the Data Act’s provisions become applicable (i.e., enforceable) 20 months after the Data Act enters into force. Within 32 months after entry into force, new connected products must be designed in compliance with Data Act standards – including, to facilitate the Data Act’s reinforced access and portability rights.

The Data Act will be enforced at the national EU Member State level, and does not impose any minimum or maximum amounts for administrative fines. As such, it remains to be seen whether enforcement on the basis of the Data Act will involve fines of the same magnitude as proposed under the other EU digital data laws e.g., the proposed EU AI Act.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

Francesca Blythe

London

fblythe@sidley.com

Lauren Cuyvers

Brussels

lcuyvers@sidley.com

Mhairi Cameron

Trainee Solicitor

mcameron@sidley.com

You might also like
Top 10 Questions on the EU AI Act

The EU AI Act will be the first standalone piece of legislation worldwide regulating the use and provision of AI in the EU, and will form a key consideration in AI governance programs. The AI Act will have a significant impact on many organizations inside and outside the EU, with failure to comply potentially leading to fines of up to 7% of annual worldwide turnover.

EU Formally Adopts Cyber Law for Connected Products

On 12 March 2024, the European Parliament approved the EU Cyber Resilience Act (“CRA”) with a large majority of 517-12 votes in favor of the legislation (with 78 abstentions). The CRA aims to ensure that “products with digital elements” (“PDE”) i.e., connected products such as smart devices, and remote data processing solutions, are resilient against cyber threats and provide key information in relation to their security properties.

Chambers 2024 Global Practice Guides for Data Protection & Privacy and Cybersecurity
The newest editions of the Chambers Global Practice Guides have been published and, once again, Sidley lawyers have contributed to two guides: Data Protection & Privacy 2024 and Cybersecurity 2024. These publications cover important developments across the globe and offer insightful legal commentary for businesses on issues related to data privacy and cybersecurity, such as regulatory enforcement and litigation, global cooperation to combat cybercrime, international agreement on ‘Software Security by Design,’ a global approach to policy on artificial intelligence, and more. Sidley partner Alan Charles Raul is a contributing editor to both guides in addition to authoring the introductions. The UK chapters of Cybersecurity 2024, covering “UK Law and Practice” and “UK Trends and Development” were authored by Sidley lawyers William Long, Francesca Blythe, Denise Kara, and Eleanor Dodding.