Recognising the amount of data that continues to be generated, which it estimates will increase from 33 zettabytes in 2018 to 175 zettabytes by 2025, and the underutilisation of that data, the European Commission has published draft legislation which will regulate the use and access of data generated in the EU, across all economic sectors.
In what is described as the “last horizontal building block of the Commissioner’s data strategy”, the Data Act is intended to address the “legal, economic and technical issues” that lead to data being under-used. The new rules will make more data available for use/reuse and are designed to position the EU as a global leader in a data-agile economy. Significantly, the European Commission estimates that 80% of data is never used and believes that by unlocking its potential it can create €270 billion of additional GDP by 2028.
Not to be confused with the GDPR, which relates to personal data only, the Data Act will capture almost every type of information that can be digitised and should stimulate a competitive data market, open opportunities for competition in the aftermarket service and repair of connected devices, empower European citizens, businesses and organisations to ‘make better decisions based on insights gleaned from non-personal data’, complement the right of data portability of individuals under the GDPR and lead to new and data-driven, innovative services. Put another way, the Data Act will cover all data that is non-personal in nature, also referred to as industrial data.
With this regulation the EU seeks to create “a fairer distribution of the value from data, reduce the digital divide” and reconfirms its firm stance: “that data should be available to all, whether public or private, start-up or giant”.
Overview of the Data Act
With 41 articles, there is a lot to consider. To assist with getting to grips with what exactly this ground-breaking act entails, we set out below a summary of the principal aims of the Data Act followed by a more in-depth analysis of some of its key features.
Some of the main proposals of the Data Act include:
- Measures to allow users of connected devices to gain access to data they generate which is often held exclusively by manufacturers, as well as measures for users to share that data with third parties. In theory, this should provide greater control to users of the data that they generate, beyond anything that may already be captured by the GDPR.
- Measures to rebalance negotiation power to SMEs by preventing abuse of contractual imbalances in data sharing contracts. Interestingly, the European Commission is to develop model contractual terms to help such companies in negotiating fair contracts.
- Means for public sector bodies to access and use data held by the private sector that is necessary for “exceptional circumstances”.
- New rules allowing customers to effectively switch between cloud data-processing service providers and putting in place safeguards against unlawful data transfers.
- Importantly, the Data Act aims to remain consistent with the existing rules of the GDPR, the confidentiality of communications and provisions under the ePrivacy Directive.
Some of the intended benefits of the Data Act, as envisaged by the European Commission, include:
- Cheaper prices for aftermarket services and repair of connected objects.
Users will be entitled to require that the manufacturer of devices provide access to third-party repair services.
- New opportunities to use services relying on access to this previously inaccessible data.
In an example relied upon by the European Commission, a farmer cannot, currently, outsource data analytics of the data collected from different pieces of equipment operated, as access to that data is generally restricted to the manufacturer. Under the Data Act, that same farmer will now be entitled to require that those manufacturers make that data available, opening the market to new services and allowing the farmer to receive custom advice from an independent third party based on information collected from multiple pieces of equipment.
- Better access to data collected or produced by a device.
In a further example, both a coffee shop and a coffeemaker company want to improve their service/product. Currently, only the coffeemaker has access to the data produced by its devices. The Data Act clarifies that both parties will be entitled to access all of the data generated and collected.
Key features of the Data Act
The Data Act is broken into eleven chapters covering definitions, contractual requirements, interoperability obligations, enforcement and monitoring. Set out below is a chapter-by-chapter breakdown of some of the key features you need to be aware of.
Chapter 1 – General Provisions
Some interesting definitions are used with clear links to those adopted by the GDPR:
- ‘Data’ is defined to include almost everything that can be digitised. In particular it captures “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording.”
- A ‘user’ is defined as a natural or legal person that owns, rents or leases a product or receives a service. Similar to the GDPR, it does not include deceased persons.
- A ‘data holder’ is a legal or natural person who has the right, or obligation, to make available data which is non-personal in nature and is derived through the control of the technical design of a product or related services.
- A ‘data recipient’ is a legal or natural person, in the context of their trade, craft, business or profession, to whom a data holder is required to make data available following a request from a user.
- ‘Processing’, much like under the GDPR, covers almost everything that can be done to, or with, data.
Chapter 2 – Data Sharing
Chapter 2 is one of the central and innovative parts of the Data Act. It aims to provide greater legal certainty for consumers and businesses in accessing data generated from products and related services.
It provides that:
- Manufacturers and designers are to design products in a way that makes the generated data easily and securely accessible by default.
- Manufacturers and designers are to be sufficiently transparent on what data will be accessible and how that data can be accessed.
- Where data is not directly accessible by a user, a data holder is to make available to the user, and in certain instances, third-parties, the data generated by its product or service without “undue delay, free of charge and, where applicable, continuously and in real time.”
- Micro and small enterprises (effectively any enterprise which employs fewer than 250 people and has a net annual turnover of less than €50 million) are to be exempt from the obligations of Chapter 2.
Chapter 3 – Obligations for Data Holders when required to make Data available
Where Chapter 2 sets out the obligations on data holders to make data available to users and third parties, Chapter 3 sets out the rules to be adhered to when making that data available:
- Where a data holder is obliged to make data available to a data recipient it must be done subject to “fair, reasonable and non-discriminatory terms.”
- A data holder can agree with a data recipient the terms, subject to certain conditions, for making the data available. Such contractual terms will not be binding where they derogate from, or vary, a user’s rights under Chapter 2.
- Any compensation agreed between a data holder and a data recipient for making the data available is to be reasonable.
- Significantly, Member States are required to ensure the availability of certified dispute settlement bodies to settle disputes in relation to the determination of “fair, reasonable and non-discriminatory terms” and the transparent manner of making data available. Settlement bodies are to be independent, have a sufficient level of expertise, and are to provide decisions within 90 days in a “swift, efficient and cost-effective manner”.
Chapter 4 – Unfair Terms
Contractual terms concerning the access to, and the use of, data, including liability and remedies, will not be binding where they are unfair. An unfair term is defined as a term that “grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing”.
Chapter 4 also provides examples of instances where a term is presumed to be unfair, including:
- Where the object or effect of the term is to exclude or limit liability in favour of the party who unilaterally imposed the term for intentional acts or gross negligence.
- The exclusion of remedies available to a party, where the term has been unilaterally imposed, in cases of non-performance of contractual obligations or liability of the party imposing the term in case of a breach of those obligations.
- Where a party unilaterally imposes a term providing an exclusive right to determine whether the data supplied is in conformity with the contract or to interpret any part of the contract.
Chapter 5 – Public Bodies
Chapter 5 provides for a mechanism which can be availed of by public sector bodies to acquire data in unique situations. In essence, the proposed mechanism provides obligations on data holders to make data available to a public sector body in order to prevent, or recover from, a public emergency or where an “exceptional need” arises.
The chapter is prescriptive in the manner in which the request is to be made, requiring that the public body demonstrate the exceptional need for the data, as well as the purpose, intended use and the duration that the public body will hold the data. Notably, no further guidance is provided in the current wording of Chapter 5 as to what amounts to an “exceptional need”, giving rise to concern as to its compatibility with the data protection principles enshrined by the GDPR.
In cases of non-compliance by a data holder, penalties may be imposed pursuant to Article 33 (see below at Chapter 9).
Chapter 6 – Switching between Data Processing Activities
Under Chapter 6, providers of data processing services will be required to take certain measures to ensure that customers can switch to another data processing service provider, easily and efficiently, while maintaining a minimum level of functionality and security during any switch-over period.
Minimum measures are to be included in service contracts and are to include:
- Clauses allowing customers to switch to a new data processing service provider within 30 days from the date of the request to switch.
- The original service provider is to assist, and where feasible, complete the process and to ensure full continuity in the provision of the respective functions or service.
- Providers of data processing services are to gradually withdraw switching charges imposed on customers.
- While the Data Act does not mandate specific technical standards or interfaces, services are to be compatible with European standards or open interoperability technical specifications.
Chapter 7 – International Safeguards
Chapter 7 requires that providers of data processing services are to take all reasonable technical, legal and organisational measures to prevent international transfers or governmental access to non-personal data held in the EU, where such transfers would conflict with EU or member state laws.
Where a court or a tribunal of a third country seeks the disclosure or transfer of data subject to the Data Act to a jurisdiction outside the EEA, it must be done pursuant to an international agreement or, in the absence of such an agreement, subject to certain conditions, including: providing reasons as to why the data is being requested by reference to the specific facts of the case and that the court or tribunal is lawfully empowered to take into consideration the legal interests of the provider of the data, protected by EU law.
Thankfully, the Data Act provides that the European Data Innovation Board (which is to be created under the Data Governance Act) will provide guidelines for this space.
Chapter 8 – Interoperability
While technical in nature, Chapter 8 is significant as it provides that operators of data spaces and data processing service providers are to ensure that essential requirements are implemented and/or complied with when it comes to the interoperability of data. The chapter also provides for similar essential requirements regarding the use of smart contracts for the sharing of data.
The Data Act provides that the European Commission may introduce guidelines as necessary for this space, which, like those planned for international transfer safeguards, would be very much welcomed.
Chapter 9 – Implementation and Enforcement
Much like Article 57 of GDPR, Article 31 of the Data Act provides for an implementation and enforcement framework requiring Member States to appoint competent authorities to oversee it.
New authorities may be established, or reliance can be placed on existing authorities. How this would work in Ireland remains to be seen. The Data Protection Commissioner would seem a ready-made, obvious choice but adding to its workload may be counterproductive given the well-documented toll that the enforcement of the GDPR alone is already taking on the Commissioner’s resources.
The right to lodge a complaint to a competent authority is also provided for as is the requirement that Member States lay down penalties for infringements.
Chapters 10 and 11 – Sui Generis Rights and Final Provisions
Chapter 10 provides that the sui generis rights established under Directive 96/9/EC for the legal protection of databases do not apply to databases containing data generated by the use of a product or service with a view to hindering the rights of users to access and use that data as provided for in Chapter 2 of the Data Act.
Finally, Chapter 11 provides that the European Commission can adopt further acts to introduce a monitoring mechanism on switching charges imposed by providers of data processing activities and to provide further specifications on the essential requirements of interoperability.
The Data Act unquestionably breaks new ground when it comes to the accessibility to, and use of, industrial / non-personal data. While the Data Act is still in its infancy and is yet to be finalised, it is clear that it has the potential to uproot out-of-date approaches to the use and access of data and provide greater control to users.
However, despite the fact that the Data Act makes clear its intention not to disrupt the current data protection framework, there are concerns that it does not go far enough to set down clear boundaries and limitations when it comes to data created by individuals or users, which may tread into the realm of personal data.
In a Joint Opinion published by the European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) on 5 May 2022, the opinion welcomes the efforts made to ensure the Data Act complies with current data protection laws. However, the opinion calls for stringent definitions and limitations as to what is necessary and proportionate when it comes to the use of data generated by a user which may allow for “precise conclusions” to be drawn from a person’s private life or amount to a high risk to their data protection rights.
Further, in the absence of any clarity in the Data Act as to what amounts to an “exceptional need”, both the EDPB and the EDPS have “grave concerns” that, in its current format, the provisions under Chapter 9 are open to misuse and may lead to arbitrary or unlawful interferences into the private lives of individuals.
Once finalised, there will then be a 12-month period to implement the Data Act, which we can expect to conclude in late 2023 / early 2024.
For more information on the content of this Insight please contact:
Lorcan Moylan Burke, Associate