Data is an essential part of the digital economy, but many regulators and policymakers are concerned that too often data is held and controlled by a small number of large companies. On 23 February 2022 the European Commission (EC) published a proposal for a new Data Act which aims to solve this data sequestration problem. Together with the recently finalised Digital Governance Act, the Data Act provides the foundation for the EC’s vision to create an economy-wide single European market for data.
The Data Act aims to facilitate the growth of a new data economy in which third party recipients of data are able to access and use the data currently held only for the benefit of data holders to provide new products and services. The Data Act deals with data generated by Internet of Things (IoT) devices, as well as cloud services and data spaces, and it is likely to have the largest impact on manufacturers of IoT products that are sold in the EU market and the people who control the data collected by those products.
What are the main obligations?
The Data Act imposes a range of new obligations relating to “data”, which is defined as any compilation or digital representation of acts, facts or information. This definition is broad and includes both personal and non-personal data, which means personal data will now be regulated by both the Data Act and the EU’s General Data Protection Regulation (GDPR):
Devices must allow all users to directly access their data
Products and related services must be designed to allow users to directly access data generated by the product or service. Where this data is not directly accessible, it should be made available to the user at no additional charge, and where applicable, continuously and in real time.
Data holders must share user data with third parties
At the user’s request, data holders must share a user’s data with third parties. Data holders must also share data with certain public sector bodies where the body has an exceptional need to use the data, such as where data is needed to respond to, or prevent, a public emergency.
Data holders must use reasonable and non-discriminatory contractual terms
The Data Act sets out terms that are, or are presumed to be, unfair. For example, a term which ‘grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing’ will be considered unfair. Compensation for data must also be reasonable, unless the data recipient is a micro, small or medium enterprise, in which case compensation for the data must not exceed the costs directly related to making the data available. In practice, it may be difficult to determine what fair terms and reasonable compensation are.
The data holder also must not discriminate between ‘comparable recipients of data’, including its own affiliated businesses.
Data processing providers must allow switching
The Data Act increases the ease with which data processing services may be switched by requiring providers of data processing services to remove commercial, technical, contractual and organisational obstacles which prevent the customer from switching providers. Examples of barriers to be removed include requiring termination notice periods of longer than 30 days, and preventing the user from maintaining ‘functional equivalence’ in the new data processing service. A data processing provider may only levy cost-based charges for switching for the first three years following commencement, and thereafter no switching charges can be applied.
Data processing providers must not transfer data to jurisdictions with conflicting laws
The Data Act introduces GDPR-like obligations for the transfer of non-personal data outside of the EU. Providers of data processing services are required to take all reasonable measures to prevent international transfer or governmental access to non-personal data held in the Union where the transfer or access would create a conflict with Union law or the national law of the Member State.
Dominant firms are excluded from being data recipients
The EU’s Digital Markets Act allows the Commission to designate a company as a ‘gatekeeper’, based on certain criteria, including its economic position, its intermediation position, and whether its position in the market is entrenched and durable. The Data Act applies special rules to designated gatekeepers. Designated gatekeepers cannot request, nor can they be granted, access to user data generated by products or related services. The reasoning behind this differential treatment is that these companies already have the ability to acquire significant amounts of data; it is therefore neither necessary nor proportionate to make these companies beneficiaries of the data access rights in the Data Act.
New requirements for smart contracts
The Data Act lays down essential requirements for smart contracts for data sharing. Smart contracts are computer programs on electronic ledgers that execute and settle transactions based on pre-determined conditions. In the EU’s research, 80% of industry respondents thought that smart contracts would be the key to unlocking a fair data sharing regime between users, data providers and would-be data recipients. The Data Act’s smart contract obligations apply to those who integrate smart contracts into applications, and those whose trade, business or profession involves the deployment of smart contracts. Smart contracts must offer a high degree of robustness; have mechanisms for safe termination and interruption; have data archiving and continuity functions for the smart contract code and logic so the archived data can be reviewed to track past disclosures; and have rigorous access control mechanisms. Operators of data spaces are required to ensure interoperability of smart contracts with their services and products, which means a user can ‘bring their own’ third party smart contract.
The proposed Data Act is not yet in force and will likely come into effect by 2024. Device manufacturers and data holders will need time to develop new systems to allow data to be directly accessible or shared in real time with users and data recipients, and to redraft and renegotiate their contracts for data processing.
Comparison with Australia
The Australian government introduced the Consumer Data Right (CDR) in 2020. The CDR has comparable objectives to the Data Act, including enhancing decision making by consumers, encouraging innovation, and enabling businesses to realise the value of data. However, the reforms take different approaches which result in key differences between the obligations to share data in the EU and in Australia.
The CDR in Australia is a much more hands-on regime: for example, the government and standards-setting body help create sector-specific rules and data sharing standards. Such standards are required because in most industries there is a lack of adequate standards for sharing, as data holders are generally accustomed to determining unilaterally how they will code and store their data. See our article summarising the EC report on Consumer IoT for a further discussion of the lack of standards in the IoT ecosystem.
By contrast, the Data Act does not currently provide a solution for the lack of standards, although the regulation foreshadows the Commission’s power to step in and mandate standards. As the Data Act operates on an economy-wide basis rather than sector-by-sector like the CDR, there is a strong emphasis on economy-wide data standards and data formats because:
“High quality and interoperable data from different domains increase competitiveness and innovation and ensure sustainable economic growth. The same dataset may potentially be used and reused for a variety of purposes and to an unlimited degree, without any loss in its quality or quantity.”
The CDR is also more explicitly consumer-centric and provides frameworks for the protection of consumers. For example, the consumer experience standards strictly govern interaction between the data holder, data recipient and the CDR consumer to ensure that the regime is consistent and easy to use, and that any consent received under the regime is genuine and informed. Importantly, the Data Act anticipates a contractual relationship between data holder and data recipient as well as reasonable compensation for the sharing of data. Under the CDR, the relationship between the data holder and data recipient is governed by the CDR rules and there is no contractual relationship between the parties. Data holders are also only able to charge a fee for data sharing in very limited circumstances.
Conversely, the consumer-centric nature of the CDR allows the government to take a more hands-off approach to uses of data once consent has been received. For example, the Data Act prevents data recipients from using the shared data to create IoT products or services that compete with the original data holder. While it is expected that the data under the CDR will be used to create new products, provided the consumer provides the necessary consent, there is no prohibition on using the data to create or improve products or services that compete with the original data holder. The Data Act says that this restriction is intended to “avoid undermining the investment incentives for the type of product from which the data are obtained.”
As the CDR is being introduced sector-by-sector, beginning with Banking followed by Energy, Telecommunications and Financial services, the CDR does not yet cover the IoT ecosystem. We will be watching with interest to see if the government will be influenced by the introduction of the Data Act when considering the next priority sector.