Like us, those interested in data regulation have most likely earmarked February 23, 2022 in their calendars, as the date of publication of the proposal for a Regulation on ensuring fairness in the allocation of value across the data economy (Data Act).
The Data Act, which constitutes an integral element of the European Data Strategy, has attracted considerable attention since its announcement. With the Data Act, the EU Commission aims to facilitate the access, exchange and use of the increasingly valuable resource “data” between businesses and with governments. While the proposal itself has not yet been published, we understand it has the potential to fundamentally restructure the data landscape once again, as the scope of application would seem to be far-reaching and would raise a myriad of questions regarding data access obligations with a complex interplay with GDPR and antitrust requirements.
The obligations – once in force – will likely have a major impact on manufactures of connected products (“Internet of Things”) and providers of related services, as well as providers of data processing services.
It is expected that several regulatory mechanisms known from the GDPR will be expanded under the Data Act. For instance, the new regulations on B2C and B2B data access would not only require manufactures holding IoT-related data to comply with “user access requests” without undue delay and free of charge, but also oblige them to ensure “data access by design”.
Whenever a data holder is legally obliged to provide data to a third party, this shall always be done under fair, reasonable and non-discriminatory terms and in a transparent manner. In this regard, we understand that the EU Commission would issue model clauses (similar to the Standard Contractual Clauses under the GDPR) in order to help the parties draft and negotiate a contract with balanced contractual rights and obligations.
The regulatory regime would differentiate between different stakeholders. Gatekeepers within the meaning of the Digital Markets Act would not be able to benefit from the new regulations, whereas small and micro enterprises would receive special protection and be largely exempt from any obligations. Special provisions are also envisaged for the public sector. In case of public emergencies and situations of exceptional need all data holders would have a general obligation to provide data to the public sector if the requested data cannot be obtained otherwise.
In addition to the access obligations, the Data Act will also promote the switching between providers of cloud, edge and other data processing services. In the long term, users would be able switch without having to fear any fees. However, that is not all. Providers of data processing services would also have to take reasonable technical, legal and organisational measures, including contractual arrangements, in order to prevent international transfer or governmental access to non-personal data held in the European Union where such transfer or governmental access would create a conflict with EU law. This would basically mean that the data protection requirements for international data transfers which so far only apply to personal data would be extended to non-personal data, at least for those service providers.
We understand that the Data Act would also be influenced by the GDPR when it comes to enforcement. With regard to administrative fines, we are expecting the Data Act to propose fines up to EUR 20 million or 4% of annual group turnover, whichever is higher.
One might well wonder whether this is really going to happen and if so, when. Whereas the other elements of the EU Digital Strategy (such as the Data Governance Act or the Digital Markets Act) are due to be formally adopted in the upcoming months, the Data Act is still in the early stages of the legislative process. Given the Data Act’s ambitious scope and the difficulties it has had going through the Commission’s internal approval process to-date, it can be assumed that the Data Act will be the subject of considerable debate and amendment as it goes through the legislative process. Nevertheless, companies should assess whether they might potentially fall under the scope of the Data Act and assess the potential business impact that the implementation would entail.