The EU is rapidly driving its Digital Strategy forward. One of its key pillars is the Data Act – designed to facilitate industry-wide access to and sharing of data to foster innovation. This creates a tension not only with existing privacy laws, but also with companies’ interests to protect their proprietary and confidential information. This blog post sheds some light on the potential conflicts with existing regulations and how this may affect your business.
The Data Act was proposed by the EU Commission on 23 February 2022. It is part of the European Digital Strategy, aiming to build a legal framework for the digital world. The draft act sets out general rules on making data accessible across all economic sectors to create a single market for (non-personal) data and make currently unused data better available for reuse. It is targeted in particular at the Internet of Things (IoT) space, where products, services and devices of various providers will be connected, interact together and generate data.
Shortly after the Data Act was presented, it became clear that there is considerable interference with existing European legislation protecting legitimate interests of data holders (e.g. Trade Secrets Directive and Database Directive) and data subjects (General Data Protection Regulation). The proposal is in the process of being negotiated between EU member states and the EU Parliament. While some of the criticism from stakeholders is already being picked up (e.g. by the CNIL, Council’s presidency first compromise text, see below 'Looking ahead'), there is still a lot of room for discussion in the current legislative process, in particular to resolve conflicts with existing EU regulation.
Main points of draft Data Act
The Data Act aims
- to facilitate the sharing of data between companies (B2B) and with consumers (B2C), in particular by introducing an obligation to make data generated by the use of connected objects and related services accessible, in return for fair and equitable compensation;
- to facilitate the switching between providers of cloud, edge and other data processing services by regulating the contractual relationship between service providers and customers;
- to allow public bodies to use data held by undertakings in case of public emergencies and situations of exceptional need if the requested data cannot be obtained otherwise.
Existing IP rights and protection of trade secrets
The draft Data Act provides certain carve-outs in consideration of intellectual property rights, such as copyrights or patents protecting e.g. algorithms, encryption or compression processes in relation to the processing of data covered by the Data Act. Conceptually, the Data Act does not affect data holders’ IP rights in this respect.
A more complicated issue is the interplay with the protection of proprietary or confidential information, in particular trade secrets, governed by the Trade Secrets Directive. In principle, the access rights set out in the Data Act also cover data qualifying as such information – but in the case of trade secrets, the draft proposes a prerequisite requiring that all specific measures to preserve confidentiality of trade secrets must be ensured. In addition, trade secrets would only have to be disclosed to third parties to the extent that they are strictly necessary to fulfill the purpose agreed between the user and the third party.
But even with such restrictions in place, there is much uncertainty about how effectively trade secrets would be protected in practice: there is currently no standard for a minimum level of protective measures in place, and it is questionable how effective such measures will be once the data has been shared more widely by the data recipient with other third parties. More generally, the question needs to be addressed whether, in some cases, the data holder’s interest in protecting its trade secrets may outweigh (also in consideration of the fundamental rights involved) the data recipient’s and user’s interest in accessing the data in question. The draft provides no answer on how to deal with this conflict of interest, and how disputes on this issue can be resolved fairly and swiftly.
Another issue is data within the scope of the Database Directive, which establishes, under certain circumstances, a sui generis IP protection for databases. The draft Data Act intends to cut through this sui generis right if the database contains data obtained from or generated by the use of IoT devices/connected products or related services (Article 35). The provision is aimed at avoiding circumvention of users’ rights to access, use and share data as contemplated under the Data Act. Still, there remains some ambiguity about whether such exemption will apply in any case, or only when exercising one’s database rights would undermine legitimate data access under the Data Act (requiring a case-by-case assessment, see Recital 84).
The interplay with the General Data Protection Regulation (GDPR) remains unclear as well. While the GDPR regulates the processing of personal data, the Data Act applies to all data generated by the use of a product or related services, be it personal or non-personal data. The proposed Data Act stipulates that the application of existing data protection rules and principles shall not be affected or undermined.
Still, the relationship to the GDPR appears challenging insofar as the data access by design principle stipulated by the Data Act may conflict with data protection regulation, in particular with the data minimization principle. Data holders that fall under the obligation to share their data under the Data Act must assess whether the GDPR is applicable, especially whether the shared data refer to personal data or not. Depending on the result, different requirements must be met.
The GDPR provides for a data portability right of the data subject, only applicable if personal data are concerned. It allows - under certain conditions - data subjects to move their data between controllers who offer competing services. However, the Data Act enables users of connected devices to obtain access to any data they generate, irrespective of whether it is personal or non-personal data. The Data Act stipulates that it shall complement the GDPR’s data portability rights. This leads to open questions as certain rules in the GDPR on data portability are stricter than in the Data Act. The GDPR requires data processing based on consent or contract while under the Data Act, the data portability right is applicable to users that are data subjects irrespective of the legal ground on which the processing of the personal data is based (Article 1 (3) and Recital 31).
Similar to the GDPR, the Data Act provides for restrictions on international data transfers, especially requiring service providers to put safeguards in place to prevent access by non-EU authorities. However, these rules do not contain any exceptions as provided for in the GDPR (e.g., anonymization of data) and therefore the Data Act seems stricter than the GDPR. Further guidance and requirements for the international data transfer of non-personal data, as they exist for personal data, will probably follow once the Data Act is in place. A European Data Innovation Board, yet to be established under the Data Act, shall advise and assist the Commission in developing such guidelines.
Looking ahead
The Commission's draft is still under negotiation. The Czech presidency of the Council recently pitched its first compromise text in July and August 2022 (more to follow, as these texts don’t cover the entire Act yet). It remains to be seen if and how existing ambiguities will be addressed and if tensions with existing regulations can be avoided or at least softened. Notably, the draft proposes an implementation period of only 12 months once adopted. Therefore, companies should familiarize themselves with the regulations of the Data Act early enough and work out the operational impact of any potential contradictions with other existing regulations.
You can find further analysis on the Data Act in our blog posts ‘Data access by design? EU plans major overhaul of data-sharing rules with the forthcoming Data Act’ and ‘Products and services in scope of the proposed EU Data Act’.