The Data Act was initially proposed by the European Commission in February 2022 as the second legislative pillar of the EU’s Data Strategy (the first being the Data Governance Act (DGA)). At its core, the Data Act seeks to facilitate access to data, including with specific provisions addressing the Internet of Things (IoT), and cloud services providers.
On 14 March 2023, the European Parliament approved —by an overwhelming majority—its position on the Data Act. Only a few weeks later, on 24 March 2023, the Council (EU Member States) reached an agreement on its own position.
Now that the European Parliament and the EU Member States have reached their respective positions, the EU institutions have commenced “trilogue negotiations” with a view to finding compromises on sticking points where they have diverging positions and agreeing a final text to be adopted.
An introductory political trilogue has taken place earlier this week, although it remains to be seen through further political and technical discussions to take place over the coming months where common ground is found.
Open hot topics between European Parliament, Council and Commission
We have identified for you some of the points where we can expect heated discussions among the co-legislators and how possible outcomes could look like.
A cornerstone of the Data Act are the new rights for users of connected devices to access and share the data that they generate by their use.
Which types of data shall fall in scope and which will have to be shared has been very much debated among Member States and parliamentarians, and their respective positions are still not fully convergent. The initial Commission proposal defined the scope of the Data Act with a clear focus on the connected products. Now the Council and the European Parliament are both suggesting a scope of application that is focusing also on the functionalities of the data collected by the connected products instead of the connected products themselves. Both are introducing an additional set of provisions listing the types of data covered by the Data Act. For example, when looking at a connected product, the Council suggests that any data concerning the performance, use and environment of this product would fall into the scope. There are still differences in the details between the positions of Council and the European Parliament about the data in scope but focusing on the types of data instead of the products seems to be the common direction of travel.
2) Trade Secrets
In principle, the access rights of the users set out in the Data Act would also cover data qualifying as confidential information. To balance this out with the interests of companies’ trade secrets, the Commission foresaw that data shall only be disclosed if all necessary measures to preserve the confidentiality of trade secrets have been taken in advance. In addition, trade secrets would only have to be disclosed to third parties to the extent that they are strictly necessary to fulfil the purpose agreed between the user and the third party.
Companies holding trade secrets were not satisfied with those restrictions to the data sharing obligations proposed by the Commission and questioned their overall effectiveness in safeguarding trade secrets. The Council tries to address these concerns now by introducing further restrictive conditions under which data holders would have the right to reject data access requests with a view to protecting trade secrets. This is the case if the data holder can demonstrate that, despite the technical and organizational measures taken, it is highly likely that it will suffer serious damage in the event of the disclosure of trade secrets.
However, the European Parliament seems more reluctant to blindly increase the protection of trade secrets holders and has only introduced provisions to require a contractual agreement to be concluded by the parties upfront listing the reasons for refusal. In fact, in case the company wants to restrict data sharing towards the user, the European Parliament limits the contractual grounds to cases the security of the product can be undermined. Where a company is asked to share trade secretes with a third party, this shall be limited to what is strictly necessary to fulfil the request and the company shall be able to suspend the data flow if it turns out that the third party infringes for example its contractually agreed obligations on technical and organisational measures to protect the trade secret. Both the Council and the European Parliament are suggesting some sort of guarantees in terms of access to dispute settlement in this regard.
Finally, there seems to be a consensus that regardless of whether the data are trade secrets or not, they may not be used to manufacture a directly competing product.
3) Data protection
The interplay of the Data Act with the General Data Protection Regulation (GDPR) has been an open issue for the legal expert community since the Commission first published its draft. While the GDPR regulates the processing of personal data, the Data Act applies to all data generated by the use of a product or related services, be it personal or non-personal data. Even though the Commission’s original proposal stipulated that the application of existing data protection rules and principles shall not be affected or undermined by the Data Act, there seems to be a need for greater clarification. The Council and the European Parliament both address this in their respective final drafts by introducing several modifications throughout the whole text to clarify the relationship not only between the Data Act and the GDPR, but also with other horizontal and sectoral legislation. One example being the data portability right under the GDPR which is only applicable if personal data are concerned. It allows - under certain conditions - data subjects to move their data between controllers who offer competing services. However, the Data Act enables users of connected devices to obtain access to any data they generate, irrespective of whether it is personal or non-personal data. The Council and the European Parliament clarify now that the Data Act does not provide the legal basis for processing the personal data in this case but that the stricter GDPR rules shall apply.
4) Compensation for data sharing
The Data Act offers a compensation right for the data holder when making data available. The Commission’s proposal did not make a distinction as to whether the data sharing is done in a B2B or a B2C context. Both the Council and the European Parliament suggest limiting the right to compensation to B2B relations and exclude the possibility to charge consumers. The European Parliament is even allowing consumers to sell data obtained under the conditions set out in the Data Act. Although some gaps seem to remain between the Council’s and the European Parliament’s positions regarding the mechanisms and criteria to determine a ‘reasonable’ compensation, the general objective is to limit the compensation for SMEs to the technical cost of making the data available.
5) B2G data sharing based on exceptional need
In its original proposal, the Commission suggested that in case of exceptional need (e.g. a public emergency) private companies that are data holders shall make data available to public bodies. Both the Council and the European Parliament have now introduced different clarifications to this general rule that either limit the public bodies’ power to access this data or the conditions on which the requests can be made. For instance, the European Parliament would like to restrict the data to be shared to non-personal data and limit the cases that qualify as ‘exceptional circumstances’. On its side, the Council introduces clarifications as to the different public bodies that would be empowered to request data and completely excludes SMEs from the scope of the obligation to share. Overall, although the original rational proposed by the Commission will likely be maintained, we can expect co-legislators to introduce chirurgical changes that remain to be agreed upon.
6) Cloud switching
The Data Act proposal introduces rules to facilitate the switching between cloud providers for users and sets out rules on switching charges. Although there seems to be a consensus that cloud providers must stop imposing data egress or switching charges three years after the entry into force of the Data Act, the transition period will certainly merit more discussion during trilogies. While the Council intends to allow reduced charges generally during this period, the European Parliament is suggesting that consumers are exempted from any switching charges as soon as the Data Act enters into force. The European Parliament would however still allow for imposing reduced charges during the transition period in B2B relations.
Since the debate on provisions for cloud service providers is even broader, we recommend you to be on the lookout for a deep dive of some more related topics coming up soon.
There is at this stage no concrete timeline for the Council and the European Parliament to conduct trilogue negotiations and reach a final agreed position on the Data Act. However, the initial and ambitious objective of the co-legislators is to wrap up discussions by the end of June. In fact, the European Parliament’s lead MEP has already expressed her ambition to finalise the process by then, and the Swedish Presidency seems to have matched her ambition. What is clear at this stage is that there will certainly be pressure to reach an agreement before the European Parliament elections in May 2024, and that if Sweden is not able to reach an agreement the subsequent Spanish Council Presidency starting on 1 July 2023 will have enough political drive to do so.