Like other parts of the EU Digital Strategy, the Data Act reaffirms the supremacy of data protection law, ensuring that the rights and obligations under the GDPR, the centrepiece of EU data protection regulation, remain unaltered. For a general overview of the Data Act see here.
The basic rule seems clear: the Data Act is “without prejudice to” the GDPR, and in the event of a conflict between the Data Act and the GDPR, the GDPR shall prevail. But when looking more closely at the requirements that the Data Act sets for businesses and how they interplay with GDPR rules, the situation is not so straightforward.
Let’s get down to the main points.
Don’t take it too personal…
The Data Act is all about personal and non-personal data. But it's tricky for businesses to know whether they're dealing with personal data or not. If they get it wrong and treat data as non-personal although it was personal data, they could end up breaching the GDPR and getting fined. But businesses can’t just play it safe and call everything personal data when they are not sure. If they do that, they might end up violating the Data Act and getting fined too. So, even though the Data Act doesn't explicitly say that businesses have to prove whether data is personal or not, it's a good idea for them to know what they're dealing with to avoid any trouble.
In preparing for the Data Act, businesses need to figure out which of their product data and related service data counts as personal data and which doesn't, so that they don't get fined for classifying data wrongly. For some data, though, it might not always be easy to determine in practice whether it is personal data or not. For these tricky cases you might want to document why you decided the way you did.
One thing we don't know yet is who will make sure the Data Act is followed. The data protection authorities are in charge whenever personal data is affected. For data that isn't personal, however, member states can decide whether they want the same authorities or different ones. Having two separate authorities enforce the Data Act depending on what kind of data we are looking at might cause problems for businesses, as it bears the risk of diverging decision practice should those authorities not align amongst themselves.
In any case, as a data holder you don't have to worry about anonymised data in relation to the Data Act. Fully anonymised data has no personal reference and is thus not covered by the GDPR. Anonymising data is a process that adds value or insights to the data, and such data is therefore not covered by the B2C and B2B data access rules in the Data Act either (see here for which data is in scope of the Data Act and which is not).
Information is key
The GDPR has made everyone aware of the extensive information obligations towards data subjects regarding their personal data. The Data Act introduces a similar information obligation. Users of connected products or related digital services shall receive information about the data storage and data processing associated with such connected product or digital service, before signing a purchase, rent or lease contract. Like the GDPR, this obligation aims to provide clarity over the data generated and to facilitate easy access to such data.
The Data Act states that its obligation to provide information does not interfere with the controller's obligation to provide information to the data subject pursuant to the GDPR. So these obligations apply alongside each other. If you look closer, however, you'll see that there are some differences between what you have to tell people and how clear you have to be. For example, under the Data Act it is sufficient that information is provided in a “clear and comprehensible manner”, whereas the GDPR sets the bar much higher: information has to be provided in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”.
Businesses need to pay attention to how they display and align the information required by the GDPR and by the Data Act, especially to prevent an "information overload" that could render the information provided "unclear". Simply putting the information that the Data Act requires you to share into the existing GDPR data protection notice might not always be the best idea.
Make the right data available on time
In addition to information duties, the Data Act also has other rules that resemble data subject rights.
Under the Data Act, businesses are required to make product data and related service data accessible to the user. If the user is a data subject and requests data on their own use of a connected product or related service, this is a lot like a data subject access request under the GDPR. Likewise, the user's right under the Data Act to have their data made available to a third party of their choice is rather similar to a data portability request under the GDPR.
The provisions are not the same thing, though. There are several differences to be observed when answering a user request, in particular regarding what you need to provide and how fast you need to do it. Therefore, businesses should know which regulation is relevant to a particular request to make sure that they comply with all the rules and limitations established in the relevant law.
However, users may not always specify which law they are invoking when they ask for access to their data or for their data to be shared with a third party. In such cases, businesses could ask users to specify their request when they are not sure which law the users are referring to, or they could comply with both laws to avoid penalties for breaching their obligations. Especially because the same authorities that oversee the Data Act for personal data also enforce the GDPR, they will probably examine user requests under both frameworks if a user (being a data subject) lodges a complaint with them. To comply with both laws, the highest standard for each part of answering a user request must be met. For example, the GDPR might require more information to be provided, while the Data Act might set a shorter deadline for responding to and fulfilling the request.
Identify the user
Data holders have to make sure that the person who requests access to data is actually a user of the connected product or related service, i.e. that they own such product or service or have been granted temporary rights to use it. For the purpose of verifying whether a natural or legal person qualifies as a user, a data holder shall not require that person to provide any information beyond what is necessary. This is quite similar to the situation under the GDPR, so businesses might base their user verification processes on established internal practices for data subject verification under the GDPR. If data holders provide user accounts, no further verification efforts would be required when users make requests via their respective user accounts.
To search for a valid legal basis or not – that’s the question
Whenever the intersections between the Data Act and the GDPR are discussed, the question arises which legal basis under GDPR could be used to justify making data available. But before we go there, let's ask ourselves: do we have to search for a legal basis at all?
If an individual requests its own data under the GDPR (that does not relate to any other individual), then arguably we do not need to look further for a specific legal basis. The request is similar to a data subject exercising their right to access or right to data portability under GDPR – for which also no specific legal basis under GDPR is needed in order to allow the controller to make available the requested data. It makes absolute sense that businesses do not have to search for an explicit legal basis in order to give users control of their own data.
The user and the data subject to whom the requested data relates may be a different person, though. And the situation is more complicated where the user requests data for which it is not a data subject in relation to the data requested. This may happen if the user is a legal entity that owns the connected product and the product is used by its employees, or if more than one person shares a connected product or related service.
One should keep in mind that the Data Act clearly says that it does not establish additional legal grounds (in the GDPR sense). Moreover, when the user is not the data subject whose personal data is requested, the Data Act specifies that any such personal data generated by the use of a connected product or related service shall be made available by the data holder to the user (as a controller under the GDPR) only if the user has a valid legal basis under the GDPR for the subsequent processing of such data.
Therefore, even though this does not affect the data holder directly, it could imply that data holders have to confirm that the user has such a legal basis before providing data to the user. However, such an obligation should not be exaggerated. For instance, if users say that they rely on consent, it may well be considered unreasonable to require the data holder to verify all consents given, especially as the data holder probably could not check whether any consent had been withdrawn later.
In practice, it will also be hard for data holders to recognise these situations. The data holder may not be aware that, for example, a connected product is used by two people, and may assume that it is only used by one person (i.e. the user who requested the data). Further, when data is non-personal from the data holder's perspective (e.g. if the requesting user is a legal entity), the data holder might not know that the user (e.g. the legal entity) can link the data to a specific individual. This supports the argument that the data holder's responsibilities on this point should not be excessive.
We anticipate that this vital question, i.e. whether it is enough for users to claim that they have a lawful basis to rely on, or whether data holders need to do more and ask those users for additional information to make sure to some degree that they really have a valid legal basis, will be among the first questions to be resolved by national authorities and the CJEU's decision practice.
One more issue is which legal basis applies to the data holder for making data available when the user is not the data subject whose data is being requested. As mentioned above, in situations in which a user requests data for which it is not considered the data subject, the Data Act should not be read as creating an additional legal basis beyond the GDPR. Interestingly, the Data Act does not contain a similar note in relation to its business-to-government data sharing obligations (see here for an overview of those). For B2G data access requests under the Data Act, the data holder may clearly rely on Art 6(1)(c) GDPR (i.e. the fulfilment of a legal obligation).
As the Data Act’s B2C and B2B data sharing rules also meet the requirements to be considered an eligible legal obligation, the data holder may rely on Art 6(1)(c) GDPR (i.e. the fulfilment of a legal obligation) as well when responding to B2C and B2B data access requests in line with the conditions set out in the Data Act. The explanation in the recital that the Data Act does not create an additional basis beyond the GDPR does not mean that the applicability of Art 6(1)(c) GDPR (i.e. the fulfilment of a legal obligation) is restricted as well. That would clearly go against the stated precedence of the GDPR in case of a conflict.
If one nonetheless takes the view that data holders may not rely on Art 6(1)(c) GDPR (i.e. the fulfilment of a legal obligation) when responding to data access requests in line with their Data Act obligations, there may indeed be other legal grounds available for individual situations. However, there is no other legal basis that could cover all conceivable scenarios, which would effectively give data holders the right to restrict their data sharing duties – an outcome that can hardly be attributed to the Data Act.
Prepare carefully
The GDPR and the Data Act don't really match up in some areas. Businesses should be careful and prepare so that they don't get in trouble under either the Data Act or the GDPR.
We don't know yet whether the EU data protection authorities will team up to sort out issues and conflicts between the GDPR and the Data Act, as they did recently for the overlap between the Digital Services Act and the GDPR. Since the data protection authorities are the ones who have the final say on both the GDPR and the Data Act in this respect, this would be a smart move.
In any case, we can bet that the overlap between the Data Act and the GDPR will keep the authorities and the CJEU busy for a while.