In past weeks, the European Commission has been making a series of presentations, obtained by EURACTIV, to EU countries that have requested further clarity on how the new data law will apply and how it will interact with other legislation.
The Data Act is a legislative proposal intended to complete the Commission’s data strategy. The file was officially published in February. Since then, the member states in the EU Council have been seeking to better understand the proposal and how it will fit in an increasingly complex legislative framework.
Three more workshops are expected to take place with national experts by 25 May.
The new data law is meant to regulate access conditions for data produced by Internet of Things (IoT) devices, requiring manufacturers to provide access and introducing the right for device users to access and port their data.
Users will also be able to give third parties the opportunity to access such data to develop their offers, with special conditions offered for small and medium-sized enterprises (SMEs) as they will not have to pay compensation higher than the direct costs for data access.
The objective of the data access obligations is to “establish consistent, fairness-based, cross-sectoral data sharing practices for what we expect to be a growing body of EU access to data obligations,” one of the presentations reads.
The Commission stressed that the “rules for IoT data also frame data sharing in other sectors.” In particular, the proposal tackles contractual unfairness by prohibiting the unilateral imposition on SMEs of unfair contractual clauses on data sharing.
Moreover, private companies will have to provide access to data to public sector bodies in case of emergencies, while cloud services providers will have to ensure easy switching conditions for their customers.
For the EU executive, the Data Act addresses the lack of data availability and unfair commercial practices by putting in place a series of obligations and common standards for reusing data within and between sectors.
In doing so, it will interact with other legislation that has not fully addressed these fundamental problems. The GDPR, the EU data protection law, introduced the data portability right, “but its scope is unclear, it is rarely used and does not cover non-personal data.”
Similarly, the recently agreed upon Digital Markets Act addresses vendor lock-in issues but only for the largest cloud providers and does not empower users to access their data. Meanwhile, competition law is insufficient to address power imbalances in private contracts.
At the same time, the Commission sought to clarify the relationship between the Data Act and the Database Directive, legislation protecting the treatment of databases. The general rule is that original datasets are covered by copyright, and those that do not fall into this category but require substantial investments enjoy a sui generis protection.
The EU executive wanted to avoid IoT manufacturers opportunistically using the sui generis protection to comply with the Data Act and therefore made an explicit reference that databases containing IoT data are outside the scope of such protection.
The European strategy for data includes a series of European data spaces and sectorial legislation for pooling data in strategic sectors such as health, energy and manufacturing. The Data Act supports these initiatives by facilitating data flows via data sharing mechanisms and interoperability.
International data transfer
In addition, the new data law is meant to “ensure that companies and individuals can benefit from international data flows while guaranteeing compliance with the Union’s data protection and security rules.”
An entire presentation was dedicated to the chapter on international data transfer, which requires data processing services to prevent unlawful data access and transfers based on requests from third countries’ authorities.
The basis for drafting these provisions was the measure on international access and transfer in the Data Governance Act, which states that any decision from a third country’s court or administrative authority to access non-personal data is enforceable only if based on an international agreement.
In the absence of an international agreement, the providers must assess whether a request conflicts with European or national law and whether the jurisdiction in question can provide appropriate procedural safeguards and legal remedies.
The data processing services will be able to request an opinion from the competent authorities, for instance, if they think that the data is commercially sensitive or relevant for national security and defence interests.
The European Data Innovation Board, a body set up under the DGA, will provide guidelines on how to apply these provisions. The international transfers of personal data are regulated under the data adequacy regime of the GDPR.
[Edited by Nathalie Weatherald]