Irene Orillo-Gerrits | Privacy Matters | DLA Piper Data Protection and Privacy | DLA Piper (https://privacymatters.dlapiper.com/author/iorillogerrits/) - DLA Piper's Global Privacy and Data Protection Resource

EU Regulatory Data Protection: A first appraisal of the European Commission's proposal for a 'Data Act'
https://privacymatters.dlapiper.com/2022/02/eu-regulatory-data-protection-a-first-appraisal-of-the-european-commissions-proposal-for-a-data-act/
Wed, 23 Feb 2022 16:58:35 +0000
By: Heidi Waem, Simon Verschaeve

The European Commission today presented its second instrument in the European Data Strategy: a "Regulation on harmonised rules on fair access to and use of data", better known as the Data Act. After the adoption of the Data Governance Act (DGA) at the end of 2021, which essentially defines the data-sharing architecture, this proposal seeks to introduce rules regarding data sharing, access to and reuse of data, contractual terms for data sharing and use, compensation mechanisms, emergency access to data, switching between data processing services, and facilitating data portability. These horizontal rules would apply across all sectors, and would especially impact data-driven businesses and organisations relying on connected products' data.

In the proposal, “data” is broadly defined and contains both personal and non-personal data. This means that the Data Act would further regulate personal data in addition to the GDPR. It would also extend certain GDPR-like obligations to non-personal data, such as data portability and data transfer restrictions for non-personal data, as well as introduce completely new rules.

The Data Act would apply to all types of enterprises, in principle, including small and micro businesses. That said, for certain obligations, the proposal also takes into account the size of an organisation by exempting or relaxing the obligations for SMEs.

Key provisions of the proposal:

  • Data sharing obligations enabling consumer and business access to “IoT” data

The proposal includes an access-by-design obligation for connected "products" and all related services and virtual assistants used to access and control these products and services. By default, users must be able to easily, securely and, "where relevant and appropriate", directly access data generated by their use. Before any purchase, rental or lease contract for such products or services is concluded, the user must receive certain information (i.e. the proposal introduces an obligation to provide a kind of "data use and access notice"), which partly overlaps with, but also partly exceeds, the information that needs to be provided for personal data under the GDPR.

Users receive a right of access (insofar as the data cannot be directly accessed by the user), use and portability for data generated by connected "products" and all related services and virtual assistants. Data holders can only use such non-personal data on the basis of a contractual agreement with the user. These agreements, and the data sharing agreements with third parties acting on behalf of a user to receive the data, can also contain measures to preserve the confidentiality of trade secrets. Moreover, data holders cannot use such IoT data to derive insights that could undermine the commercial position of the user, or of the third party acting on behalf of the user, in the markets in which the user or the third party is active.

Unlike the GDPR, the Data Act does not only confer rights upon natural persons. The definition of "user" includes both natural and legal persons that "own, rent or lease" a connected product or receive related services.

  • Fairness of B2B contractual terms on data access and use

Additional rules would apply to the contractual terms of such data sharing agreements between data holders and data recipients. These terms must be fair, reasonable and non-discriminatory (FRAND), cannot establish exclusivity with one data recipient (unless requested by the user) and can only provide for reasonable compensation to the data holder. Certified dispute settlement bodies will be made available to settle disputes in relation to the terms of these data sharing agreements. Data holders are, under certain conditions, allowed to impose technical measures, such as smart contracts, to ensure compliance with these terms and to prevent unauthorised access to the data.

To reduce economic power imbalances, rules are introduced for contractual terms on access to and use of data and for certain data-related obligations. Where such contractual terms are unilaterally imposed on SMEs, the proposal explicitly states that the terms must not be "unfair".

As an open norm, unfair terms are those that are “of such a nature that their use grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing.” Furthermore, the proposal contains a list of terms that are considered (black list) and terms that are presumed (grey list) to be unfair.

Another interesting point is that the Commission will develop and recommend non-binding model contract terms on data access and use.

  • Data transfer restrictions and unlawful third party access to non-personal data

Where an international "transfer" of, or "governmental access" to, non-personal data held in the EU "would create a conflict with EU law or the relevant national law", providers of data processing services must take all reasonable technical, legal and organisational measures to prevent such transfer or access.

The obligation to protect data whose transfer or access could create a conflict with EU or national law may relate, for example, to the protection of fundamental rights (e.g. the right to security and to an effective remedy), national security or defence interests, the protection of commercially sensitive data (e.g. trade secrets) and the protection of intellectual property.

Furthermore, the proposal also establishes rules for the enforcement and recognition of third-country court (or administrative) decisions, depending on whether or not these are based on an international treaty (e.g. an MLAT) between the EU or a member state and the third country. Where the terms of the third-country data access request permit it, the provider of data processing services should notify the customer before complying with the request.

Whether or not these conditions are fulfilled will need to be assessed according to guidelines of the Commission, assisted by the newly established European Data Innovation Board under the DGA.

  • Data sharing obligations with the public sector in case of exceptional data needs

In a case where, due to terrorist attacks, public health emergencies, natural disasters or other public emergencies, an exceptional need exists to use certain data, data holders would be obliged to share their data with public bodies or EU institutions, bodies or agencies upon request.

Such an "exceptional need" exists where:

  • the data are necessary to respond to a public emergency;
  • the data request is limited in time and scope and necessary to prevent, or assist the recovery from, a public emergency;
  • the lack of available data prevents the public body from fulfilling a specific task in the public interest explicitly provided for by law; and
  • the data could not be obtained by alternative means, or the public emergency procedure of the Data Act substantially reduces the administrative burden for the data holders or other enterprises.

The proposal further lays down a procedure for these public emergency data requests, containing a number of conditions for such requests. While the data must in principle be provided free of charge, compensation would be possible in certain instances. The data obtained in this context can be further shared, on a not-for-profit basis or in the context of a public-interest mission, with organisations conducting scientific research or analytics compatible with the purpose of the request, or with official statistical institutes.

  • Cloud switching obligations

Providers of data processing services (including cloud and edge services) must scrutinise their services, contractual agreements and commercial practices and remove certain obstacles of a commercial, technical, contractual and organisational nature to ensure that their customers can switch to another data processing service.

Moreover, to support these goals, minimum requirements for customer contracts are included, a gradual withdrawal of switching charges is foreseen and technical measures to facilitate switching are imposed in some situations.

  • Minimal requirements regarding smart contracts for data sharing

Minimum requirements would apply to smart contracts used in the context of an agreement to make data available. These include, for example, measures offering a very high degree of robustness to avoid functional errors and to withstand manipulation. Smart contract providers should also provide for data archiving and audit options and ensure that smart contracts can be reset, or can be instructed to stop or interrupt transactions.

Such vendors are responsible for compliance with these minimum obligations and must perform a conformity assessment and issue an EU declaration of conformity.

  • Exemption of database rights on machine-generated data

According to the Explanatory Memorandum, the evaluation of the Database Directive (No. 96/9/EC) pointed out that legal uncertainty remains around the application of the sui generis right to databases composed of machine-generated data.

As the sui generis right of the Database Directive aims to protect investments in the collection of data, and not "the creation of data as a by-product of another economic activity", the Data Act explicitly states that the sui generis database right "cannot be invoked to hinder" the effective exercise of the access and portability rights in IoT-generated data provided for by the Data Act.

Enforcement and sanctions

As regards supervision of the rules of the proposed Data Act, member states can designate an existing supervisory authority or establish a new one. These authorities would have the competence to handle complaints, start investigations and impose financial penalties, alongside other tasks such as promoting awareness and monitoring technological developments. Both natural and legal persons would have the right to lodge an individual or collective complaint with the authority.

That said, the Data Act would not require the powers and tasks of supervisory authorities to be as extensive as those of data protection authorities under the GDPR. In contrast to the GDPR and other recent EU initiatives, the Regulation only states that penalties must be "effective, proportionate and dissuasive" and leaves the determination of the level of fines and the availability of other sanctions to the member states. This will likely result in varying levels of potential sanctions across the EU and leaves the door open for sanctions that are either higher or lower than the maximum under the GDPR.

However, insofar as personal data and users that are natural persons are involved, it must be noted that the EU data protection authorities competent under the GDPR would also become responsible for monitoring the application of the Data Act. In those cases, the data protection authorities can also impose GDPR-level fines for infringements of the Data Act.

Link with other EU legislation

As announced by the European Commission, the proposed Data Act complements the recently adopted Data Governance Act (DGA), which establishes a framework to facilitate voluntary data sharing by individuals and businesses and harmonises conditions for the use of certain public sector data. In addition, the proposed Digital Markets Act (DMA), which is currently under negotiation, already requires providers of "core platform services" identified as "gatekeepers" to provide portability of data generated by business and end users' activities on their platforms, in addition to the right to data portability under the GDPR. The Data Act also has considerable links with the proposed (and still pending) ePrivacy Regulation, as that instrument foresees laying down rules on the processing of machine-to-machine communications data.

Moreover, the Data Act also interacts with the existing Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data in the EU, which already provided for self-regulatory codes of conduct to facilitate switching and data portability between service providers. The Commission thus deems that a more binding regulatory initiative is needed in this respect.

Finally, there are several other areas of law and regulatory instruments which are of relevance to this proposal, including platform regulation, competition law and intellectual property rights.


EU Regulatory Data Protection: Many pieces to the regulatory framework puzzle
https://privacymatters.dlapiper.com/2022/01/eu-regulatory-data-protection-many-pieces-to-the-regulatory-framework-puzzle/
Wed, 26 Jan 2022 10:22:25 +0000
By: Heidi Waem, Simon Verschaeve

Data is at the heart of the EU's digital and green transformations, which are the two priorities of the European Commission.

With the General Data Protection Regulation (GDPR), adopted in 2016, the EU has created a solid framework for the protection of personal data in line with the EU Charter of Fundamental Rights. Since then, other regulatory data protection initiatives have been taken to foster the development of the EU data economy.

This article provides an overview of the main regulatory data protection initiatives and explores how they all fit together. As discussed here, certain legislation applies only to personal data or only to non-personal data. However, certain recent legislative proposals do not make this clear distinction and apply to both types of data.

GDPR as a baseline for the protection of personal data

The GDPR offers a comprehensive regulatory framework which constitutes the baseline for the protection of personal data. It applies to all processing activities involving personal data by entities qualifying as controllers and, to a lesser extent, to processors.

This general horizontal framework is, or will be, complemented by a number of legislative acts that, with regard to data protection, focus on specific processing activities and/or market players, including:

Status overview

The proposed ePrivacy Regulation

The proposed ePrivacy Regulation focuses on the protection of electronic communications (by both natural and legal persons) and provides for additional rules on:

  • consent by end-users in the context of electronic communications, including the retrieval and presentation of information on the internet;
  • the lawfulness of the processing of electronic communications data (including both content and metadata);
  • compatible processing;
  • retention;
  • the processing of end-user equipment information; and
  • the legal basis for direct marketing communications.

Certain obligations have a more general scope of application, whereas others are limited to providers of electronic communications networks and services.

The main differences from the GDPR are that (i) it also protects the electronic communications of legal persons and (ii) certain requirements (including on consent) apply to both personal and non-personal data.

The proposed Digital Markets Act and Digital Services Act

The proposed Digital Markets Act (DMA) aims at addressing economic imbalances and unfair business practices by so-called gatekeepers, i.e. providers of core platform services such as online intermediation services, online search engines, online social networking services, video-sharing platform services, number-independent communication services, operating systems, cloud computing services and advertising services.

The proposed Digital Services Act (DSA), on the other hand, is a horizontal initiative that focuses on the liability of online intermediaries and on due diligence obligations tailored to certain specific categories of providers of online intermediary services.

While the focus of the DMA and DSA is not the protection of (personal) data, both Acts contain important data protection obligations applicable to gatekeepers and providers of intermediary services respectively.

Under the DMA, gatekeepers are subject to certain restrictions and obligations. In particular, gatekeepers must:

  • refrain from combining personal data sourced from their core platform services with personal data from other services offered by the gatekeeper or with personal data from third-party services, and from signing in end-users to other services of the gatekeeper in order to combine personal data, unless the end-user has provided consent;
  • refrain from using, in competition with business users of its core platform services, any data not publicly available which is generated through the activities of those business users (or their end-users) on its core platform services or provided by those business users (or their end-users);
  • provide effective portability of data generated through the activity of the business user or end-user, including tools for continuous and real-time access;
  • provide business users, or third parties authorised by the business user, free of charge, with effective, high-quality, continuous and real-time access to and use of aggregated or non-aggregated data that is provided for or generated in the context of the use of the relevant core platform services by those business users and by the end-users engaging with products or services provided by those business users (subject to further restrictions with regard to personal data);
  • provide any third-party provider of online search engines, upon request, with access on fair, reasonable and non-discriminatory terms to ranking, query, click and view data in relation to free and paid search generated by end-users on the gatekeeper's online search engines, subject to anonymisation of the query, click and view data that constitutes personal data; and
  • take the necessary steps to enable business users which need consent to the processing of personal data under the GDPR to directly obtain that consent, or to allow compliance with data protection rules in other ways, for example by providing duly anonymised data.

The DSA imposes increased transparency obligations on online platforms and "very large online platforms" with regard to advertisements, as well as additional accountability obligations, in particular reporting obligations, on providers of intermediary services, online platforms and "very large online platforms".

The proposed Data Governance Act and (expected) Data Act

Where the GDPR, the proposed ePrivacy Regulation, the Digital Markets Act and the Digital Services Act focus on regulating data processing activities to ensure (personal) data is duly protected, the proposed Data Governance Act (DGA) aims at unleashing and fostering the benefits of the data economy by creating a regulatory framework for the re-use and sharing of data. At the same time, the DGA aims at enabling the establishment of common European data spaces.

In particular, the DGA creates a framework for:

  • the re-use of categories of "protected" data held by public sector bodies. Protected data means data that is protected on the grounds of commercial confidentiality, statistical confidentiality, third-party intellectual property rights or personal data protection. In this respect, the DGA complements Directive 2019/1024 on open data and the re-use of public sector information, which provides a framework for the re-use of data held by public sector bodies or public undertakings that is not subject to any confidentiality, IP or personal data protection;
  • the provision of data sharing services. These services will be subject to a notification procedure and to certain conditions with regard to the use of and access to the data, and security; and
  • the use of data for the greater good, so-called data altruism. Organisations meeting certain conditions will be able to be recognised as data altruism organisations.

As announced by the European Commission, the framework for the re-use and sharing of data created by the DGA will be further complemented by a "Data Act" that would include rules on business-to-government data sharing and on B2B data access and use. As the public consultation has closed, the European Commission is expected to publish a proposal in the coming months.

The proposed Artificial Intelligence Act

The proposed Artificial Intelligence Act (AI Act) offers a comprehensive framework for AI, comparable to the GDPR for personal data, which ties in with the above-mentioned regulatory data protection framework by providing:

  • specific rules on data and data governance;
  • enhanced transparency obligations; and
  • specific rules on human oversight.

The proposed Political Advertising Regulation

There have been some discussions around targeted advertising and, ultimately, the DMA and DSA proposals do not include a ban. They do, however, comprise horizontal design, transparency and accountability obligations for all types of advertising on online platforms. The proposed Regulation on the transparency and targeting of political advertising (the proposed Political Advertising Regulation) contains a number of additional restrictions on political advertising.

The proposed Political Advertising Regulation provides for transparency obligations for "providers of political advertising" and related services (i.e. both online and offline) and for rules that apply to all controllers who use "targeting and amplification techniques" (e.g. micro-targeting) involving the use of personal data in the context of the publication, dissemination or promotion of political advertising. These data protection obligations would apply on top of the GDPR.

For controllers of personal data used for targeting and amplification techniques in the context of political advertising, the proposal includes:

  • a restriction of the legal bases for the processing of special category data and data relating to criminal convictions and offences (within the meaning of the GDPR): such processing is only possible with explicit consent or, under certain conditions, in the course of the legitimate activities of a non-profit; and
  • a number of additional data protection compliance obligations: (i) a record-keeping obligation on the use of targeting or amplification, the mechanisms, techniques and parameters used and the sources of personal data used, (ii) the obligation to adopt and implement an internal policy describing the use of such techniques and (iii) additional transparency obligations on the main parameters used and the logic involved in the targeting.

Regulation on a framework for the free flow of non-personal data

The last piece of the puzzle discussed here is Regulation 2018/1807, which creates a framework for the free flow of non-personal data in the EU.

Only this Regulation and the GDPR are limited to one type of data, non-personal and personal data respectively. Most legislative initiatives discussed above do not make a clear distinction between non-personal and personal data and may apply to both.

The framework for non-personal data is much less comprehensive than the GDPR. It provides for:

  • a prohibition on data localisation requirements, unless justified on grounds of public security or stemming from EU law; and
  • an incentive to develop codes of conduct with regard to the porting of data.

Conclusion

The European Data Strategy is resulting in decisive steps towards the development of an extensive new digital legal framework alongside the GDPR for the EU. Many of these initiatives focus on building trust for B2B and business-to-government data sharing and some are mainly aimed at regulating only particular market players within the EU digital ecosystem.

The emerging framework builds on a considerable number of new legal concepts defining the scope of the legislation and the relevant obligations for a particular organisation. While some are aligned one-to-one with the existing framework (such as the GDPR and the European Electronic Communications Code), the impact of the scope of the proposals on a large number of organisations is less clear to date. Identifying how one's organisation qualifies under the new rules will without doubt be an essential first compliance step.

As most instruments are currently under negotiation at EU level, it is clear that much work still lies ahead and the adoption of the GDPR was only the start of a larger digital regulatory landscape in the EU. We will continue to monitor the developments in the EU regulatory data protection space and will dedicate a series of publications to these topics.
