The EU Data Act is part of the European Commission's wider European Strategy for Data communicated in February 2020 – at the centre of which is the view of harnessing the value of EU data for the betterment of the economy and society as a whole, and working towards creating a single European market for data. This gave rise to the Data Governance Act which came into effect on 21 November 2021 and now the proposed EU Data Act which was put forward on 23 February of this year.
The proposed EU Data Act in essence aims to "ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible for all". Based on its current proposed obligations and requirements, the draft Data Act touches on both data protection and competition laws, including the contentious data transfers topic.
What does it aim to achieve?
The European Commission is of the view that, no matter the sector or industry, all companies have access to data - however, most organisations are not realising the full value or potential of that data. Furthermore, it recognises with a significant amount of 'Internet of Things' ("IoT") products entering the market, we are currently at the cusp of an even more vast amount of data being generated and whilst there is legislation in place like the GDPR which largely speaks about how personal data will be treated, the law generally is silent on what businesses and consumers can actually do with data. The aim is to significantly boost GDP, enable wider use of data (including by the individuals being monitored) and require data sharing in some circumstances.
The EU Data Act therefore aims to address data sharing and reuse in the context of business to business; business to consumers; businesses to governments as well as providers and users of cloud services.
It is important to note that the EU Data Act applies in the context of both personal and non-personal data. In the context of personal data it is intended for the GDPR is to be read in parallel and any personal data made available will only be made available subject to their being a valid legal basis as per Article 6(1) of the GDPR.
Key outcomes of the proposed EU Data Act
Whilst there are some exemptions for small and medium size enterprises (SMEs) and micro enterprises, on the whole the proposed EU Data Act will add a significant compliance burden on organisations that hold, share or provide data to customers and/or recipients in the EU. Some of these are highlighted below:
- Accessibility to data by design: products and services where data is generated through their use will need to be designed by companies such that users can easily access the data generated.
- Obligation to share data: data generated by IoT products and services are to be made available to users of such products and services upon request, free of charge and without undue delay. Users may also request their data to be made available to third parties.
- Contractual terms: IoT manufacturers and service providers will need to update existing contracts to ensure standard terms allow third party access to user details. In addition, it identifies terms which it consider unfair for the purposes of data sharing, which IoT manufacturers and service providers will have to preclude from their standard terms.
- Ability to switch between cloud providers: the proposed EU Data Act has introduced measures that cloud service providers will need to adhere to in order to facilitate parties being able to switch between cloud providers. This is done through the introduction of contractual terms, one such example being reducing the timeframe for switching providers to 30 days.
- International transfers to restricted countries: the proposal's position on cloud service providers sharing data with third countries are strict, and are only permitted where there are appropriate international transfer agreements in place or where the third country's legal system provides protections similar to that of the Data Act. This reinforces the GDPR and the ever-changing position on international transfers of personal data.
Under the Data Act member states will be responsible for identifying competent authorities to handle complaints and take appropriate enforcement actions. Infringements will be subject to administrative or financial penalties. In addition, the Data Act also introduces dispute settlement bodies in order to facilitate settlement in the context data sharing and access disputes.
If you would like advice on any aspect of the Data Act and how it may affect your organisation, please contact one of our privacy specialists.
Author: Najiba Sultana