On Wednesday 23 February 2022, the European Commission presented a “Regulation on harmonised rules on fair access to and use of data”, also known as the Data Act.
Alongside the Data Governance Act, this proposal is a key pillar of the European Data Strategy, which aims to make the EU a leader in our data-driven society. In particular, the Commission is aiming to create a genuine single market for data where personal and non-personal data are secure, where businesses have easy access to an almost infinite amount of high-quality industrial data, and where rules governing access to and use of data are fair, practical and clear (for more information, see our news about this subject).
While the Data Governance Act creates the processes and structures to facilitate data sharing by companies, individuals and the public sector, the Data Act clarifies who can create value from data and under which conditions. The Data Act envisages rules for enterprises in all economic sectors and applies to both personal and non-personal data. As such, it is consistent with and builds on the GDPR and the ePrivacy Directive (to be replaced by the ePrivacy Regulation).
The key provisions of the Data Act include:
- Measures to allow users of connected devices to gain access to the personal and non-personal data generated by them and to share such data with third parties to provide aftermarket services, such as predictive maintenance;
- Measures to shield SMEs from unfair contractual terms in data sharing contracts imposed by parties with a significantly stronger bargaining position, including a list of unilaterally imposed contractual clauses that are deemed or presumed to be unfair;
- Means for public sector bodies to access and use data held by the private sector in exceptional situations of high public interest, such as natural disasters or terrorist attacks;
- Obligations for providers of cloud data processing services, such as cloud and edge services, to remove commercial, technical, contractual and organisational obstacles and ensure that customers can effectively switch between different providers;
- Obligations for providers of data processing services to take all reasonable measures to avoid international transfer of or governmental access to non-personal data held in the EU that would create a conflict with EU law or the relevant national law;
- The development of interoperability standards for data to be reused between sectors;
- The setting of standards for “smart contracts” in data sharing applications, including the requirement to offer a very high degree of robustness to avoid functional errors, to provide for the possibility of archiving transactional data and to implement rigorous access control mechanisms.
The proposal will now be discussed by the Council of the EU and the European Parliament. Once adopted, the Data Act will be applicable immediately in all Member States.