Trying to Tackle Big Data: European Union Launches Draft Data Act

On 23 February 2022, the European Commission (Commission) proposed a draft of a regulation on harmonised rules on fair access to and use of data – also known as the Data Act. The Data Act is intended to “ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible for all”.

If adopted in its current form, the new rules will impose far-reaching obligations on tech companies (such as manufacturers of connected products and cloud service providers) and give national authorities new enforcement powers to sanction infringements with fines of up to EUR 20 million or 4% of annual global revenue, whichever is higher.

The Data Act is part of the Commission’s broader digital and data strategy, announced in February 2020, to make “Europe fit for the Digital Age”. Since the announcement, the Commission has presented several legislative proposals, including:

(i) Digital Services Act (DSA) – which proposes new content regulation provisions for “online intermediary service providers” (i.e., services such as internet service providers, cloud services, messaging, marketplaces, and social networks). It also identifies a subcategory of “very large online platforms” which would be subject to additional obligations, mainly internal audits on systemic risks like the spread of hate speech and child sexual abuse material;

(ii) Digital Markets Act (DMA) – which proposes a set of obligations (including in relation to collection and sharing of data) for so-called “gatekeeper” platforms to address anticompetitive practices and make digital markets more contestable by competitors;

(iii) Data Governance Act (DGA) – which will implement a number of measures (including the creation of “data intermediation services”) to ensure a secure environment in which companies and individuals can share data; and

(iv) Artificial Intelligence Regulation (AIR) – which addresses the risks stemming from the various uses of artificial intelligence (AI) systems and aims to promote innovation in the field of AI.

Complementing the above proposals, the Data Act is aimed at giving individuals and businesses more control over their data; it regulates data sharing in business-to-consumer (B2C), business-to-business (B2B) and business-to-government (B2G) relationships.

Below we set out the key elements of the Data Act, including its scope, main obligations and implications. See also our previous blog on this legislative proposal.

Scope

The Data Act will apply to all data – personal and non-personal – generated in the EU. Data is defined broadly as: “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording.”

The Data Act will cover a wide range of stakeholders, including: (i) manufacturers of products and suppliers of services that generate data that are placed on the EU market (e.g., Internet of Things (IoT) products), and users of such products or services, (ii) data holders that make data available to data recipients in the EU, (iii) data recipients to whom data are made available, and (iv) providers of cloud services to EU customers. Small and medium-sized enterprises are exempted from certain obligations.

Key provisions

The proposed Data Act imposes a broad range of obligations, some of the main ones being:

  • Data sharing obligations: IoT products and services must be designed and manufactured in a way that will allow users (consumers and businesses) easy and direct access to data. Users may also request that their data are made available to third parties, sometimes even in real time. Data holders are, however, obliged to take all reasonable measures (technical, legal and organisational) in order to prevent unlawful third-party access to data.
  • Data sharing T&Cs: The Data Act specifies that data must be shared with third parties on a fair, reasonable, and non-discriminatory basis, and sets out detailed rules to that effect. To enhance compliance, the Commission is also expected to propose recommended (non-binding) voluntary model contractual terms on access to and use of data.
  • Cloud switching and interoperability: The Data Act sets out provisions that aim to facilitate switching and interoperability between providers of cloud services. For example, providers must remove all obstacles that inhibit customers from porting their data to another provider, and the switching rights of a customer and the obligations of providers must be clearly set out in a written contract. Switching charges will be gradually withdrawn over the course of three years after the entry into force of the Data Act. Cloud service providers are also obliged to take measures to avoid unlawful access to data (e.g., by non-EU governments).
  • Exceptional data requests: The Data Act provides for special data-sharing obligations with public sector bodies in times of exceptional need. Such exceptional need circumstances are defined quite broadly and include situations where the requested data is needed to respond to, prevent or assist with the recovery from a public emergency (such as a pandemic) or where the lack of data prevents a public sector body from fulfilling a specific public interest task. In such circumstances, data holders will be required to provide the requested data (non-personal data, insofar as possible) without undue delay.

Enforcement

Once the Data Act is adopted, it will become directly applicable in EU Member States, which will be tasked with its enforcement, including laying down specific rules on penalties (which must be “effective, proportionate and dissuasive”). As is the case in relation to the EU General Data Protection Regulation (GDPR), each Member State will be required to designate one or more responsible enforcement authorities.

Non-compliance with certain obligations could be sanctioned with administrative fines or financial penalties of up to EUR 20 million or 4% of annual global revenue, whichever is higher.

Next steps

The European Parliament and EU Member States will now debate, and propose their own amendments to, the draft Data Act. The proposal was met with mixed reactions from various stakeholders in the industry. Several stakeholders see this as a positive development: the European Consumer Organisation (BEUC) describes the Data Act as “an important piece of the jigsaw to make sure data can be accessed fairly across industries while giving users full power to decide what happens to the data they generate”,[1] and the Fédération Internationale de l’Automobile European Bureau (FIA EB) “strongly welcomes the Data Act proposal”.[2] However, others fear that the Data Act “risk[s] stifling market trends towards data sharing and data-driven innovation”[3] or could have effects opposite of the ones intended.[4]

With many more stakeholders likely to offer views, the proposal is unlikely to be adopted without amendments, and the approval process of the new laws could take two or more years.


[1] BEUC, “Data Act important for competition and consumer choice” (23 February 2022), https://www.beuc.eu/publications/data-act-important-competition-and-consumer-choice/html.

[2] FIA EB, “FIA EB welcomes Data Act and supports path towards sector-specific legislation” (24 February 2022), https://pr.euractiv.com/pr/fia-eb-welcomes-data-act-and-supports-path-towards-sector-specific-legislation-229133.

[3] EURACTIV, “Industry readies to fight the Commission’s Data Act proposal” (3 February 2022), https://www.euractiv.com/section/digital/news/industry-readies-to-fight-the-commissions-data-act-proposal/.

[4] Digital Europe, “Data Act: Right ambition to unlock data potential, but obligations would hold back Europe’s data-driven recovery” (23 February 2022), https://www.digitaleurope.org/news/data-act-right-ambition-to-unlock-data-potential-but-obligations-would-hold-back-europes-data-driven-recovery/ and BSA “BSA Statement on the EU Data Act Proposal” (23 February 2022), https://www.bsa.org/news-events/news/bsa-statement-on-the-eu-data-act-proposal.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.