Why a Data Act?
On 23 February 2022, the European Commission adopted a Proposal for a Regulation on harmonised rules on fair access to and use of data (the Data Act) as part of its set of measures related to the European Data Strategy.
An explanatory memorandum accompanies the Data Act detailing the reasons for and objectives of the proposal. As a key pillar of the European Data Strategy, this act aims at contributing to the creation of a cross-sectoral governance for data access.
The European Commission thereby seeks to foster access to and use of data among various players, notably by protecting small and medium-sized enterprises (SMEs).
What's in the Data Act?
The proposed Data Act pursues several objectives propelling a virtuous circle of data sharing between consumers and private and public entities. In particular, it aims at:
- facilitating access to and use of data by consumers while preserving incentives to invest in ways of generating value through data; this means that, by default, users must be able to easily, securely and "where relevant and appropriate", directly access data generated by their use of a product or service;
- providing for the use by public sector bodies and EU institutions, agencies, or bodies, of data held by enterprises in certain situations where there is an exceptional data need (i.e. in cases where compulsory business-to-government data sharing is justified);
- facilitating switching between cloud and edge services;
- putting in place safeguards against unlawful data transfers;[1]
- ensuring that data holders avoid unilaterally imposing unfair contractual terms on SMEs.
The Data Act would also slightly modernise certain concepts linked to the sui generis right protecting databases by intellectual property rights.
Interactions between the Data Act and other EU laws
The proposed Data Act relies on a broad definition of the concept of "data" which includes both personal and non-personal data. The proposed Data Act would apply without prejudice to the EU General Data Protection Regulation 2016/679 (the GDPR). In that respect, the proposed Data Act recalls that the use of a product or service may, particularly when the user is a natural person, generate data that relates to an identified or identifiable natural person (the data subject). In such circumstances, the processing of that data remains subject to the rules set out under the GDPR including "where personal and non-personal data in a data set are inextricably linked."
As indicated above, the proposed Data Act shall be read in the light of the European Data Strategy. The proposal complements and shall be read in conjunction with (i) the proposed Data Governance Act (DGA) which notably harmonises conditions for the use of certain public sector data and (ii) the proposed Digital Markets Act (DMA) requiring providers of "core platform services" identified as "gatekeepers" to provide certain portability features to the benefit of business and end-users.
The feedback from stakeholders (that can be provided online) will be presented to the European Parliament and Council for consideration during the legislative debate.
[1] Chapter VII of the Data Act specifically relates to the prevention of unlawful access to or disclosure of non-personal data held in the European Union. Such developments are in fact quite similar to the provisions set out under Chapter V of the GDPR regulating the lawful disclosure of personal data to third countries.