Data Act – Harmonized Rules On Fair Access to and Use of Data

6 minute read | June.30.2023

The Cybersecurity & Privacy CompassThis Essential Guide to the European Data Act is part of Orrick’s Cybersecurity & Privacy Compass Series. The Cybersecurity & Privacy Compass is your global guide to constant cybersecurity and privacy change.

In this Essential Guide, we answer pressing questions about the European Data Act, including what the Data Act is about, who is impacted and what the objectives are, the new rights and obligations created by the act, the legislative status, and recommended next steps for companies.

What is it about?

The Data Act is the proposed EU Regulation on harmonised rules on fair access to and use of data ("Data Act"). It is one of the key measures intended to make more data available for use by the private and public sector. The Data Act complements the Data Governance Regulation proposed in November 2020, which is the first deliverable under A European strategy for data. While the Data Governance Regulation creates the processes and structures to facilitate the sharing of data, the Data Act clarifies who can generate value from data and under which conditions.

Who is impacted?

The Data Act applies to broad variety of actors. Only micro, small and medium-sized enterprises ("MSMEs") are partially exempted from the obligations of the Data Act. According to the Council’s proposal of 17 March 2023, the Data Act applies to a variety of entities including to, (i)  manufacturers of products and providers of related services placed on the market in the EU, i.e., entities providing items in the EU, that obtain, generate or collect, accessible data concerning its use or environment and are able to communicate that data over the internet (e.g., connected devices), (ii) data holders, i.e., natural or legal persons who have access to data from products and make the data available to data recipients, (iii) data recipients to whom data is made available, (iv) public sector bodies of a Member State or Union institution, and agencies or bodies that request data holders to make data available, (v) providers of data processing services, irrespective of their place of establishment, offering such services to customers in the Union, and (vi) operators of data processing services providing such services to customers in the Union. Because the term "user" referred to by the Data Act means a natural or legal person, the Data Act’s obligations apply to both business to consumer and also business to business relationships.

What are the objectives of the Act?

The Data Act aims to allow users to access data they generated when using a connected device and to share such data with third parties for the purpose of providing aftermarket or other data-driven innovative services.

What are the new rights and obligations created by the Act?

The rights and obligations created by the Data Act include the following:

Obligation to Share Data and to Maintain it in Standard Formats

The Data Act requires covered entities to make data accessed from connected devices or generated during the provision of related services accessible to users free of charge and, where applicable, continuously and in real-time.

Under specific circumstances, other companies – called data recipients – have a right to receive data from the service provider – the data holder. If a data holder is obliged to disclose data to a data recipient, either under the terms of the Data Act or other EU or national law, the data holder must do so according to terms that are fair, reasonable and non-discriminatory (FRAND). Any compensation for making the data available shall also be reasonable. Where the data recipient is a MSMEs, any compensation agreed shall not exceed the costs directly related to making the data available to the data recipient and which are attributable to the request.

By requiring data to be provided in a comprehensive, structured, commonly used and machine-readable format, the Data Act imposes technical standards. Companies therefore may need to update their current standards for data storage and structure.

Incentives for investing into data

The Data Act maintains incentives for manufacturers to continue investing in high-quality data generation, by covering their transfer-related costs and excluding use of shared data in direct competition with their product.

Right of public sector entities to access data

Public sector entities are granted the right to request and obtain the data stored by a data holder. A data holder receiving a request for access to data is required to make the data available without undue delay. However, such requests are allowed only in exceptional cases that must be demonstrated by the public sector entity and require that the data requested and the purpose for what it is requested is specified. Moreover, the right is limited to non-personal data.

Facilitating data portability

The Data Act requires providers of data processing services to take measures to enable customers to switch to another data processing service, covering an equivalent service, which is provided by a different provider of data processing services. Providers of a data processing service shall not impose and shall remove commercial, technical, contractual and organisational obstacles, which inhibit customers from terminating, concluding new contractual agreements, porting the customer’s exportable data, and achieving functional equivalence in the use of the new service in the IT environment of the different provider. For example, the Data Act requires covered entities to allow customers to terminate a service after a maximum notice period of 30 days.

Rebalancing the rights of MSMEs

The Data Act contains measures to rebalance the negotiations powers for MSMEs. These measures include provisions according to which contractual terms shall not be binding where access and use of data or the liability and remedies for a breach have been unilaterally imposed on another enterprise and if these terms are deemed to be unfair. A contractual term will be deemed unfair if it is of such a nature that its use grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing.

What is the legislative status?

The Data Act was published by the Commission on 23 February 2022 and the European Parliament adopted amendments to the existing proposal of the European Commission on 14 March 2023. The Council adopted a position on the Data Act on 17 March 2023. The Members of the European Commission, the Parliament and the Council have completed its informal trilogue negotiations and on 27 June 2023, a political provisional agreement on the Data Act was reached between the European Parliament and the Council. The political agreement is now subject to formal endorsement by the European Parliament and the Council. It will then be adopted by both institutions following legal-linguistic revision.

We expect that the legislators to be keen to present the text for endorsement as soon as possible, so that the legislative process can come to an end quickly. The Data Act will enter into force on the twentieth day following that of its publication in the Official Journal of the European Union and will apply 20 months after the date of entry into force.

What are the action items?

As the Data Act is still in the legislative process and the final text is not yet publicly available, there is no need to rush. However, the Data Act is a regulation and therefore binding in each Member State. However, as the final text appears to be very close, it is sensible to start evaluating whether one would actually be subject to the Data Act given that the 20-month period to ensure compliance may be a little short. If it is likely that the Data Act will apply to your organisation, consider taking further strategic decisions.