Update Data Protection No. 148
DATA ACT: European Parliament agrees on a data law with far-reaching legal consequences for companies
After the European Commission presented a first draft of the EU Data Act in early 2022, the Member States reached agreement on a draft Data Act with the European Parliament on the night of June 26, 2023. This concludes the trilogue negotiations and paves the way for formal confirmation by the European Parliament and the Council of the European Union. Formal adoption is expected in the autumn; after entry into force, a transitional period of 24 months begins (according to the current state of negotiations).
The Regulation is intended to establish a legal framework for trade in non-personal data. Above all, it strengthens the rights of consumers, but also of small and medium-sized enterprises, who are to be given access to data that has hitherto been exclusively in the hands of the large platforms. Besides personal data, to which the Data Act applies alongside the GDPR, non-personal data that arises during the operation of Internet-connected devices is also affected. In addition, the Data Act contains interoperability requirements for data processing providers as well as rules on access to data by public authorities in exceptional cases and catastrophic situations.
In the following, we give you an overview of what regulations the Data Act is expected to contain and what measures can be taken to implement the requirements and avoid fines of up to 4 % of total annual turnover achieved worldwide.
The Data Act primarily covers data generated by connected objects (“products”), such as connected household appliances, voice assistants or industrial plants, as well as cars connected to the Internet. This also includes services permanently connected with a product (“connected services”), such as the software of a fitness watch. The focus of the law is therefore on data from the Internet of Things (IoT). The term “data” is used very broadly and covers every digital representation of (personal and non-personal) information. This data is valuable to many companies when developing new products, when servicing or repairing networked devices, and as training data for algorithms, but it is currently usually stored exclusively by the manufacturers or sellers of such products.
As in the GDPR, the market location principle applies under the Data Act, so it also covers non-European companies if they are active in the European Union, in particular if the corresponding products and services are marketed in the EU or if the data recipients are located in the EU.
2. What rights and obligations are there?
a) Provision of data to users and third parties
Most of the obligations of the Data Act do not apply in principle to small and micro enterprises, i.e. companies with fewer than 50 employees and an annual turnover or annual balance sheet total of less than EUR 10 million (cf. Art. 7 Data Act), unless they are partner companies or affiliated companies of enterprises that are not considered micro or small enterprises. Medium-sized enterprises with fewer than 250 employees and an annual turnover of less than EUR 50 million or an annual balance sheet total of less than EUR 43 million are expected to have to implement the obligations described in detail below. Exceptions are only expected for medium-sized enterprises that crossed the threshold for qualification as a medium-sized enterprise less than a year ago, or for products of medium-sized enterprises that have been available on the market for less than a year. These requirements cannot, as a matter of principle, be restricted by contract.
Users, whether consumers or companies, who own, rent or lease a connected product or use a connected service must be able to obtain IoT data (including metadata) from the data holder and share it with third parties in the same quality. Ideally, access should take place directly from the respective product; alternatively, the data must be made available to users in real time, free of charge and, where applicable, continuously in a machine-readable format. In the case of fitness watches, for example, this means that users must be provided with the raw data collected in addition to the results of the data evaluation. For personal data, it remains the case that it may only be issued to the data subject themselves, unless there is a corresponding legal basis under data protection law (Art. 4 (5) Data Act).
Manufacturers and sellers of such products must inform users how the data can be accessed and how it can be passed on to third parties before concluding the contract on the basis of which the connected product or service is used (Art. 3 (2) Data Act). In addition, the following information must be provided to users upon conclusion of the contract:
- the nature and extent of the data likely to be generated during use;
- information on whether the data is expected to be generated continuously and in real time;
- the intention of the manufacturer (or service provider) to use the data itself or to make it available to third parties, and if so, for what purposes;
- information on the identity of the data holder;
- means of communication for quick contact with the Data Controller;
- the right of the user to lodge a complaint with the competent authority.
In addition, the data holder may only use the resulting data for their own purposes if this has also been expressly contractually agreed with the user.
As a rule, data recipients receive the data as third parties at the instigation of the user. Consequently, they may only process the data they receive as a result of a user’s issue request for the purposes and under the conditions agreed with the user. If the data is no longer required for these purposes, it must be deleted (Art. 6 (1) Data Act). The Data Act provides for an exception to the users’ right to request that the data holder issue data to a third party in the case of issuance to gatekeepers within the meaning of the Digital Markets Act. Gatekeepers may not receive such data either as a data recipient or indirectly via the user themselves (Art. 5 (2) Data Act).
In relation to a data recipient (B2B), the provision of the data may only take place under “fair, reasonable and non-discriminatory conditions and in a transparent manner” (Art. 8 (1) Data Act). In particular, the following agreements are not permissible:
(1) the data holder may not stipulate that the provision is made exclusively to only one data recipient, unless the user expressly requests this (Art. 8 (4) Data Act);
(2) discriminatory conditions are not permissible; the data holder is responsible for proving that the conditions are non-discriminatory (reversal of the burden of proof, Art. 8 (3) Data Act);
(3) abusive clauses to the detriment of the data recipient are to be ineffective (regardless of whether the recipient is an SME) (cf. point 3).
In return for the provision of data to a data recipient, the data holder may request a reasonable consideration (Art. 9 (1) Data Act). The fee charged by small and micro enterprises may not exceed the cost of collecting and providing the data.
Data processing providers (in particular cloud or edge services) must enable a simple change of service provider via corresponding interfaces and by adhering to corresponding interoperability standards, and must guarantee this contractually so that all functionalities are retained even when the provider changes (functional equivalence). In principle, a short notice period of 30 days applies, unless a different arrangement is required. They must also provide for a transitional period of 30 days, during which the data processing service provider supports the switching process and ensures the full continuity of services as well as a high level of security. A lead time before the planned changeover may be provided for, but it may not exceed two months. After the changeover, all data and metadata must be deleted. In addition, from the entry into force of the Data Act only a reduced switching or data transfer fee may be demanded, and three years after entry into force none at all.
The current draft also stipulates that data processing service providers must provide information on whether they maintain IT infrastructure in third countries. In doing so, they must take all appropriate technical, legal and organizational measures to prevent state access to non-personal data in third countries in violation of European Union law (Art. 27 Data Act).
c) Regulatory access
In exceptional circumstances, public bodies and European Union bodies are also to be given access to data. This applies, for example, in the event of public emergencies such as natural disasters, and to the performance of a task in the public interest if the public authority is unable to obtain the data in another way in a timely and efficient manner under equivalent conditions. Where tasks in the public interest are concerned, acquiring the data on the market takes priority.
If a company receives such an issue request, the requested data must be provided immediately (Art. 18 (1) Data Act) unless the data is not available to the data holder or the data access request does not meet the legal requirements. Where appropriate, personal data must be anonymized or at least pseudonymized prior to issue.
3. Not permissible: Abusive clauses
The Regulation is intended to prevent the use of abusive contractual clauses between data holders and data recipients (Art. 13 Data Act). Such clauses are not binding if they have been unilaterally imposed on one party by the other (cf. general terms and conditions, GTC). The legislator first uses a general clause, according to which a clause is abusive “if its use deviates grossly from good business practice in data access and data use and violates the requirement of good faith and fair business dealings.” The Data Act gives a few examples of this, namely:
- limitation or exclusion of the user’s liability for intent or gross negligence;
- exclusion of remedies in case of non-performance of contractual obligations or exclusion of liability of the imposing party as well as unreasonable limitations of remedies in this case;
- the unilateral right to determine whether the data provided is in conformity with the contract or to interpret contractual clauses;
- a right of the imposing party to access data of the other party that significantly harms their legitimate interests;
- hindering the other party from using the data provided or generated by it;
- hindering the other party from obtaining a copy of the data provided or generated by it during the term of the contract or within a reasonable period after termination of the contract;
- a right of the imposing party to terminate the contract with an unreasonably short notice period.
The Commission is also expected to adopt model contractual clauses that can be used to avoid unfair terms.
The Data Act, on the other hand, does not regulate data usage contracts concluded with consumers in order to obtain larger amounts of data. Currently, there are no guidelines on how these can be formulated in a legally compliant manner. Especially with regard to GTC law, companies should at least ensure that such data usage contracts are clearly formulated and that consumers do not sweepingly relinquish all rights to their data.
4. How are trade secrets protected?
Many companies are currently concerned that the Data Act will lead to disclosure of their trade secrets. There is expressly no obligation under the Data Act to disclose trade secrets (Art. 8 (6) Data Act). Rather, data holders may, in principle, take all necessary measures to protect their trade secrets before disclosing the data. If this is not sufficient, it can also be contractually agreed that the user or data recipient is obliged to take further technical and organizational measures to protect the data. In exceptional cases, data holders may even refuse disclosure if the company anticipates serious and irreparable economic damage. However, the refusal must be reported to the competent authority, which will in turn check its plausibility. Any use of the data for the development of competing products is prohibited in any case (Art. 4 (4) Data Act).
Even if the data holder unjustifiably refuses to issue the data, users may not access the data by exploiting security gaps. Protective measures against unauthorized access, on the other hand, are permissible as long as they do not prevent the user from exercising their right to have the data provided to them or third parties.
If a recipient nevertheless obtains or uses data of the data holder without authorization, they must destroy it and any goods derived therefrom as well as pay compensation (Art. 11 (2) Data Act) unless no damage has occurred or this is disproportionate.
5. Checklist: Preparing for the Data Act
Medium and large enterprises:
- Adapt or develop networked products in such a way that all collected data can be made available directly via the product, but in any case in real time, free of charge and continuously in a machine-readable format;
- Before conclusion of the contract: Information on how to initiate data access and disclosure to third parties (data portability);
- Upon conclusion of the contract: Information about the nature and scope of the data, data generation continuously or in real time, use for own purposes or provision to third parties, identity of the data holder, means of communication, right of complaint;
- Use of the data for own purposes only by express contractual agreement;
- Observe and implement regulatory recommendations and case law on data usage agreements with consumers;
- Ideally, base contracts with data recipients on model contractual clauses (as soon as available);
- Avoid the following pitfalls: Unfair contractual clauses, discrimination against individual data recipients, exclusive provision to only one data recipient;
- Agreement of reasonable consideration that does not exceed the costs of collecting and providing the data for small and micro enterprises;
- In the event of an issue request, ensure that personal data is only disclosed to the data subjects or on the basis of a legal basis under data protection law;
- Protect trade secrets when providing data;
- Provision of certain data if public authorities request it because of a great public interest in an exceptional situation (e.g. floods, forest fires) (for example, aggregated and anonymized data from mobile phone operators); anonymize or pseudonymize personal data where possible.
Data processing provider:
- Enable data portability and interoperability by ensuring simple (free) data sharing;
- Adapt contracts, in particular with regard to notice periods and transitional periods.
Small and micro enterprises should, above all, ensure that they agree on fair contract terms regarding data issuance by large enterprises, ideally the model contract terms as soon as they are made available by the Commission.