On 14th July 2023 the Chairman of the Council of the European Union’s Committee of the Permanent Representatives of the Governments of the Member States to the EU (Coreper) announced the approval of the text of the Data Act, as amended as a result of the political agreement reached with the European Parliament in June 2023. The Chairman of Coreper clarified that if the European Parliament adopts the revised text without amendments in the first reading, the Council will approve the Parliament’s position, and the Act would be adopted accordingly. Once adopted, it will be published in the Official Journal of the European Union and compliance will be mandatory after 20 months.
This article provides an overview of the key features of the Data Act and briefly outlines practical steps companies should consider implementing to fulfil the new requirements.
Background: The Data Act
The Data Act, a regulation proposed by the European Commission, is part of the European Commission’s 2020 European strategy for data. It serves as a key measure to promote digital transformation in line with EU values: The overarching objective is to unlock the potential of the European digital market by establishing rules on fair use of data and harmonised conditions for data access. The act also addresses the recent and ongoing surge of IoT devices and its impact.
The key novel provisions it introduces are:
- Data fairness for users of Internet of Things (IoT) devices: The Data Act introduces specific transparency obligations to safeguard users of IoT devices. It also establishes clear rights for users, granting them more control over the data generated by connected products through easy data portability.
- Ensuring consistency and fairness in data access: The Data Act aims to establish consistency in data access rights, reducing confusion and ambiguity. It promotes legal certainty for companies and consumers regarding data usage and conditions. Particular attention is given to protecting SMEs, which will gain more opportunities to compete and innovate based on their generated data.
- Clearer conditions for public sector access to data: The Data Act allows public sector bodies to access private sector data (including metadata that is necessary to interpret and use that data) under certain circumstances.
- Increasing competitiveness in the data processing services market: The Data Act introduces rules for efficient data interoperability and switching between data-processing service providers. It aims to unlock the EU cloud market and encourage data service competition.
The Main Amendments in the Revised Text
As a result of the above-mentioned political agreement between the Council and the European Parliament, a number of amendments to the Data Act were agreed upon, such as:
- Enhanced safeguards for data access: The amended text guarantees stronger and clearer access rights for users of connected devices to product and related service data. This will compel IoT providers to design their products in a way that facilitates increased user access to data. This serves to counteract the prevalent practice of exclusive data harvesting commonly observed within the IoT sector, where manufacturers often gain the most from data generated through the use of IoT devices.
- Clearer scope of application: The scope of application of the Data Act is further clarified within the revised Article 1 of the text. It provides more detailed clarification regarding the types of data covered, applicable contexts, impacted stakeholders, as well as encompassed services and products.
- Stronger safeguards to prevent abuse of B2B contractual imbalance: The text reinforces measures to prevent abuse of contractual imbalances in data sharing contracts. It provides additional guidance on reasonable compensation for businesses' costs in making data available (pursuant to the Act) and establishes adequate dispute settlement mechanisms.
- Additional requirements to ensure effective switching between providers and interoperability requirements: The revised text introduces extra obligations for data processing service providers, aiming to facilitate smooth transitions for customers who wish to switch between providers. These obligations span the whole customer lifecycle, with the goal of eliminating barriers to switching.
- Enhanced measures to prevent unlawful international governmental access and transfer of data: Data processing service providers must take appropriate measures to prevent any such access or transfer contrary to EU law. The revised text also introduces a transparency requirement: providers of data processing services will have to make available on their website information on the jurisdiction which the IT infrastructure (used for the service) is subject to, and a description of the measures adopted to protect data from unauthorised government access.
- Greater consistency between the Data Act and existing legislation: The relationship between the provisions of the Data Act and other legislation is made clearer through the adoption of consistent definitions and references. For instance, some of the definitions provided under the General Data Protection Regulation are reiterated.
Steps toward Practical Implementation
Given the strong focus on enhancing data accessibility and fair contractual conditions, to comply with the Data Act companies should consider reviewing at least the following essential elements:
- Data governance and data sharing agreements: Ensure that they comply with the restrictions and obligations imposed by the Act. For instance, ensure that access rights of users can be safeguarded, that the specific content and transparency requirements are fulfilled, and that any unfair terms are eliminated.
- Procedures to handle and comply with requests from public bodies: Adopt a dedicated procedure to verify and process such requests that come under the Act. Particular attention should be paid to access requests that relate to personal data.
- Data governance practices to enable data portability: Implement measures that allow customers to switch efficiently between different providers.
- Standards for data processing: Given the focus on improving interoperability among data processing services, organisations should use specifications and standards to ensure interoperability, better digital asset portability, and functional equivalence.
- Contractual Requirements for IoT Providers: Ensure all contracts provide in clear terms the information required by the Act to ensure enhanced transparency and fairness in the access, use and sharing of data produced by IoT products.
In addition to these requirements, public bodies should be aware of what data they may be able to access once the Act is in force. Under the Act, non-personal data can be accessed by public bodies where they can demonstrate that they have exhausted all other avenues to retrieve the data and the data is necessary in fulfilling a task assigned to them by law in the public interest. Personal data can be accessed where public bodies can prove it is needed to respond to a public emergency and that non-personal data is insufficient to that end.
Creating a compliance plan to address new regulations involves careful consideration of the impact on business procedures and documentation to ensure a smooth and efficient transition. It is advisable to develop this plan well in advance of the compliance deadline. While this text is not the final, agreed version, it is likely to form the core of what is finally agreed. Should only a few amendments be necessary, it could come into force as early as Spring/Summer 2025. Trilateral’s Data Protection and Cyber-Risk Team has significant experience in assisting organisations in developing compliance plans to address regulatory requirements, especially in relation to data protection. Feel free to contact our advisors if you would like to receive expert assistance in data protection compliance.