Data has become increasingly important to achieve the social and commercial goals of companies and other organisations. The European Commission expects the data economy in the EU to be worth €829 billion by 2025. In order to achieve effective data governance, every organisation will have to go through a number of steps. A good understanding of the relevant current and future laws and regulations is of great importance to make optimal use of the potential.
In addition to the previously announced Data Governance Act, the list of future legislation should also include the Data Act. With this European regulation proposed in February 2022, the European Commission has taken a new step in its European data strategy. With this strategy, the European Union aims to become a role model for a society in which data dominates. The Data Act fits into a trend where the focus is no longer on personal data, but includes all kinds of data. The Data Act contains a number of far-reaching obligations for a wide range of market parties.
Internet of Things products and services
Companies are required to design their Internet of Things products and services in such a way that users can easily access all data generated by their use. Moreover, before such products and services are sold to users in the EU, detailed information must be provided to the user on the data that is generated. Not only the use of personal data, but also the use of other data is restricted and is no longer allowed without a contractual relationship with the user.
The data generated by Internet of Things products and services must be made available to the user of the relevant product or service without undue delay, free of charge and (where applicable) in real time. Under the same conditions, the user may request that this data will be made available to a third party, but not to so-called gatekeepers designated under EU digital market act. In practice, this means that interfaces will have to be built or reviewed.
The European Commission has provided some safeguards for the providers of this data. For example, the data may not be used by the recipient to develop competing products or services. Also, data containing trade secrets may only be disclosed under specific confidentiality arrangements (but the data must still be made public). It remains to be seen exactly what this restriction will mean in practice.
Cloud services
The Data Act contains several proposals that aim to ease the switching between different cloud services, as well as the transfer of all cloud services to an on-premises solution. These proposals include various contractual guarantees, a limitation of the duration of the switching process to 30 days, the phasing out of any switching costs, and obligations to ensure a technically smooth transition. These requirements apply to a wide range of cloud services, from simple data storage services to advanced software-as-a-service solutions.
The draft regulation also contains strict restrictions on international data sharing by cloud services. Cloud providers must take all necessary measures to prevent international access to or transfer of non-personal data retained in the EU when this would be in breach of EU or Member State law, for example in light of rules protecting the fundamental rights of a person, the national security interests of a Member State or intellectual property rights. So, in contrast to the regime in the General Data Protection Regulation, international transfers are allowed, unless EU or Member State law opposes this.
Requests for access to data from third countries can only be met if they are based on international agreements (for example a mutual legal assistance treaty) or if the legal system of the third country offers protection similar to the Data Act.
Status Data Act
In addition to the above topics, the Data Act contains relevant proposals in several other areas, such as detailed rules on the conditions under which data holders must make data available if they are required to do so (fair, reasonable and non-discriminatory), the establishment of harmonised interoperability standards for data exchanges, and the act addresses requests for access to data by public authorities across the EU.
Since the Data Act is a regulation, it will in due course become directly applicable in the European Union without transposition into national law. Before that happens, the European Parliament and the Council of the European Union will have to come up with their own text proposal. Negotiations will then take place in order to reach an agreed text (trilogue). The European Commission proposes to delay the entry into force of the regulation by 12 months.
