European Commission moves ahead with proposed 'Data Act' regulating access to data in B2B and B2G relationships

EU

On 28 May, the European Commission launched an initial consultation on its plans for a ‘Data Act’, which would – if adopted – introduce rules for access to and use of data, both in business-to business (B2B) and business-to-government (B2G) relationships. The aim of the Data Act initiative is to ensure fairness in “how the value from using data is shared among businesses, consumers and public bodies”. The Commission will further consider complementing the Data Act through initiatives for individual sectoral data spaces or for data access, and for use in specific sectors or markets (e.g. access to vehicle data).

The Data Act initiative is part of the “European strategy for data”, which the Commission published in 2020 and aims at the creation of a European Single Market for data fostering innovation and job creation and contributing to the efficiency and international competitiveness of industries across all sectors. Beyond the European Single Market, the EU wants to ensure an “open, but assertive approach” towards international data flows, based on European values. With the Data Act, the Commission now wants to tackle issues that – according to its extensive research – prevents the EU from realising the full potential of data-driven innovation in the economy.

In the Commission’s view, access and use of data in the EU must be facilitated to allow more public and private actors to benefit from Big Data and technologies, such as machine learning. The Commission’s initiative will look at data-usage rights in industrial value chains and how they are distributed. This raises issues of fair competition, which the Commission wants to offer solutions for in the Data Act.

Usage and access to data are subject to different sets of rules. This creates legal uncertainties and companies providing or requesting access to and using data may encounter severe legal pitfalls. The Commission’s initiative will look at various pieces of regulation including:

  • ePrivacy rules (currently under review);

  • the Database Directive;

  • the Trade Secrets Directive;

  • the General Data Protection Directive (GDPR), in particular Article 20 GDPR (the right to port data);

  • standards for smart contracts developed by the European Standardisation Organisation;

  • codes of conduct for cloud service portability, as mandated by the Regulation on the Free Flow of Non-personal Data;

  • Safeguards for non-personal data in international contexts.

The Data Act is intended to be consistent with these regulations and provide clarity on their interpretation, where appropriate. Regulation due for revision or further development can be aligned with the Data Act.

In addition to the issues in B2B relationships, the Commission is concerned that the public sector is currently limited in using privately held data, which is necessary to serve the public interest. The Data Act initiative will therefore seek to facilitate access to data by public bodies in the public interest. Overall, the Commission aims to seek the “right balance between rights to access data and incentives to invest in data, without changing the current data protection rules”.

In concrete terms, the Commission is considering the following policy options:

1. Improved access to private sector data for the public sector (B2G):

Introduction of a framework for access and use of private sector data sources by the public sector, including data-sharing requirements, transparency requirements and safeguards. This could cover both ad hoc and more regular access to and use of big data. The most far-reaching policy option would lay down the right of the public sector to access privately held data for a range of defined public-interest purposes.

2. Fairness of data access and use in business-to-business (B2B) relationships:

  1. Specific transparency obligations for manufacturers of connected objects on the rights to access and use non-personal data for users.

  2. B2B fairness rules for access and use of data (for IoT or wider data sharing situations), complemented possibly by model contract terms recommended by the Commission.

  3. Data access and use rights, potentially on the basis of fair, reasonable, proportionate, transparent and non-discriminatory (FRAND) terms for non-personal data (for IoT or wider data sharing situations).

  4. Harmonisation of horizontal modalities for access to data rights established in specific sectoral rules. The modalities would provide general principles for access data, while potential sector specific data access would be established by sector specific rules.

  5. Adaptations of the Database Directive (Directive 96/9/EC) to facilitate data access and use, in particular clarification of the relationship between the sui generis right and machine-generated data.

  6. Technical specifications for portability rights under the GDPR. For example, makers of home appliances, wearables and home assistants could be obliged to provide technical interfaces that allow real-time portability of data collected by their devices.

  7. Introduction safeguards for easy cloud service portability by prescribing Standard Contractual Clauses or providing legal requirements.

  8. Definition of essential requirements for smart contracts’ interoperability and a a potential mandate for the European Standardisation Organisations for setting technical standards for smart contracts.

  9. Protection of data in cloud computing against access from non-EU governments by introducing an obligation to (i) notify users of a request for access to data by foreign authorities, (ii) to inform the Commission of all different laws of non-EU jurisdictions with extraterritorial effect to which they are subject and (iii) to take appropriate measures to prevent the transfer of or access to non-personal data of companies established in the EU to third countries’ governmental authorities, where such transfers or access would be in conflict with EU or member state laws.

The Commission consultation on its “Inception Impact Assessment”, which describes the Commission's plans for the Data Act in more detail, is open until 25 June 2021 and can be accessed on the Commission’s “have your say” website. Stakeholders can share their views on the Commission's plans. In particular, they may comment on the possible impact of the different policy options considered by the Commission and provide relevant information to the Commission. The Commission has also announced workshops, targeted dialogues with SMEs as well as sectoral events for specific areas such as health, industrial manufacturing or agriculture for later this year. The adaptation of a legislative proposal by the Commission is expected in the fourth quarter of 2021.

For more information, contact your CMS client partner or CMS experts Dr Björn Herbers and Dr Reemt Matthiesen.