Data Act, a new initiative in the framework of the European Data Strategy

Updated 02/29/24

At the end of 2021, an agreement was reached between the European Parliament and Member States to push forward the proposed Data Governance Act. The aim was to create processes and structures to facilitate the exchange of data between all relevant actors.

Shortly thereafter, it was followed by another new regulatory initiative launched by the European Commission: the so-called Data Act. It is a new regulation that aims to promote harmonised rules on access and fair use of data within the framework of the European Strategy. Once the appropriate public consultation has been completed and, in view of the conclusions of the corresponding impact analysis, this proposal has been formulated, which is set to profoundly transform the European regulatory framework on data.

What are the objectives of the new regulation?

The initiative is based on a basic premise: despite the progress made, there is still a general problem regarding the insufficient availability of data in the European Union as a whole. In this sense, it has been noted that this is not simply a problem specific to the national sphere, so that it has seemed necessary to promote a new European regulation whose main objectives are:

• To increase legal certainty with regard to rights relating to access to and use of data, especially in a technological environment of interconnected objects.
• To address imbalances in contractual relations between companies whose subject matter concerns the availability of data.
• Establish the conditions under which private entities should provide data to public bodies in exceptional situations.
• Promote a framework for efficient interoperability of data from a cross-sectoral perspective.
• Establish minimum guarantees for users of data processing services when they change provider.

Let us look at each of these points in detail.

Boosting access to and use of data

One of the main novelties of the Regulation concerns the adoption of measures to facilitate access to data generated by connected objects (IoT). In particular, it has been identified that there are insufficient incentives for data owners to make data available to the users of the objects and services, who are ultimately the ones who generate the data when they use or enjoy them. In this respect, the lack of adequate regulation means that there is clear uncertainty about the rights and obligations that correspond to each of the parties, i.e. manufacturers of the objects, persons using them and, where appropriate, third parties providing services.

The approach is to oblige manufacturers of the objects to share, under appropriate conditions, data generated during the use of products or services - which may even include reasonable compensation - with the users themselves and even with third parties, in particular for the purpose of facilitating after-sales and maintenance services. As a result, rights of access and use are assigned, as opposed to the recognition of exclusive rights arising from the greater ability to control that would initially be vested in manufacturers and designers.

Moreover, specific measures are laid down to strengthen the legal position of those who use the objects, in particular with regard to data generated during the enjoyment of the related products or services. In this respect, the right to information prior to purchase is reinforced, and the user must be informed of the nature and volume of the data to be generated, how he can access the data and how it will be generated, or, inter alia, who will use the data or how to request that it be shared with third parties. Moreover, the manufacturer of the object or service provider is required to guarantee the user access to the data generated, without being able to require any additional information from the user beyond what is strictly necessary to verify the user's status as a user.

Contractual imbalances between companies

As regards business-to-business relations, the Regulation has established measures aimed at ensuring that there is a reasonable balance and, in particular, at avoiding unfair impositions in business-to-business contracts when negotiating conditions relating to access to and use of data. Thus, on the one hand, the cases in which a clause is considered unfair for a micro/small/medium-sized enterprise are specified, as would be the case, for example, when it would be prevented from making a copy of the data it has itself generated or when undue restrictions are imposed on the means of redress in the event of non-compliance. Moreover, it is specified in which circumstances the conditions have been unilaterally imposed in an undue manner, with the onus being on the company that proposed the clause to prove that there has been no such imposition. The mandatory nature of these measures is reinforced by the express prohibition to ignore them even if there is an agreement to that effect between the two parties.

Provision of data to public entities

With regard to relations between companies and public bodies, the Regulation envisages the mandatory provision of certain data to meet exceptional needs linked to emergencies or even situations where the public interest so requires. This is a measure that would not be applicable to smaller companies and that, in any case, would be subject to a series of limits and conditions, among which the following stand out:

• The requirement to demonstrate the exceptional need that justifies making the data available, specifying the purpose of the use and its duration.
• The regulations on open data and re-use of public sector information shall not apply to the data provided.
• If the purpose of the provision relates to personal data, reasonable measures for pseudonymisation shall be required, provided that this is not incompatible with the intended purpose.
• The purpose of making the data available is for the performance of a task of public interest, the existence of a legal provision is required and that the data could not have been obtained by any other means, including their purchase on the market.
• In any case, this regulation does not affect cases in which the provision of the data by the companies takes place within the framework of the fulfilment of legal obligations derived from the exercise of surveillance or verification functions, as would be the case, in particular, with the performance of inspection tasks by the public authorities.

In any case, this regulation does not affect cases in which the provision of data by companies takes place in the framework of the fulfilment of legal obligations derived from the exercise of surveillance or verification functions, as would be the case, in particular, with the performance of inspection tasks by public authorities.

A strong commitment to interoperability

One of the main problems that the new Regulation seeks to address is the high level of fragmentation of data, in particular due to the existence of "silos" that prevent their interconnection in the absence of effective rules on interoperability. In this respect, an obligation is laid down for data space operators to comply with a number of minimum requirements to facilitate interoperability, in particular as regards the specification of technical and legal conditions allowing automated data processing. Specific conditions are also laid down for smart contracts, i.e. software that executes and settles transactions on the basis of pre-determined conditions from the perspective of data provision, including a European declaration of conformity system and even the establishment of standardisation criteria.

Interoperability requirements may be general in scope or, where appropriate, sector-specific, for which a broad legal approach will be essential, taking into account the requirements of the respective regulatory frameworks applicable in each case. To this end, the definitive boost to European data spaces can undoubtedly be of great importance in order to specify the scope of regulation in some areas of great strategic relevance and of unquestionable public interest.

Safeguards against switching providers

Another of the main novelties of the proposal consists of recognising minimum rights for users of data processing services when they change provider, so as to extend their ability to choose and ensure that they can dispose of their data, applications and other digital assets without unjustified restrictions. It also establishes certain minimum contents that must be included in the corresponding contract with providers, including the obligation to facilitate and actively collaborate in the migration process, the exhaustive identification of the categories of exportable data and applications or, among other aspects, the establishment of a minimum period for the recovery of data once the contract is terminated.

Although all these aspects may represent significant improvements in terms of facilitating access to data, the fact is that the proposal has raised some doubts, especially with regard to the mandatory nature of their transfer in B2B and B2G environments, the possible increase in costs that the new data processing conditions would entail or, among other aspects, the possible contradiction with the principle of minimisation in force in the area of personal data protection and, in general, the coherence with the rest of the European regulatory framework. These are undoubtedly important challenges whose regulation will have to take shape in the coming months during the long and intense process that is now beginning.

Download the infographic in PDF here

This infographic is also available in two pages

Content prepared by Julián Valero, professor at the University of Murcia and Coordinator of the Research Group "Innovation, Law and Technology" (iDerTec). Contents and points of view expressed in this publication are the exclusive responsibility of its author.