The EU Data Act - A look at the data-sharing obligations imposed.
The EU Data Act
In February 2022, the European Commission published its proposal for the EU Data Act (EDA). Following the adoption of the EU Data Governance Act (DGA), the EDA constitutes the second legal instrument through which the European Strategy for Data (ESDA) will be implemented in the Union. Once adopted in its final version, the EDA will provide a range of substantive data-sharing obligations addressed mainly to manufacturers of connected products (Internet of Things devices, such as smart home technology or technology used in self-driving cars), providers of cloud services and some other data holders. You can read more about Europe’s data strategy to improve access to valuable data for innovation and research here. More information about the EDA’s counterpart, the DGA, can be found here. In this post, we will address the substantive data-sharing obligations imposed by the EDA and scrutinise its interplay with the GDPR where the data in question constitutes personal data.
Scope of application
The EDA is directed at all data generated by connected objects. These encompass, for instance, smart-home devices such as smart speakers and cleaning robots, as well as connected objects used in industry. It equally applies to providers of cloud or edge computing services. Excluded, however, are products whose principal function is to process data or to display content, for instance personal computers, tablets or smartphones. The term ‘data’ is broadly defined in its Article 2, including “any representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording.” Hence, essentially all data generated and collected by the concerned objects is included, of both a personal and non-personal nature.
Chapter II of the Proposal contains the substantive data access and sharing obligations arising in both business-to-consumer and business-to-business relations. Art. 3 EDA starts with a general obligation to make data generated by the use of products or related services accessible to their users. Where possible, products must be designed and manufactured in such a way that users can easily access the data generated through their use. Prior to the purchase or rental of a product, users should be adequately informed about the data generated and the possibilities to access it. This obligation resembles the concept of privacy by design as we know it from the GDPR, according to which privacy should already be considered when first engineering a product.
Art. 4 EDA then regulates the cases in which users cannot directly access the data generated by the product. In this case, they must instead be able to request access through electronic means. For this, the ‘data holder’, normally the manufacturer or provider of the product, cannot require the provision of more information than is necessary to identify the ‘user’ of the product. Certain limited exceptions cover the cases in which the data holder is not required to share the data, mainly where the data contains protected trade secrets or is intended to be used for the development of a product competing with that of the data holder. If the data contains personal data of a third party, the data can only be made available where a valid legal basis under the GDPR applies. Here, one might for instance think of a user who has lent his self-driving car to a friend or whose smart speaker has recorded the voices of his neighbour.
Art. 5 EDA further extends the data-sharing obligations in relation to third parties. The user must be allowed to request that the data holder transfer data generated by his product to a chosen third party. This can help individuals obtain more individualised services, as they could for instance ask the provider of their smart fitness watch to transfer the generated data to a company providing personal training plans or dietary advice. The Act excludes companies defined as gatekeepers under the Digital Markets Act from the definition of third parties. These are providers of core platform services, mainly ‘Big Tech’ companies such as Google or Facebook. Again, the data holder can only require the provision of information necessary to verify the quality as a ‘user’ and ‘third party’; certain restrictions apply to ensure fair competition or to protect trade secrets; and personal data can only be made available in accordance with the GDPR.
Art. 6 EDA contains certain obligations for the third parties receiving data at the request of the user. They can only make the data available for the purposes and under the conditions agreed with the user and must delete the data once it is no longer necessary for the agreed purposes. Where the data constitutes personal data, the rights of the data subject must be respected. Additionally, certain actions performed on the data are entirely prohibited, e.g. its use for profiling purposes or to create a product competing with the one from which the accessed data originates.
Art. 7 EDA stipulates that the preceding data-sharing obligations do not apply to micro or small enterprises. Art. 8 EDA contains certain obligations as to how data holders must make the data available where required to do so under Art. 5 or 6 EDA. Amongst others, data must be made available under fair, reasonable and non-discriminatory terms and in a transparent manner. The terms for making the data available shall be agreed upon with the data recipient; in practice, this will probably be done via data-sharing agreements. In this regard, Chapter IV contains a list of unfair terms related to data access and use between enterprises. Here, Art. 13 lists for instance unfair contractual terms unilaterally imposed on micro, small or medium-sized enterprises which are deemed to be invalid. Additionally, data holders shall not discriminate between comparable categories of data recipients. In any case, data-sharing obligations shall not require the disclosure of trade secrets. Art. 9 EDA allows data holders to demand a (monetary) compensation for making their data available as long as the compensation is reasonable. The remainder of the Act contains provisions on dispute settlement (Art. 10), technical protection measures to prevent unauthorised use or disclosure of data (Art. 11), the obligation to make data available to public sector bodies and Union institutions where the body demonstrates ‘an exceptional need to use the data requested’ (Chapter V), provisions on data sharing to facilitate switching between different data processing services (Chapter VI), provisions on international transfers of non-personal data to third states (Art. 27 EDA), interoperability of data spaces (Chapter VIII) and the implementation and enforcement of the Act (Chapter IX).
Interplay with the GDPR
The data coming within the scope of the EDA’s data-sharing and access obligations comprises non-personal as well as personal data. For the latter, the General Data Protection Regulation (GDPR) lays down strict rules under which data of EU citizens may be processed. In its recital 7, the EDA explicitly stipulates that it is “without prejudice to Union law on data protection and privacy”, in particular the GDPR. Additionally, the data-sharing obligations of Arts. 4-5 EDA explicitly demand that the sharing of personal data with a user who is not the data subject in relation to that data can only take place with the data subject’s consent or based on another legitimate basis provided for in the GDPR. However, how the sharing of data relating to such a third-party data subject will work in practice is still unclear.
To better understand this issue, one can for instance think about a self-driving car. These autonomous cars collect massive amounts of data, including passenger and owner information, location data and sensor data, much of which constitutes personal data in the sense of Art. 4(1) GDPR. The owner of such a car could theoretically demand access to this data for himself or for a chosen third party under the EDA. If this concerns data about his own person, he is deemed to be the data subject, and the transfer can be lawfully conducted under the GDPR based on his consent. However, as soon as he lends the car to a friend and personal data relating to the friend is generated, the owner is no longer the data subject in relation to this data. In this case, the data could only be accessed if the friend has consented to this access or another lawful basis under Arts. 6 or 9 GDPR applies. It becomes even more complicated where the personal data in question does not only relate to a friend of the car’s owner, but the car’s sensors have for instance recorded other bystanders in the surroundings of the car. Here again, if the owner requests access to personal data of which unknown bystanders are the data subjects, it is often impossible to obtain the consent of each of them. If no other applicable lawful basis can be found under the GDPR, the user cannot access the data. In addition, recital 24 EDA unambiguously specifies that the Act does not create a legal basis under the GDPR to make data available where the user is not the data subject. Hence, users cannot invoke Art. 6(1)(c) GDPR, according to which data can be processed where this is “necessary for compliance with a legal obligation to which the controller is subject”.
This leaves data holders in the difficult situation of properly assessing whether the data concerned constitutes personal data and, if so, whether there is a suitable legal basis under the GDPR to make the data available to the user or a designated third party. Access requests should be carefully reviewed, as companies otherwise risk being subjected to the high fines which supervisory authorities can impose for violations of the GDPR. Conversely, if a company unduly refuses access to data which could have been made available under the GDPR, it risks a fine under Art. 33(3) EDA, which allows for fines of a similar level to those under the GDPR. It remains to be seen whether the final version of the EDA better addresses its interplay with the GDPR or whether additional guidelines for the companies concerned will be adopted at the European level. In any case, the provisions of the EDA only become binding once it has been adopted in its final version and officially entered into force.