The European Data Act
What is the European Data Act?
The European Data Act makes more data available for use, and sets up rules on who can use and access what data for which purposes across all economic sectors in the EU.
According to Article 1, Subject matter and scope (proposal 23.2.2022):
1. This Regulation lays down harmonised rules on making data generated by the use of a product or related service available to the user of that product or service, on the making data available by data holders to data recipients, and on the making data available by data holders to public sector bodies or Union institutions, agencies or bodies, where there is an exceptional need, for the performance of a task carried out in the public interest:
2.This Regulation applies to:
(a) manufacturers of products and suppliers of related services placed on the market in the Union and the users of such products or services;
(b) data holders that make data available to data recipients in the Union;
(c) data recipients in the Union to whom data are made available;
(d) public sector bodies and Union institutions, agencies or bodies that request data holders to make data available where there is an exceptional need to that data for the performance of a task carried out in the public interest and the data holders that provide those data in response to such request;
(e) providers of data processing services offering such services to customers in the Union.
Understanding the European Data Act.
The volume of data generated by humans and machines has been increasing exponentially. Unfortunately, most data are unused, or are collected by a few large companies. Low trust, conflicting economic incentives and technological obstacles impede the full realisation of the potential of data-driven innovation. It is crucial for the EU to unlock such potential by providing opportunities for the reuse of data, and removing barriers to the development of the European data economy. This is in line with the mission of the EU to reduce the digital divide, so that everyone benefits from these opportunities. Ensuring greater balance in the distribution of the value from data in step with the new wave of non-personal industrial data and the proliferation of products connected to the Internet of Things means there is enormous potential for boosting a sustainable data economy in Europe.
The Data Act was the next logical step after the European Data Governance Act. It is the second main legislative initiative following the February 2020 European strategy for data, which makes the EU a leader in the data-driven society.
The Data Governance Act, presented in November 2020 and agreed by co-legislators in November 2021, creates the processes and structures to facilitate data sharing by companies, individuals and the public sector. The Data Act clarifies who can create value from data and under which conditions. The Data Act removes barriers to access data, for both the private and the public sector, while preserving incentives to invest in data generation by ensuring a balanced control over the data for its creators.
When we buy a ‘traditional' product, we acquire all parts and accessories of that product. However, when we buy a connected product (e.g. a smart home appliance or smart industrial machinery) generating data, it is often not clear who can do what with the data. Or it may be stipulated in the contract that all data generated is exclusively harvested and used by the manufacturer.
The Data Act gives individuals and businesses more control over their data through a reinforced data portability right, copying or transferring data easily from across different services, where the data are generated through smart objects, machines and devices. For example, a car or machinery owner could choose to share data generated by their use with its insurance company. Such data, aggregated from multiple users, could also help to develop or improve other digital services, e.g. regarding traffic, or areas at high risk of accidents.
It will be easier to transfer data to and between service providers and this will encourage more actors, including SMEs, to participate in the data economy.
For example, aftermarket service providers will be able to improve and innovate their services and compete on an equal footing with comparable services offered by manufacturers. Therefore, users of connected products (including consumers, farmers, airlines, construction companies or owners of buildings) could opt for a cheaper repair and maintenance provider (or maintain and repair themselves) and benefit from lower prices on that market. This could extend the lifespan of connected products, thereby contributing to the Green Deal objectives.
Also, availability of data about the functioning of industrial equipment will allow factories, farms or construction companies to optimise operational cycles, production lines and supply chain management, including based on machine-learning.
In precision agriculture, IoT analytics of data from connected equipment can help farmers analyse real time data like weather, temperature, moisture, or GPS signals and provide insights on how to optimise and increase yield, improve farm planning and make smarter decisions about the level of resources needed.
Increased business and manufacturing efficiency should lead to a reduction of waste, energy consumption and CO2 emissions.
The Data Act unlocks the value of data from private companies in exceptional situations of high public interest, such as floods or wildfires. The current data access mechanisms by the public sector are inefficient or non-existent in public emergency situations. With the new rules, there will be an obligation on businesses to provide certain data, under key conditions (which businesses can enforce in case of abuse).
If the data is necessary to address a public emergency, it will be provided for free. In other situations: to prevent or recover from a public emergency, or to fulfil a public-interest mandate imposed by law -- the data holder may request compensation. It should greatly improve evidence-based decision-making, in particular effective and rapid response to crises, such as floods and wildfires.
For example, during the COVID-19 pandemic, aggregated and anonymised location data from mobile network operators was essential for analysing the correlation of mobility and the spread of the virus, including informing early warning systems for new outbreaks and taking the right measures to combat the crisis.
The Data Act also improves the conditions under which businesses and consumers can use cloud and edge services in the EU. It becomes easier to move data and applications (from private photo archives to entire business administrations) from one provider to another without incurring any costs, because of new contractual obligations that the proposal presents for cloud providers, and a new standardisation framework for data and cloud interoperability.
In addition, the Data Act raises trust by introducing mandatory safeguards to protect data held on cloud infrastructures in the EU. This will avoid unlawful access by non-EU/EEA governments. With these measures, the Data Act supports cloud adoption in Europe, which in turn stimulates efficient data sharing within and across sectors.
8 December 2022 - New compromise text on the Data Act.
The new compromise text on the Data Act, circulated on Thursday (8 December), introduces significant changes to the part intended to facilitate the switching from one cloud provider to the other.
The Czech presidency of the EU Council did not manage to broker a common position on the file at a ministerial meeting on Tuesday but worked on a new compromise text to address some of the outstanding issues.
23 February 2022 - We have the text of the Proposal on harmonised rules on fair access to and use of data (Data Act).
The proposal’s objectives are:
1. Facilitate access to and the use of data by consumers and businesses, while preserving incentives to invest in ways of generating value through data. This includes increasing legal certainty around the sharing of data obtained from or generated by the use of products or related services, as well as operationalising rules to ensure fairness in data sharing contracts. The proposal clarifies the application of relevant rights under Directive 96/9/EC on the legal protection of databases (the Database Directive) 9 to its provisions.
2. Provide for the use by public sector bodies and Union institutions, agencies or bodies of data held by enterprises in certain situations where there is an exceptional data need. This primarily concerns public emergencies, but also other exceptional situations where compulsory business-to-government data sharing is justified, in order to support evidence-based, effective, efficient, and performance-driven public policies and services.
3. Facilitate switching between cloud and edge services. Access to competitive and interoperable data processing services is a precondition for a flourishing data economy, in which data can be shared easily within and across sectoral ecosystems. The level of trust in data processing services determines the uptake of such services by users across sectors of the economy.
4. Put in place safeguards against unlawful data transfer without notification by cloud service providers. This is because concerns have been raised about non-EU/European Economic Area (EEA) governments’ unlawful access to data. Such safeguards should further enhance trust in the data processing services that increasingly underpin the European data economy.
5. Provide for the development of interoperability standards for data to be reused between sectors, in a bid to remove barriers to data sharing across domain-specific common European data spaces, in consistency with sectoral interoperability requirements, and between other data that are not within the scope of a specific common European data space. The proposal also supports the setting of standards for 'smart contracts’. These are computer programs on electronic ledgers that execute and settle transactions based on pre-determined conditions. They have the potential to provide data holders and data recipients with guarantees that conditions for sharing data are respected.
The European Data Act and its connection to other directives and regulations.
The European Data Act is consistent with existing rules on the processing of personal data, including the General Data Protection Regulation (‘GDPR’), and protecting the private life and the confidentiality of communications, as well as any (personal and non-personal) data stored in and accessed from terminal equipment (the ePrivacy Directive), that will be replaced by the ePrivacy Regulation currently the subject of legislative negotiations. This proposal complements existing rights, specifically rights regarding data generated by a user’s product connected to a publicly available electronic communications network.
The Free Flow of Non-Personal Data Regulation put in place a key building block of the European data economy, by ensuring that non-personal data can be stored, processed and transferred anywhere in the Union. It also presented a self-regulatory approach to the problem of ‘vendor lock-in’ at the level of providers of data processing services, by introducing codes of conduct to facilitate switching data between cloud services (the industry-developed ‘Switching Cloud Providers and Porting Data (SWIPO)’ Codes of Conduct). The European Data Act further builds on this, helping businesses and citizens to make the most of the right to switch cloud providers and port data. It is also fully consistent with the Unfair Contract Terms Directive as regards contract law. With regard to cloud services, as the self-regulatory approach seems not to have affected market dynamics significantly, this proposal presents a regulatory approach to the problem highlighted in the Free Flow of Non-Personal Data Regulation.
The Database Directive protects databases that have been created as a result of a substantial investment, even if the database itself is not an original intellectual creation protected by copyright. Building on the substantial amount of case-law interpreting the provisions of the Database Directive, the European Data Act addresses ongoing legal uncertainties about whether databases containing data generated or obtained by the use of products or related services, such as sensors, or other types of machine-generated data, would be entitled to such protection.
The Platform to Business Regulation imposes transparency obligations, requiring platforms to describe for business users the data generated from the provision of the service.
The Open Data Directive sets out minimum rules on the re-use of data held by the public sector and of publicly funded research data made publicly available through repositories.
The Interoperable Europe initiative seeks to introduce a cooperative interoperability policy for a modernised public sector.
The European Data Act complements the Data Governance Act, which aims to facilitate the voluntary sharing of data by individuals and businesses and harmonises conditions for the use of certain public sector data, without altering material rights on the data or established data access and usage rights.
The European Data Act complements the proposal for a Digital Markets Act, which requires certain providers of core platform services identified as ‘gatekeepers’ to provide, inter alia, more effective portability of data generated through business and end users’ activities.
Contact us
Cyber Risk GmbH
Dammstrasse 16
8810 Horgen
Tel: +41 79 505 89 60
Email: george.lekatis@cyber-risk-gmbh.com
Web: https://www.cyber-risk-gmbh.com
We process and store data in compliance with both, the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR). The service provider is Hostpoint. The servers are located in the Interxion data center in Zürich, the data is saved exclusively in Switzerland, and the support, development and administration activities are also based entirely in Switzerland.
Understanding Cybersecurity in the European Union.
2. The European Cyber Resilience Act
3. The Digital Operational Resilience Act (DORA)
4. The Critical Entities Resilience Directive (CER)
5. The Digital Services Act (DSA)
6. The Digital Markets Act (DMA)
7. The European Health Data Space (EHDS)
10. European Data Governance Act (DGA)
11. The Artificial Intelligence Act
12. The European ePrivacy Regulation
13. The European Cyber Defence Policy