DATA ACT: legal and strategic implications

Reports, 22 July 2025
The Data Act will transform Europe's digital ecosystem, imposing new obligations for access, exchange and protection of data in connected products and related services.

The Data Act complements the Data Governance Act to provide legal clarity in relation to access to and use of data; together, these two pieces of legislation contribute to the consolidation of a single market for data in the European Union (EU). The Data Act is also closely related to other pieces of European legislation such as the Digital Services Act (DSA) and, in particular, the General Data Protection Regulation (GDPR), as its scope covers both personal and non-personal data.


1. Purpose and scope of the Data Act

The Data Act has an ambitious purpose: to increase competitiveness, innovation and sustainable economic growth within the EU digital ecosystem through the adoption of a framework for data exchange and interoperability between businesses, users and public bodies.

To achieve this goal, the Data Act focuses on the use, retention and sharing of data derived primarily from the use by businesses and individuals of connected products and the internet of things (IoT) network.

The increased availability of data generated by these technologies enables manufacturers and designers to develop new connected products, refine existing ones, and create related services based on those products. For example, by launching a device to measure sports data, such as a smart watch, services related to the data generated by that device can emerge, such as health monitoring applications.

In this way, the implementation of the Data Act will have a major impact on the activity of companies operating in the digital economy, as they must take into account a series of measures and obligations to use and share data generated through the design, manufacture, marketing and use of connected products and related services, including virtual assistants.

However, the Data Act provides a relevant exemption for micro and small enterprises acting as manufacturers or suppliers of connected products or related services, provided that they are not linked to a medium or large enterprise. In these cases, such organisations will not be obliged to provide access to the data generated by such products or services. In the case of medium-sized companies, the Data Act provides for a temporary exemption, limited to the first year after ceasing to be an SME, and provided that they meet certain additional requirements.

Under this premise, the Data Act distinguishes between the roles of "data controller" and "recipient", attributing to the former the right or obligation to provide access to the data and to the latter the status of legitimate recipient of the data.

For the purposes of the Data Act, a data recipient may be a natural or legal person, a consumer, a public body or a non-profit organisation.

On the other hand, a user, as defined in the Data Act, is a natural or legal person who owns a connected product or to whom temporary rights of use of that connected product have been transferred by contract, or who receives related services.

In addition, the Data Act establishes a number of safeguards to protect data generated, used and shared within its scope, regardless of whether it is personal or non-personal data. These measures not only seek to safeguard the right to the protection of personal data of individuals, but are also intended to protect the confidentiality and trade secrets of companies, especially in scenarios of forced data sharing.

In relation to these guarantees, the Data Act establishes that any data processing (i.e. any operation, automatic or otherwise, involving use, communication, storage, modification, etc.) through which a natural person can be identified must be carried out in accordance with the GDPR, which will prevail in the event of a conflict between the two rules (Art. 1.5 of the Data Act). It also expressly recognises in favour of the data subject the right to implement appropriate technical and organisational measures to prevent unauthorised access to the data, including metadata, as well as to prevent the recipients of the data from modifying or removing such security measures.

In parallel, the Data Act limits the use that data recipients can make of the information received, expressly prohibiting its use to develop products that compete with those of the data subject, unless expressly authorised. These provisions respond to the objective of avoiding an imbalance in competition and ensuring an environment of trust and legal certainty in the European digital ecosystem.

The Data Act also seeks to make it easier for users to switch between data processing service providers (especially in cloud computing environments) and to promote technical and legal interoperability in data flows within the internal market. Furthermore, limitations on the abusive use of contractual clauses imposed by a dominant party, especially to the detriment of SMEs, are established to ensure fair and non-discriminatory contractual relations.

The Data Act clarifies that its application does not imply the recognition of an automatic subjective right in favour of the data subject to use the information generated by the use of a connected product or a related service, unless this derives from the applicable law or an express contractual agreement.

Finally, in certain exceptional circumstances, the Data Act empowers public sector bodies to request access to data held by private entities, provided that such data are necessary for the performance of a specific task carried out in the public interest and/or in case of public emergency. This power should be interpreted restrictively and is subject to the principle of proportionality.


2. Key measures of the Data Act

In line with the purpose and objectives pursued, the Data Act provides for the regulation of the following main issues:

  • Business-to-business data sharing at the request of consumers: sets out the measures through which users of a connected product (whether natural or legal persons) can access, use and carry the data they generate through the use of the connected product or a related service.
  • Mandatory business-to-business data sharing: the Data Act sets out the rules to govern situations in which a business, as "data owner", has an obligation to make data under its ownership available to another business ("data recipient"), including the provision of reasonable compensation for these communications.
  • Exchange of data between companies and public administrations: the rule regulates the provision of data by data owners to public sector bodies, so that public bodies may obtain, in specific cases and under certain conditions, essential data when an exceptional situation or public emergency arises. It also lays down rules and safeguards for requests for access by a foreign public sector body to non-personal data held in the European Union.
  • Make it easier for customers of digital services (especially cloud services) to switch between data processing services without barriers or associated costs. This sets out minimum requirements for the content of contracts with service providers that allow access to ubiquitous and on-demand networks.
  • Establish measures to protect businesses (in particular SMEs) from non-negotiated or abusive contract terms imposed by companies in a stronger bargaining position in relation to data access and use. To this end, the Data Act adopts a non-exhaustive list of terms that are always considered unfair and terms that are presumed to be unfair, which will have to be reviewed by the entity that imposed the term to demonstrate that they are not unfair.
  • Development of interoperability standards to facilitate access, transfer and use of data and thereby strengthen the flow of data, encourage research and development of new related products and services.
  • Introduction of safeguards against unlawful access by third parties to non-personal data, which apply to any private sector data held in the territory of the European Union, including data processed by data processing service providers.
  • Although the Data Act does not directly establish a uniform EU-wide sanctions regime, it obliges Member States to lay down rules on offences and penalties for non-compliance with the Data Act, which must be effective, proportionate and dissuasive. This implies that companies could face inspections, injunctions or financial penalties depending on the degree of non-compliance.

3. Practical application of the Data Act

The Data Act is a dense regulation with a high technical content, so its deployment and implementation require structured planning and a cross-cutting approach in organisations whose business is affected by its provisions.

Ultimately, the implementation of the Data Act will require organisations within its scope to undertake strategic planning for its implementation, an early review of their contractual relationships and a progressive reconfiguration of their data-driven business models.

Information note written by the Intellectual Property area of ECIJA Madrid.
