European Commission Proposes Legislation Facilitating Data Access and Sharing
On February 23, 2022, the European Commission ("Commission") published a proposal for a Data Act which aims at enhancing data access and use within the European Union ("EU").
The Data Act will be applicable to both personal and non-personal data, and will be relevant for all companies generating, holding, or transferring data in the EU, in particular in the Internet of Things ("IoT") context or for Artificial Intelligence applications.
In a nutshell, the proposed Data Act seeks to:
- Facilitate access to and use of data by businesses and consumers, while preserving incentives to invest: Business and consumers must have access to data generated by the product/services they own, rent, or lease (e.g., when using virtual assistants or IoT connected devices). Such access should be integrated by default in products/services, and the data must be provided directly or upon request, free of charge and in a timely manner (where applicable continuously and in real-time). There is also an obligation for data holders to port data to a third party authorized by the users, but for digital gatekeepers under the Digital Market Act. The Data Act also set up the access conditions and compensation principles in case of data porting obligations (under the Data Act or pursuant to specific sectorial data access regulations).
- Prevent unfair contract terms for data sharing imposed on SMEs, such as inappropriate liability restrictions, remedies limitations, unilateral contract interpretation and termination, restrictions to the data usages, etc.
- Ensure easy switching between cloud, edge, and other data processing services, through mandatory contractual terms (e.g., ensuring a transition period of maximum 30 days), the gradual withdrawal of switching charges, and technical equivalence.
- Provide for safeguards against unlawful data transfer/access by non-EEA governments, requiring justifications for transfers such as the existence of mutual legal assistance treaty, appropriate review by courts, and user notification.
- Review the Database Directive to exclude machine-generated data from its protection.
- Provide for the access by public sector bodies and EU institutions of data held by enterprises in emergency and other exceptional situations.
- Provide for the development of interoperability standards for data to be reused between sectors/data spaces, and minimal requirements for smart contracts for data sharing.
The proposal must now be adopted by the European Parliament and EU Member States. If adopted, the Data Act will be a Regulation directly applicable in the entire EU, 12 months after its entry into force. It will be enforced by national regulators with the ability to impose fines.