On 23 February 2022, the EU Commission proposed measures regulating the use and access of data, not being ‘personal data’ as understood by the GDPR, within the European Union across all economic sectors. The regulation of the use of data is essential given that data continues to be generated yet underutilised. The draft Regulation is to be read in conjunction with the EU’s Data Governance Act. The aim of the Data Act is to lay down common standards on the re-use of data across sectors. In this manner, the Act operates together with other legislation that has failed to address these issues entirely. Several obligations and common standards are also laid down in the Data Act to cater for unfair commercial practices together with the lack of data availability.
The Act makes certain data, which is often held solely by the manufacturers, available to users of connected and/or ‘smart’ devices, and allows them to share that data with third parties, providing users with more control over the data generated by them. Such data could include anything from how much water one’s washing machine uses to how worn out one’s tires get over the course of a week according to the device’s data gathering systems.
The Act also prevents contractual imbalances, assisting SMEs in gaining negotiation power in data sharing contracts. Accordingly, model contractual terms are set to be developed by the EU Commission to enable fair contractual negotiations. The Act also provides means, where this proves necessary, for public bodies to be able to access and use data found in the private sector in certain instances, for example in the exceptional cases of floods, wildfires, and the Covid-19 pandemic. Therefore, there are three stakeholders on which the Data Act has an impact, being: individuals and businesses, SMEs and governments.
There is also an interplay between the Data Act and the EU GDPR since they are both data-related legislation, though there are key divergences. The Data Act differs from the GDPR, primarily in that while the GDPR regulates solely personal data (data that can identify natural persons), the Data Act also regulates non-personal data, including almost any type of digitised information and this, whether or not the data is ‘anonymous’. Furthermore, although the GDPR introduced the right to data portability, such right requires further clarification as to its scope and it excludes non-personal data. Therefore, the Data Act adds new value to the right of data portability attributed to individuals under the GDPR. However, the Data Act remains in line with and complements the rules contained in the GDPR, meaning the GDPR itself will not be amended in any way.
Differing opinions have been expressed in relation to the Act, with some being optimistic that it will pave the way for new opportunities and greater use and access to data; and others questioning whether the measures and obligations laid down may interfere with good practice. Moving forward, stakeholders of the Data Act should continually follow the legislative developments closely to avoid any surprises at a later stage and to harness any new opportunities.
The Data Act is currently in the trialogue stage, being debated in the EU Parliament and Council and is likely to enter into force around mid-2024. The current text can be read here.