Data Act published by the European Commission

The EC has published its draft Data Act. The draft Data Act (which takes the form of a Regulation) clarifies who can create value from data (personal and non-personal) and under what conditions.  It is the second major legislative initiative of the European Strategy for Data and follows on from the Data Governance Act which creates the processes and structures to facilitate data sharing.

The Act is intended to unlock industrial data by giving business users access to data they contribute to creating, and giving individuals more control over all their data, not just personal data.  This is focused particularly on data created using connected devices and related services, for example voice assistants.  It is partially aimed at largescale manufacturers and service providers of IoT products who are likely to lose their data advantage to a degree.  Third party business users will not be able to use obtained data to develop directly competing products, but they will be able to use it to create other products and services.

The new rules will make more data available for reuse and are expected to create €270 billion of additional GDP by 2028.

The proposal for the Data Act includes:

• New rules allowing customers to effectively switch between different cloud data-processing services providers and putting in place safeguards against unlawful data transfer.
• Measures to allow users of connected devices to gain access to data generated by them, which is often exclusively harvested by manufacturers; and to share such data with third parties to provide aftermarket or other data-driven innovative services. It maintains incentives for manufacturers to continue investing in high-quality data generation, by covering their transfer-related costs and excluding use of shared data in direct competition with their product.
• Measures to rebalance negotiation power for SMEs by preventing abuse of contractual imbalances in data sharing contracts. The Data Act will shield them from unfair contractual terms imposed by a party with a significantly stronger bargaining position. The Commission will also develop model contractual terms in order to help such companies to draft and negotiate fair data-sharing contracts.
• Means for public sector bodies to access and use data held by the private sector that is necessary for exceptional circumstances, particularly in case of a public emergency, such as floods and wildfires, or to implement a legal mandate if data are not otherwise available. Data insights are needed to respond quickly and securely, while minimising the burden on businesses.

In addition, the Data Act reviews certain aspects of the Database Directive, which was created in the 1990s to protect investments in the structured presentation of data. Notably, it clarifies that databases containing data from Internet-of-Things (IoT) devices and objects should not be subject to separate legal protection. This will ensure they can be accessed and used.

Implementation and enforcement

Member States must designate supervisory authorities which will have powers to sanction non-compliance in line with GDPR-level fines for certain breaches.

The legislation now begins the path to approval and is expected to come into effect 12 months after coming into force