EU Data Act and Data Governance Act - cornerstones of new data ecosystems
11 January 2024
While the whole world is immersed in the fascination of ChatGPT and the hardly foreseeable effects of artificial intelligence (AI), the decisive foundations lie in the availability of large amounts of data for machine learning. What began with a debate about "data ownership" – which was rightly terminated at an early stage – has led to a broad framework of rules on data access and sharing of non-personal data as well as the role of intermediaries in data spaces under the heading of "data sovereignty".
The EU Data Act and the EU Data Governance Act are the cornerstones needed in order to create new data ecosystems beyond the dominant platform operators. As part of the European digital and data strategy, they stand alongside the Digital Markets Act (competitive regulation of gatekeepers), the Digital Services Act (content regulation of platform operators), the AI Regulation and the EU Directive on AI Liability. Businesses and institutions are facing far-reaching changes in the handling of data that go far beyond data protection law.
The Data Act entered into force on 11 January. The individual chapters of the Act will apply in stages from 12 September 2025 until full scope application on 12 September 2027. A large part of the Act will already apply from 12 September 2025, including the right for business users and consumers to access and share data from IoT devices.
The Data Act combines two fundamental objectives: (a) strengthening data sovereignty for commercial and private users of connected devices (IoT products) through transparency obligations for data holders and data access rights; and (b) opening up a data cycle through data sharing rights, in which small and medium-sized enterprises (SMEs) also participate and which increases innovation and value creation from data.
The EU is thus striving for an alternative to the platform-based data economy anchored in European values, which has so far been dominated by a few – predominantly non-European – "hyper-scalers". The "right to data portability" of the General Data Protection Regulation (GDPR) serves as a guiding principle, even if it has played a subordinate role in practice to date.
The Data Act applies extraterritorially to manufacturers of IoT products and data holders based outside the EU if the products and associated services are used within the EU. It applies across all sectors and explicitly lays the foundation for further sector-specific regulation. With the FIDA Regulation, the EU Commission presented the first draft of open data regulation in the financial sector immediately after the trilogue on the Data Act had ended (the final negotiations between the EU Parliament, EU Commission and the European Council on the Data Act). Increased transparency requirements and user control, including through "Financial Data Access Permission Dashboards", will trigger far-reaching changes in this area – independent of any IoT products.
At the centre of the Data Act is the legal relationship between the data holder by virtue of its de facto control over IoT data and the user of a connected product and recipient of related services. The Data Act strengthens the position of the user and gives him – beyond an existing contractual relationship – the right to access and be provided with "readily available data" in a common machine-readable format. Manufacturers must design and develop their IoT products to make available such data. The data access rights include the metadata, i.e. the descriptive elements of the raw data collected. Manufacturers, sellers or lessors of IoT products must inform the user about the type, quantity, personal use and availability of the collected data when the contract is concluded.
Certain restrictions apply if the user wishes to share this data with a third party. In particular, the third party may not use it to create competing IoT products. However, that third party is free to develop new, data-based services and products based on the shared data with the user's consent. This is the decisive regulatory step towards a diversified data economy: it moves beyond the linear, bilateral data usage and monetisation models of device manufacturers by giving the user wider control over that data.
The consequences of this "enabling regulation" are considerable: device manufacturers and other data holders must organise their data governance in a fundamentally different manner, and at the same time develop their data strategy beyond the mere data protection compliance and data security perspective. Companies focussed on innovation are already looking at the possibilities of proactively procuring IoT data and strategic alliances for data sharing.
One of the fundamental challenges, but also concerns of data holders, is the balance between access and sharing rights on the one hand and the protection of the data holder's trade secrets on the other. The Data Act deprives data holders of the opportunity to easily invoke (alleged) trade secrets as a defence against data access and data sharing claims. In principle, the data holder must also disclose such data that contains trade secrets. To this end, the data holder must precisely identify the data sets subject to trade secret protection and instruct the user on the necessary technical measures to protect the trade secrets when handing the data over. Only if the data holder can credibly demonstrate the risk of significant economic (irreparable) damage resulting from the disclosure of a trade secret may he refuse access to and release of the data in question. But that's not all: the data holder must notify the competent supervisory authority and give solid grounds for refusing to disclose the trade secret.
It remains to be seen whether this approach will be successful: SMEs in particular are considerably concerned about being exposed to unwanted transparency on their business processes (e.g. machine utilisation, efficient production processes, etc.) when confronted with data access claims. It is likely that only over time will court decisions on the extent of the trade secret defence provide more clarity on this issue.
The Data Act opens a new regulatory chapter on processing personal and non-personal IoT data. The GDPR applies if a natural person can be identified (e.g. the private user of connected products). The Data Act itself does not create a new legal basis for such processing of personal data. Rather, the data holder – as the data controller – must comply with all relevant obligations under the GDPR (including determining the suitable legal basis for data processing, information and documentation obligations, technical data protection, safeguarding the rights of data subjects, etc.). If a business user has asserted its data access claim against another company (B2B) and then wishes to share that data with a third party, that business user may end up in the role of a data controller for the personal data of the original data holder (e.g. end device data of its employees). As a consequence, the business user would need to bear all the consequences of GDPR compliance after such a controller-to-controller transfer (C2C), including establishing the proper legal basis of processing (e.g. consent, fulfilment of a contract with the data subject, legitimate interest or other justifications).
As part of its future data strategy, every company will need to consider its approach towards licensing-in and licensing-out data ("inbound" and "outbound"), be it in the role of a user of IoT devices asserting data access claims ("inbound") and enabling a transfer of such data to third parties ("outbound"), or in the role of a data holder that is exposed to data access and sharing claims and must make IoT data available to third parties at the request of the user.
The data holder is subject to the general obligation of non-discriminatory data sharing (FRAND principles) and may demand appropriate remuneration in the B2B area to cover costs plus a profit margin. When sharing data with other companies (B2B), the data holder must observe a catalogue of rules on inadmissible, unilaterally imposed contractual clauses, which serve to implement general fairness rules for data licensing, including questions of liability and warranty for poor data quality, as well as termination rules. Those who are familiar with the German law on general terms and conditions will recognise these restrictions on contractual clauses. That said, it is questionable whether those rules of civil contract law for the B2B sector actually fall within the regulatory competence of the EU Commission. Disputes about the constitutionality of these provisions in the Data Act seem inevitable.
Irrespective of its reference to IoT products, the Data Act also regulates the issue of changing providers of "data processing services" (not to be confused with the role of data processors under the GDPR that act on behalf of the data controller). Detailed rules are aimed at reducing the "lock-in" effects that the EU Commission believes have arisen due to technical, contractual and economic parameters to the detriment of customers. Providers of cloud services must prepare to fulfil additional obligations as regards providing the right information, as well as meeting the technical and contractual requirements to provide data hosted in a cloud environment so as to actively support the customer switching to a competitor, for no more than a compensation covering reasonable costs ("egress charges"). Again, this part of the Data Act is bound to bring profound change for both the major providers and the specialised niche providers of cloud services.
The Data Act aligns with the GDPR's regulatory approach of having national supervisory authorities and a European body (the European Data Innovation Board) to supervise, interpret and enforce the regulation. The establishment of separate supervisory authorities is not trivial. In contrast to the GDPR, which was based on the EU Data Protection Directive and the established supervisory authority framework, new expertise must be built up, including expertise in contract law. The extension of data protection authority powers (as indicated by some Member States such as Germany) will require a considerable "mind shift" in Member States that pursue a very restrictive, limiting regulatory approach in order to make the shift to an enabling practice ("from restricting to enabling").
The European Data Innovation Board will act as a coordination body between the national supervisory authorities and in support of the EU Commission in the development of legislation. It will issue guidelines and recommendations on law enforcement, the development of implementation measures, certifications, smart contracts for data exchange and reasonable costs for cloud switching as well as interoperability standards in the area of European data spaces. This will soon require considerable legal and non-legal expertise in data economy issues, the combination of which has so far been scarce on the market.
In addition, the Data Act provides a particularly interesting dispute settlement procedure. Member States will set up certified dispute settlement bodies. They will be available to data holders, users and third-party recipients of IoT data in the event of disputes over access and sharing rights, as well as cloud service providers and customers in the event of disputes over switching to another cloud provider. The dispute settlement bodies must issue their decision within 90 days, including the reasons for their decisions and an award on the costs of proceedings, after hearing the parties and written submissions. Decisions are binding if the parties have mutually agreed to this at the beginning of the proceedings. However, these dispute settlement proceedings do not preclude recourse before ordinary courts or other arbitral panels – in which case the dispute settlement body could reject taking a case. The dispute settlement bodies will publish annual experience reports, including any recommendations on dispute avoidance and best practices. This highly innovative approach is important for the interpretation of the law and to quickly reach practical experience in solving conflicts under this entirely new, unprecedented piece of legislation. It is to be hoped that data holders, users and third parties will make strong use of this mechanism, in order to rapidly develop legal practice and precedents on a broader basis.
In an effort to find viable alternatives to the platform economy, the EU Commission proclaimed its Data Space Strategy in 2020. In this strategy, data intermediaries play a central role in realising data sovereignty for data providers and data users in decentralised network structures. The Data Governance Act addresses this by way of a "soft regulation" in that data intermediaries must register with the competent authorities (no authorisation requirement). They must ensure sufficient independence within the scope of their activities and may not themselves engage in any data analysis or commercialisation of data beyond the provision of technical services to maintain the data space and the services offered therein.
Catena-X is the first reference model that implements the principle of data sovereignty through decentralised, platform-independent data exchange models in accordance with the principles of the International Data Spaces Association and Gaia-X. Manufacturing-X could follow suit. The planned regulation on a European data space for health data and the Health Data Utilisation Act show that an exciting development lies ahead for data spaces, with a considerable need for design and inevitable potential for disputes in the future.
Dr Alexander Duisberg, Partner in the Digital Economy department at Ashurst LLP, is a legal expert on issues relating to digitalisation and the data economy. He has repeatedly taken part in expert hearings organised by the EU Commission on the EU's Digital Strategy.