Ashurst Data Bytes 2: How UK's Data (Use and Access) Act and the EU Data Act are approaching smart data schemes

Rhiannon:

Hello, I'm Rhiannon Webster, partner and head of data at Ashurst. Welcome back to our Ashurst Data Bytes podcast, on the Data Use and Access Act series where today we're going to do a deeper dive into looking at how the Act regulates non-personal data, in particular through the framework, it's setting up the smart data schemes.

So it's right at the beginning of the Act, part one, and it introduces the concepts of customer data and business data and sets out the framework in the form of a "smart data scheme" under which such data can be shared and received for the customer themselves, or authorised third-party recipients at the customer's request.

These obligations will come into effect under secondary legislation introduced by the Secretary of State for Treasury. It's just a framework for the moment.

Smart data schemes are seen by the UK government as a way to increase competition and create greater opportunities for innovation, save time for consumers, reduce costs, and increase the quality of services. They also look to improve the security of data sharing and increase the trust in data sharing mechanisms.

To bring it to life, open banking is an example of a smart data scheme that already operates in the UK. Open banking enables UK consumers and businesses to permit authorised third-parties to access their banking data in order to provide them with financial services. And the UK government hopes that this new legislation will extend that success with that smart data model and be used beyond the open banking sector.

So for our European listeners, the concept of a scheme which extends to business data has immediate parallels to the EU Data Act. So on that note, I'd like to welcome Alex Duisberg, who is a partner in our Munich office and our resident Ashurst expert on the EU Data Act. Welcome Alex. Thanks for joining us today. Could you tell us a little bit more about the Data Act, what it governs and what it doesn't?

Alex:

Yes. Well, the Data Act actually is in place already since 11 January 2024, and will go live in terms of the obligations in 12 September 2025, so really just in two months from now.
The core of the Data Act is actually focusing on regulation which enables users of connected products to access data that tends to be in the hands of the so-called data holders, which are those who have control over these connected products. So at heart, the Data Act is actually giving rights to users of these products, allowing them to access that data and actually share it also with third-parties. And the intent of the regulation is to that way unleash the potential of data out of IoT products.

Rhiannon:

So the first point of difference that has struck me is that that is specific to connected products, whereas the UK legislation looks like it could go much wider and could apply to all different sectors and all different types of services. And it seems to me, but Alex, I welcome your thoughts on this too, that this has mirrors with our approach to AI regulation too. So in the EU we have the AI Act, which is a technology-specific legislation which goes across all different sectors, whereas here in the UK our Government is committed to doing sector by sector-based adoption, to the extent it's needed, to regulate AI.

Alex:

Yeah, I think that's right. And it's an interesting observation that the European regulator has set up with the Data Act and likewise with the AI Act, but with the Data Act a basis of if you like horizontal regulation, which goes across all sectors, it lays out fundamental principles of data access and data sharing. It does also complement the regulation also by certain rights around cloud switching, which are not necessarily connected to IoT products.

However, with those principles, yes it is tied to a certain appearance of technology and then with that it is intending to cover all sectors. It is to be said that the EU Commission has announced that they will be potentially developing sector-specific secondary legislation or guidance such as for example, for the automotive sector. But that's still to be seen to come through.

Rhiannon:

Oh, interesting. So it could be following a UK approach after all.

Alex:

Or the other way around.

Rhiannon:

Or the other way around.

Yeah. So I thought it might be helpful for our listeners if we did a walkthrough and a comparison of some of the key provisions in the Data Use and Access Act as against the EU Data Act.
So from my reading of the framework, there's going to be an obligation to make data accessible to users. So there's concept of data holders who will maybe asked to produce, collect or retain customer data or business data and to make changes to customer data, including rectification of customer data at the customer's request. And also the regulations may allow, so the secondary legislation, may allow data holders to charge fees to meet expenses occurred by them in complying with the scheme, but the Bill doesn't, or sorry, the Act now does not expressly deal with circumstances in which a data holder may refuse to provide customer data or business data. But it does envisage that this could be specified in applicable regulation. Is that similar to the Data Act?

Alex:

Yes, I think it is. So I mean the Data Act itself is very explicit, very extensive also in the, if you like, totality of its provisions. At heart, yes, the data access right obliges the data holder to make available the so-called readily available data. So what falls in its hands by virtue of the user using the product and beyond that gives them the user the right also to share that data with a third-party. The access to the data is free of charge for the user. When it comes to the data sharing with a third-party, then the data holder may also charge a fee, but a fee which is not intended to be like a endorsed data monetization, it's more about recovering the cost and ensuring a certain margin on top for the data holder. So this actually in the Act itself already quite prescriptive. And yes, there are other explanations. The EU Commission has come up with an FAQ document, which is kind of trying to give guidance on how to interpret this. There will be also potentially further regulatory guidance coming through.

But I would say what is in the EU legislation intentionally left to secondary legislation to a larger extent is already contained in the EU Data Act.

Rhiannon:

Am I right that there's an exemption for trade secrets under the Data Act?

Alex:

That's right. There are certain, let's say "checks and balances" built into the legislation and one is around trade secrets. Now historically in the whole legislative process, to which I was involved in a couple of hearings, there was great concern of the data holders (particularly in the industrial environment, so machinery, toolmakers, automotive manufacturers) that the level of transparency of data and what's going on in the systems of the data holder could easily cross the border to forcing the data holder to disclose trade secrets. And the way it's been solved in the Data Act is actually, if you like, not so strongly in favour of trade secrets so the exemption is not a very strong exemption. What the wording says, what the text says is that if, and to the extent a data holder can actually claim trade secret protection, which there are a couple of thresholds to meet under the EU trade secret regulation, then still the data holder will need to disclose this data, which may contain trade secrets, to the user subject to additional safeguards on disclosure obligations and so forth.

The test for the data holder to actually refuse disclosure of the data is that he would suffer irreparable harm by disclosing that information. So ultimately, we will still need to see in which cases the trade secret defence is a hard one or not, and there are a couple of additional conditions that would need to be met in that context.
So at the end of the day, those who are hoping to deny data access based on trade secrets need to look into the legislation very carefully and I wouldn't be over optimistic that that type of defence is successful.

Rhiannon:

I think the UK government are envisaging something similar under the secondary legislation in the UK, because it does say that in the secondary legislation, the Secretary of State for the Treasury must have regards to the effect of a proposed smart data scheme on data holders and the likely effect on innovation and competition in the market. So I think it's conceivable that the regulations could deal with the protection of data holders' trade secrets, but I heed your warning that I think it's probably going to be interpreted very narrowly.

Alex:

Now, two further limitations, which are interesting also to mention, which are in the Data Act itself, which regard the usage of the data.

And so there are two restrictions which are notable.

One is that the user may not use the data for himself or also by sharing it with third-party to develop a competing competitive product. So if I am a user of a connective vehicle, the vehicle's obviously nothing else, then an IoT product, I have access to that data from the car. And assuming I'm not a private consumer who would probably not think about this, but if I were some kind of a business user, I may not use that information to construct another car to put it as simplified terms. And at the same time I may not share that information with a third-party who would have that interest. That's one limitation.

The other one is also interesting, which ties into the wider picture of EU legislation that I may not share that data with a so-called gatekeeper on the Digital Markets Act, which are the common hyperscalers we know. So the very large platform operators which are accumulating data as part of the business model will not benefit directly or indirectly under this data access sharing right under the Data Act.

Rhiannon:

And again, I think I see that reflected, well, going to be potentially reflected in that obligation for the secondary legislation to consider the likely effects on the innovation and competition in the market aI expect that the drafters and that those coming up with the smart data schemes will be looking to the EU for inspiration on those exceptions.

So moving on, the regulations established that the smart data scheme may require data holders to provide data to third-parties that are authorised by customers to receive the data. And those third-parties may be required by applicable regulations to receive the data using specified means. We see that by APIs. And in compliance with specified standards or to establish an interface body. I understand Alex, it's very similar under the Data Act. Is that the case?

Alex:

Yes. I think even the Data Act is probably more prescriptive even. So yes, it does lay out conditions under which the data holders made data available to not only the user but also to the third-parties. And indeed the whole basis of these, if you like data access and data sharing rights are obviously then certain contracts under which the data will be shared. And so the way the regulation works is defining or setting certain requirements on these contractual conditions. And to the extent, and I find it's quite far-reaching that we see in the field of data holders sharing or affecting the data sharing with interested third-parties, so in my automotive example, you may or may not be aware of the telematics insurance example where user leverages the data access right against the car manufacturer to hand over the data to the insurer. In that scenario, the Data Act actually sets out clear contractual requirements on what must be in the agreement and particularly also certain clauses which need to be avoided. So to actually establish let's say fair and non-discriminatory data usage clauses in those types of agreements.

So in that sense, the Data Act is quite precise and will be interesting to see how far UK secondary legislation goes. There's been so much debate in developing the Data Act that the outcome is very, very detailed and we'll see how well that actually works in practice. But what we're also seeing in that context is that there are also already model contract clauses that the EU Commission has been developing to help data holders and users write proper data usage agreements.

Rhiannon:

I'm going to be very interested about that contract point, because I understood that the Data Act has got quite prescriptive contract requirements and there doesn't seem to be any hint of that in the current drafting under the Data Use and Access Act. Obviously it could come in the smart data schemes themselves, but it's not being envisaged at the moment.

And I think the other prescriptive thing I wanted to touch on is the transparency requirements. So it does look like that the smart data schemes will require data holders or third-party recipients to publish specified information, including information about rights of customers and about the activities carried out by data holders or third-parties. Is there anything in the Data Act that you think could be used for inspiration there?

Alex:

Yes, very much so. I think that the Data Act is very clear on the information that the data holders need to provide to the users, if you like, upfront. So in any kind of sales agreement, lease agreement, whatever type of agreement under which a connected product is actually made available to the user, it comes along with these information obligations: when and how and where the data is accessible; whether it is available in real-time; which is a very important aspect going further down. So if the data holder has access to the data in real-time, he must treat the user at par level and also provide that data access in real-time. So this type of information all goes into, if you like, mandatory information duties that the data holder needs to fulfil. The concept is kind of similar to what we know from GDPR, right? So it's not just waiting and sitting for the data subject to raise the claim, but it's proactive obligation for GDPR (for the controller), under the Data Act (the data holder) to inform the user about the availability of data.

Rhiannon:

Interesting. I wonder whether that will then be folded into privacy notices or whether they'll be separate notices then for these smart data schemes.

Alex:

The parties are free to choose and the data holder might just complement their privacy notices by that additional information. It's of course very important to be aware of that the Data Act deals with personal and non-personal data. Maybe the emphasis is actually on the non-personal data side of it. So a privacy notice per se might be slightly limited or also misleading, because people would just expect those rightfully to deal with personal data, whereas the Data Act is in that sense much wider.

Rhiannon:

Yes, it calls for a different notice, a different type of notice.

One final question for you Alex, because I know that you are very busy at the moment helping companies in Europe preparing to implement the Data Act. So can you just give us a brief overview of what companies are doing, how you're helping them, and what UK companies could in time learn from that implementation process?

Alex:

Yeah, thank you. I think it's a very, very interesting task and starting with in-house counsel, which are typically direct counterparts, we're seeing and we're very aware of that this goes in different stages.

The first stage is of course the awareness side of it. So really building out the knowledge on the client side of what it implies.

The second, let's say dimension to this is understanding that the Data Act is not just a compliance exercise. In that sense, it's very much also about data strategy and business opportunities, because anyone who is genuinely on the side of a data holder can also think about scenarios where they themselves are also users versus other data holders. So there is this strategic side to it and then it goes very much into setting up interdisciplinary teams, because you have reaches onto the, if you like, pure compliance side, which may be sitting close to those who are dealing with personal data, so GDPR compliance plus X.

You do have very much the contractual side, which can be a commercial contractual side in the legal department you have a very strong impact and interface with those who are dealing with IP, in particular the trade secrets we mentioned. You have an essential part of your Data Act readiness programme to speak with those who are in charge of product development, because they are the ones who need to design their products to be ready to comply with the Data Act in the future. And you have all sorts of other aspects like cyber security: so making sure that the data is also safe and secure; that it is made available; all these interfaces are set up. So in that sense we find that typically there's a very new and interesting role for legal counsel who needs to interact with many different stakeholders in the organisation. We also find that these projects need a senior executive lead, so an understanding that this is important, that this is about opportunity as well as also compliance. And then it becomes a very interesting journey.

I think the real challenge is that the go live date of 12 September is so close in the near future and many, many companies are just starting to shape their mind of how this could work.

Rhiannon:

Thank you, Alex. That was super-insightful and I expect there'll be lots that we can learn from you and in similar teams as these smart data schemes come into force in the UK.
And just reflecting what you're saying about data lawyers, I mean from my experience, data lawyers used to be just privacy lawyers, now they're AI lawyers and I think now they're going to have to grasp the obligations of smart data schemes as well. So it's a true multidisciplinary data lawyer breed that's coming to the fore and I think this new legislation will make that even more.

Alex:

Thank you very much, Rhiannon. It's been a real pleasure and I would say it's huge opportunity for those involved and interested in delving into this new topic. Even the more, as we have the EU Data Act, as well as the UK legislation to see how it fares out. It is quite a unique approach. We don't have that in other hemispheres, other jurisdictions. So paving the way and leading the crowd is a real opportunity you don't get so often in a legal career.

Rhiannon:

Alex, thank you so much for joining me and providing such practical insights. And thank you for listening to our podcast. Please do share the podcast with interested colleagues and look out for the upcoming podcasts on the Act, which we're aiming to release every week. Thank you and goodbye.