Privacy & Information Security Law Blog

On February 23, 2022, the European Commission adopted a Proposal for a Regulation designed to harmonize rules on the fair access to and use of data generated in the EU across all economic sectors (the “Data Act”). The Data Act is intended to “ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible for all.” Importantly, the Data Act applies to all data generated in the EU, not only personal data, which is regulated by the General Data Protection Regulation (“GDPR”).

The Data Act is part of the European Commission’s European Strategy for Data, which complements the Data Governance Act, a draft Act designed to facilitate data sharing across sectors and EU Member States.

Key elements of the Data Act include:

• Reinforced data portability measures allowing connected device users to gain access to, and share with third parties, data generated by connected devices, thereby allowing cheaper aftermarket and other data-driven innovative services (such as predictive maintenance).
• Measures to rebalance the negotiating power of small and medium-sized enterprises (“SMEs”) by preventing the abuse of contractual imbalances in data sharing contracts. Model contracts also will be developed by the European Commission to help companies draft and negotiate fair data-sharing contracts.
• Grants public sector bodies the authority to access and use data held by private companies in circumstances of high public interest, such as natural disasters, subject to specific conditions.
• Data and cloud interoperability rules that allow end users to effectively switch between cloud and edge service providers, and establish safeguards against unlawful data transfer and access by non-EU governments.
• A clarification that databases containing data from Internet-of-Things (IoT) devices and objects should not be subject to separate legal protection, thereby allowing data generated by IoT devices to be accessed and used more easily by end users.

According to the European Commission, “(t)he Data Act is fully consistent with and builds on the [GDPR] rules,” particularly with respect to the GDPR’s right to data portability. Under the GDPR, the right to data portability is not absolute and applies only to personal data processed pursuant to specific legal bases. The Data Act would enhance the right to data portability for connected devices so that end users can access and export any data generated by the device, both personal and non-personal.

Read the European Commission’s Press Release on the Data Act.

Read the Q&As and Factsheet on the Data Act.

Read the full text of the Data Act.