Author: Vassilia Orfanou, CMO of Gaia-X
Editor: Gaia-X editorial team
At the end of February 2022, the EU Commission presented the “Data Governance Act” draft. In April, the same draft was approved by the European Parliament, and later in May of this year the Council of the European Union put a final stamp on the act.
The Data Governance Act is an EU regulation to harmonise rules for fair access to data and its use. As an EU regulation, the new requirements will apply immediately after coming into force across all EU member states.
The act sets out the obligations of stakeholders to make data available to public bodies and third parties, how these obligations are enforced, and the associated fines for breaching them.
What is the EU Data Governance Act?
The Data Governance Act is the new regulatory framework created by the European Union to promote data exchange between companies and public institutions and take advantage of the economic and scientific potential of the data. After its approval in the European Parliament and Council, the Data Governance Act is now a reality.
The EU institutions have been working on this regulation since 2020 to promote the circulation, exchange, and availability of data between the public and private sectors, strengthening trust in data intermediaries.
“We want to give consumers and companies even more control over what can be done with their data, clarifying who can access data and on what terms,” according to the Executive Vice-President of the European Commission, Margrethe Vestager. “This is a key Digital Principle that will contribute to creating a solid and fair data-driven economy and guide the Digital transformation by 2030”, she added.
This new law would align with other EU rules on personal data protection, consumer protection, and competition law. As companies and public bodies digitise and data becomes increasingly relevant to society, both for improving it and for fostering the economy, the EU Data Act seeks to strengthen the different data exchange mechanisms and promote the availability of data for advanced applications and solutions in Artificial Intelligence, personalised medicine, ecological mobility and intelligent manufacturing, among other fields that can benefit from data exchange and analysis.
“Data only has value if it is aggregated, refined and used in the right way,” said Angelika Niebler (EPP, Germany), the MEP who steered the legislation through Parliament. “Some businesses might not even know what can be done with data from, for example, their industrial machines. Through more data sharing new business models can emerge, more efficiency can be achieved, or products can be improved.”
The Data Governance Law seeks to establish mechanisms that allow the re-use of specific categories of protected data from the public sector, the exchange of data between companies, and the transfer of data from individuals through reliable data intermediation services, and that promote data exchange and data altruism throughout the EU.
The ultimate goal of this new law is to provide the EU with competitive advantages in an economy that is increasingly dependent on data and, concretely, to reverse the position of dominance over data that the big tech companies currently have, so that this data is also available to the public administration, smaller companies, SMEs and start-ups, thus opening up new business opportunities for all.
“Successful digital transformation and achieving our climate goals depend on data-driven innovation, which relies on the availability of data. It is therefore crucial to increase trust in data sharing,” according to Boštjan Koritnik, the Slovenian Minister for Public Administration, President of the European Council. “This law will not oblige anyone to share their data, but for those who want to make their data available for certain purposes, it creates a safe and easy way to do it and to stay in control”, he highlighted.
The Data Act is intended to set new standards for access to, provision of, and use of data generated in the EU. The aim is to contribute to a fair, innovative, and efficient digital economy in the EU. Access to existing (industrial) data should be facilitated, with legal certainty promoting trust in the shared use of data and the removal of technical obstacles paving the way to an interoperable and agile data economy.
The regulation proposals
The regulations provided are extensive and far-reaching. They affect various areas of the digital economy and many different actors, in particular manufacturers of smart, connected products. Their implementation will entail considerable effort and offer opportunities, such as enabling new business models.
According to the act, the regulation lays down the following: “Conditions for the re-use, within the Union, of certain categories of data held by public sector bodies; a notification and supervisory framework for the provision of data sharing services; and a framework for voluntary registration of entities which collect and process data made available for altruistic purposes.”
We will therefore introduce you to the different regulatory areas of the Data Act and explain the innovations and the expected effects in practice.
There are 7 focus and follow-up points that frame the basis of the regulatory areas in the final proposal of the Data Act:
Access rights to data
Data is regularly generated, collected, or received when using a connected product or a related service. In the future, every user of such a product or service will be able to access or gain access to this data. In addition, the user can decide whether and to what extent third parties have access to this data and for what purposes and under which conditions they may use it.
Chapter II is, therefore, the heart of the new Data Act and possibly the most far-reaching chapter for all providers of networked products and services: Providers must open their products to users and, among other things, provide comprehensive metadata. This poses technical challenges and will have a very significant commercial impact on product development.
Obligations to make data available to third parties
Where a law standardises access to data, as Chapter II of the Data Act does, the provisions of Chapter III must also be observed: the provision of data to professional data recipients (not the product users) must be transparent and on fair terms, and the consideration demanded must be reasonable.
Obligations to provide data to public bodies
To deal with public emergencies and even, if “there is no other way”, to fulfil public tasks, public authorities will in the future be able to request data from companies to a reasonable extent. Companies must then provide this data as requested.
However, according to the act, “Conditions for re-use shall be non-discriminatory, proportionate and objectively justified regarding categories of data and purposes of re-use and the nature of the data for which re-use is allowed. These conditions shall not be used to restrict competition.”
Prohibiting unfair terms in data access and respective contract clause enforcement
Contractual agreements about access to and use of data, liability, and remedies for breach or termination of agreements are central to the commercial evaluation of data deals. In the case of contracts with small and medium-sized companies, these clauses will be specifically checked in the future. In the event that such clauses are abusive, they will not be effective.
In particular, anything that “grossly” deviates from good business practice and violates good faith and morality is considered abusive. To this end, the EU Commission will also present model contract clauses.
Switching between data processing services – data portability
With the Data Act, the European Commission also prohibits exclusive business advantages and effects in another area: providers of data processing services, such as cloud providers, must ensure that customers can switch to another data processing service in the future. Commercial, technical, contractual, and organisational precautions that prevent customers from doing so must be removed.
In practice, data migration needs to be significantly easier across the board. The Data Act contains several detailed specifications. For example, data, applications, and digital assets must be migrated with a maximum transition period of 30 days.
The previous provider must support the transition process and, as far as technically feasible, complete, unrestricted continuity in the provision of the relevant functions or services must be guaranteed. The consideration that the previous provider may demand for the migration is also regulated by the Data Act and will be reduced to zero in the future.
International transfer of non-personal data
In the future, providers of data processing services must also take appropriate technical, legal, and organisational measures for non-personal data to prevent international transfer of, or government access from outside the Union to, data stored in the Union if such transfer or access would lead to a conflict with Union law or the national law of the Member State concerned.
Part of chapter 2, Article 5 of the act reads: “When data requested is considered confidential, in accordance with Union or national law on commercial confidentiality, the public sector bodies shall ensure that the confidential information is not disclosed as a result of the re-use.”
Even for non-personal data, there is an obligation to protect data (weaker than under the GDPR) when it comes into contact with areas outside the EU.
A “single market for data”, the fundamental goal of the EU digital strategy, is achievable if it is easier to trade, exchange and use data. Thus, the obligation to create improved interoperability becomes the backbone of the EU digital strategy.
The Data Act on interoperability addresses three main areas:
- Data room operators must meet basic interoperability requirements, including sufficiently describing the content of the datasets, usage restrictions, licenses, etc., so that the recipient can find, access, and use the data.
- Data processing services must comply with certain specifications, including improving the portability of digital assets between different data processing services covering the same service type.
- Smart contracts must also meet specific requirements, including being designed to prevent tampering by third parties or providing data archiving of the smart contract transaction data, logic, and code to preserve the record of past operations performed on data.
Scope and relation to other legislation
According to the act, the regulation will apply to:
- Manufacturers and users of products and services that generate, provide, or use data.
- Data owners and data recipients in the EU.
- Public bodies that need data to perform a task in the public interest and the data owners who can or should make such data available.
- Providers of data processing services in the EU.
In various places, the Data Act privileges SMEs, i.e., small and medium-sized enterprises, for example, in providing data (reasonable consideration only if costs are covered) and in the contractual clauses (specific control of abuse).
In addition to the Data Act, the GDPR and ePrivacy Directive remain unaffected. In fact, the Data Act supplements the existing regulations but does not restrict or modify them.
Enforcement and Fines for Breaching the Regulation
Enforcement of the new regulation will be entrusted to one or more authorities in each Member State, with the supervision of personal data being the responsibility of the data protection supervisory authorities. The entrusted authorities must be equipped with sufficient instruments and assertiveness.
The act also stipulates how monitoring and compliance are ensured.
“The competent authority shall monitor and supervise compliance of entities entered in the register of recognised data altruism organisations with the conditions laid down in this Chapter,” reads Article 21 of Chapter 4.
The authorities will also serve as a complaints body and should be given the power to impose fines determined by the respective member states. A warning can be issued over an infringement of the regulation. However, if it is a matter of violations concerning the processing of personal data, a reprimand, temporary or definitive ban, and the fines of the General Data Protection Regulation (GDPR) would apply. This means fines of up to 4% of the annual group turnover or 20 million euros, as stipulated by the European Commission.
The Data Governance Act is another big hit from the EU Commission. As part of its digital strategy, it aims to set the standards for the future regulation of the “digital economy.” In this respect, the Data Act joins the growing list of relevant drafts, particularly the AI Regulation and the Data Markets Act. With the Data Act, the EU is now getting involved in regulating the actual data business for the first time.