Data Act: the most important questions about the EU’s new data law

With its proposal for a Data Act, the EU Commission is planning comprehensive rules for a fair and innovative data economy. To this end, the planned EU regulation is to specify in particular who may make commercial use of non-personal data generated in the EU and who may have access to it. As a building block of the EU’s new data and cybersecurity law, the Data Act will have a huge impact on the commercial use of data by companies. We would therefore like to inform you in advance about the most important questions and answers in connection with the Data Act.

What does the Data Act govern?

The Data Act is intended to apply across industries and ensure a fairer distribution of value in the exploitation of non-personal data. To this end, access is to be created to data that was previously reserved exclusively for a few players. The Data Act therefore contains specific requirements, particularly for manufacturers of products and for providers of related services. In the future, these companies will be required to make data generated by the use of products or associated services available to a greater extent than before. To this end, the Data Act provides for a right of access by both private and commercial users to data generated by the use of products or related services, as well as a right to share such data. The regulations on interoperability should also be understood in this light. Because of its broad scope, every company in Europe will have to deal with the Data Act in one way or another. The General Data Protection Regulation (GDPR) continues to apply to the processing of personal data by manufacturers of products and providers of services, as well as to the right of access to personal data.

What are the challenges for companies?

The EU Commission has recognised the economic importance of data in an increasingly digitalised world and wants to regulate the fair handling of data by law. In our view, this is basically welcome, but at the same time presents companies with major challenges. Indeed, some regulations interfere very strongly in the still nascent market for data, without this seeming to be absolutely necessary. One example of this is Chapter 4 of the draft, which interferes very strongly with the freedom of contract between companies and seeks to prohibit certain provisions on access to and use of data as abusive terms. However, as with the proposal for an AI regulation, more flexibility and more freedom for the development of markets and technologies would be desirable. The regulations on the international exchange of non-personal data also seem excessive.

Companies already face enormous challenges in the international exchange of personal data, as the debates surrounding the ECJ’s “Schrems II” decision and the EU-US Privacy Shield show. In this situation, making the international transfer of non-personal data more difficult is problematic and unnecessary in view of the objectives of the Data Act. Moreover, because data processing flows are already highly complex, there is a risk of chaos in clarifying responsibilities and implementing the Data Act in practice. The simplistic view contained in the current proposal, in which there appears to be only one data-holding body that is also responsible for the product, does not yet take sufficient account of this.

What’s next and what should companies do now?

The EU Commission’s proposal for a Data Act will now be further discussed and debated in the trilogue negotiations between the EU Commission, the EU Council of Ministers and the EU Parliament. This should result in further changes, which will hopefully also correct the aforementioned shortcomings. However, it is already clear that there will be new rules for the economic use of non-personal data. Companies should therefore take the corresponding requirements, such as data portability, into account and evaluate appropriate processes for the basic implementation of the requirements in products and services as part of the compliance management system. In addition, those companies that have not yet had access to data should already be examining what data they will be able to obtain in the future on the basis of the Data Act and what economic opportunities will result from this.


