Data Act: the most important ques­ti­ons about the EU’s new data law

With its pro­po­sal for a Data Act (PDF), the EU Com­mis­si­on is plan­ning com­pre­hen­si­ve rules for a fair and inno­va­ti­ve data eco­no­my. To this end, the plan­ned EU regu­la­ti­on is to spe­ci­fy in par­ti­cu­lar who may make com­mer­cial use of non-personal data gene­ra­ted in the EU and who may have access to it. As a buil­ding block of the EU’s new data and cyber­se­cu­ri­ty law, the Data Act will have a huge impact on the com­mer­cial use of data by com­pa­nies. We would the­r­e­fo­re like to inform you in advan­ce about the most important ques­ti­ons and ans­wers in con­nec­tion with the Data Act.

What does the Data Act govern?

The Data Act is inten­ded to app­ly across indus­tries and ensu­re a fai­rer dis­tri­bu­ti­on of value in the explo­ita­ti­on of non-personal data. To this end, access is to be crea­ted to data that was pre­vious­ly reser­ved exclu­si­ve­ly for a few play­ers. The Data Act the­r­e­fo­re con­ta­ins spe­ci­fic requi­re­ments, par­ti­cu­lar­ly for manu­fac­tu­r­ers and pro­ducts and for pro­vi­ders of rela­ted ser­vices. In the future, the­se com­pa­nies will be requi­red to make data gene­ra­ted by the use of pro­ducts or asso­cia­ted ser­vices available to a grea­ter ext­ent than befo­re. To this end, the Data Act pro­vi­des for a right of access by both pri­va­te and com­mer­cial users to data gene­ra­ted by the use of pro­ducts or rela­ted ser­vices, as well as a right to share such data. The regu­la­ti­ons on inter­ope­ra­bi­li­ty should also be unders­tood in this light. Becau­se of its broad scope, every com­pa­ny in Euro­pe will have to deal with the Data Act in one way or ano­ther. The Gene­ral Data Pro­tec­tion Regu­la­ti­on (GDPR) con­ti­nues to app­ly to the pro­ces­sing of per­so­nal data by manu­fac­tu­r­ers of pro­ducts and pro­vi­ders of ser­vices (only in Ger­man), as well as to the right of access to per­so­nal data.

What are the chal­lenges for companies?

The EU Com­mis­si­on has reco­g­nis­ed the eco­no­mic importance of data in an incre­asing­ly digi­ta­li­sed world and wants to regu­la­te the fair hand­ling of data by law. In our view, this is basi­cal­ly wel­co­me, but at the same time pres­ents com­pa­nies with major chal­lenges. Inde­ed, some regu­la­ti­ons inter­fe­re very stron­gly in the still nas­cent mar­ket for data, wit­hout this see­mingly being abso­lut­e­ly neces­sa­ry. One exam­p­le of this is Chap­ter 4 of the draft, which inter­fe­res very stron­gly with the free­dom of con­tract bet­ween com­pa­nies and seeks to pro­hi­bit cer­tain regu­la­ti­ons on access to and use of data as abu­si­ve terms. Howe­ver, simi­lar to the pro­po­sal for an AI regu­la­ti­on (only in Ger­man), more fle­xi­bi­li­ty and more free­dom for the deve­lo­p­ment of mar­kets and tech­no­lo­gies would be desi­ra­ble. The regu­la­ti­ons on the inter­na­tio­nal exch­an­ge of non-personal data also seem excessive.

Com­pa­nies curr­ent­ly alre­a­dy face enorm­ous chal­lenges in the inter­na­tio­nal exch­an­ge of per­so­nal data, as the deba­tes sur­roun­ding the ECJ’s “Schrems II” decis­i­on and the EU-US Pri­va­cy Shield show. In this situa­ti­on, making the inter­na­tio­nal trans­fer of non-personal data more dif­fi­cult is pro­ble­ma­tic and unneces­sa­ry in view of the objec­ti­ves of the Data Act. Moreo­ver, becau­se data pro­ces­sing flows are alre­a­dy high­ly com­plex, the­re is a risk of cha­os in cla­ri­fy­ing respon­si­bi­li­ties and imple­men­ting the Data Act in prac­ti­ce. The sim­pli­stic view con­tai­ned in the cur­rent pro­po­sal, in which the­re appears to be only one data-holding body that is also respon­si­ble for the pro­duct, does not yet take suf­fi­ci­ent account of this.

What’s next and what should com­pa­nies do now?

The EU Commission’s pro­po­sal for a Data Act will now be fur­ther dis­cus­sed and deba­ted in the tri­lo­gue nego­tia­ti­ons bet­ween the EU Com­mis­si­on, the EU Coun­cil of Minis­ters and the EU Par­lia­ment. This should result in fur­ther chan­ges, which will hop­eful­ly also cor­rect the afo­re­men­tio­ned short­co­mings. Howe­ver, it is alre­a­dy clear that the­re will be new rules for the eco­no­mic use of non-personal data. Cor­re­spon­ding requi­re­ments, such as the data por­ta­bi­li­ty, should the­r­e­fo­re be taken into account by com­pa­nies and appro­pria­te pro­ces­ses for the basic imple­men­ta­ti­on of the requi­re­ments in pro­ducts and ser­vices should be eva­lua­ted as part of the com­pli­ance manage­ment sys­tem (only in Ger­man). In addi­ti­on, tho­se com­pa­nies that have not yet had access to data should alre­a­dy be exami­ning what data they will be able to obtain in the future on the basis of the Data Act and what eco­no­mic oppor­tu­ni­ties will result from this.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.