With its proposal for a Data Act (PDF), the EU Commission is planning comprehensive rules for a fair and innovative data economy. To this end, the planned EU regulation is to specify in particular who may make commercial use of non-personal data generated in the EU and who may have access to it. As a building block of the EU’s new data and cybersecurity law, the Data Act will have a huge impact on the commercial use of data by companies. We would therefore like to inform you in advance about the most important questions and answers in connection with the Data Act.
What does the Data Act govern?
The Data Act is intended to apply across industries and ensure a fairer distribution of value in the exploitation of non-personal data. To this end, access is to be created to data that was previously reserved exclusively for a few players. The Data Act therefore contains specific requirements, particularly for manufacturers and products and for providers of related services. In the future, these companies will be required to make data generated by the use of products or associated services available to a greater extent than before. To this end, the Data Act provides for a right of access by both private and commercial users to data generated by the use of products or related services, as well as a right to share such data. The regulations on interoperability should also be understood in this light. Because of its broad scope, every company in Europe will have to deal with the Data Act in one way or another. The General Data Protection Regulation (GDPR) continues to apply to the processing of personal data by manufacturers of products and providers of services (only in German), as well as to the right of access to personal data.
What are the challenges for companies?
The EU Commission has recognised the economic importance of data in an increasingly digitalised world and wants to regulate the fair handling of data by law. In our view, this is basically welcome, but at the same time presents companies with major challenges. Indeed, some regulations interfere very strongly in the still nascent market for data, without this seemingly being absolutely necessary. One example of this is Chapter 4 of the draft, which interferes very strongly with the freedom of contract between companies and seeks to prohibit certain regulations on access to and use of data as abusive terms. However, similar to the proposal for an AI regulation (only in German), more flexibility and more freedom for the development of markets and technologies would be desirable. The regulations on the international exchange of non-personal data also seem excessive.
Companies currently already face enormous challenges in the international exchange of personal data, as the debates surrounding the ECJ’s “Schrems II” decision and the EU-US Privacy Shield show. In this situation, making the international transfer of non-personal data more difficult is problematic and unnecessary in view of the objectives of the Data Act. Moreover, because data processing flows are already highly complex, there is a risk of chaos in clarifying responsibilities and implementing the Data Act in practice. The simplistic view contained in the current proposal, in which there appears to be only one data-holding body that is also responsible for the product, does not yet take sufficient account of this.
What’s next and what should companies do now?
The EU Commission’s proposal for a Data Act will now be further discussed and debated in the trilogue negotiations between the EU Commission, the EU Council of Ministers and the EU Parliament. This should result in further changes, which will hopefully also correct the aforementioned shortcomings. However, it is already clear that there will be new rules for the economic use of non-personal data. Corresponding requirements, such as the data portability, should therefore be taken into account by companies and appropriate processes for the basic implementation of the requirements in products and services should be evaluated as part of the compliance management system (only in German). In addition, those companies that have not yet had access to data should already be examining what data they will be able to obtain in the future on the basis of the Data Act and what economic opportunities will result from this.back