Draft Regulation on Harmonized Rules on Fair Access to and Use of Data (Data Act) was proposed by European Commission (Commission) and had been published on its website on 23 February. Data Act has not yet entered into force. Data Act is the second main legislative initiative resulting European Union’s (EU) data strategy along with Data Governance Act discussed in EU (Data Governance Act). Main goal of these regulations is to “create a single market that allow data to flow freely within the EU and across sectors for the benefit of businesses, researchers, public administrations, and society at large”.
Why Data Act? While the volume of data is growing over the time, 80% of industrial data is never used according to Commission’s press release regarding Data Act. Data Act aims to make more data available for reuse while addressing the legal, economic, and technical issues preventing the use of data to its potential.
To utilize data better, Data Act regulates the data transfer and accessibility of data between businesses (B2B), businesses and consumers (B2C), and businesses and governments (B2G). Commission is also planning to develop model contractual terms for B2B data sharing and standard contractual clauses for cloud computing contracts.
Key Proposals in Data Act
Data sharing obligations: According to Data Act, products shall be designed and manufactured, and related services shall be provided, in such a manner that data generated by their use are, by default, easily, securely and, where relevant and appropriate, directly accessible to the user. With this provision, Commission intends to set up the legal ground to make data, including Internet of Things (IoT) data, available to users, other businesses and third parties that users may want to share their data with.
Making data available: Data Act includes provisions ensuring that data holders make data available to recipients under fair, reasonable, and non-discriminatory terms and in a transparent manner.
Making data available to public sector bodies and EU institutions: In case of an exceptional need for the data by public sector bodies and EU institutions, such as in public emergencies, businesses will be under the obligation to provide certain data.
Switching between data processing services: Data Act aims to achieve an interoperability between providers of cloud systems and allow consumers to switch between competitive and trustworthy cloud and edge services in EU.
Non-personal data safeguards: Data Act adopts a provision to ensure the safety of non-personal data. According to the relevant provision, providers of data processing services must take all reasonable technical, legal and organizational measures in order to prevent unlawful third-party access, international transfer or governmental access to non-personal data held in the EU.
With Data Act, EU is getting one step closer to achieving a single market with regards to data. Entering into force of Data Act will remove the barriers against the use of and access to data. It is significant for private sector players to get familiar with the rules and to take necessary steps to adapt them into their practice. The importance not only stems from the benefits they can achieve, but also the risk of penalties that may face from non-compliance as great as the highest of 20 million Euros or 4% of their annual global turnover.
Joint Opinion of EDPB ve EDPS on Data Act
European Data Protection Supervisor (EDPS) and European Data Protection Board (EDPB) published their joint opinion (Opinion) on the Data Act on 4 May. In the Opinion, general reservations about the protection of personal data were expressed and it was recommended to improve the Data Act, especially in light of GDPR and the ePrivacy Directive.
In the Opinion, EDPS and EDPB stated that they comprehend the importance of facilitating innovation and increasing data portability more effectively, which is one of the aims of Data Act. However, they expressed concerns about the protection of personal data under all circumstances and presented suggestions for improvements in Opinion.
Main Proposals in Opinion
- It was stated that the definition of “data” included in the Data Act also includes personal data; therefore it is underlined that the definitions of “personal data” and “non-personal data” should be included in the relevant provision.
- When personal data is processed; it is mentioned that when there is a conflict between the Data Act and the data protection legislation, the provisions in the data protection legislation should prevail. It is highlighted that it should either be mentioned that the requirement for the Data Act to have legal grounds in scope of the GDPR when processing and transferring personal data remains or that specific provisions are only valid for the processing of non-personal data.
- It was underlined that explicit limitations and prohibitions should be regulated in cases where the data created using a product or service is used by any other irrelevant person, particularly when this data enables it to reach definite results related to the private lives of persons or pose high risks about their rights and freedoms. Also, it was stated that additional safeguards should be taken for the privacy of private life and the protection of personal data in practice.
- It was stated that EDPB and EDPS have concerns about the legality, necessity and proportionality of the obligation to share data with public institutions and European Union institutions, agencies or bodies in case of “extraordinary need”. It was underlined that any limitation on the control of the data subjects over their personal data should be based on a sufficiently accessible and predictable legal basis.
- It is advised that when the personal data created through the use of a product and service for the purposes of direct marketing and advertisement, employee monitoring, credit scoring or determining the eligibility for health insurance, the use of personal data should be limited.
Data Act, which was prepared for the free mobilization of data within the European Union, was criticized by the EDPB and EDPS with concerns regarding the protection of personal data on the grounds that it did not contain sufficient safeguards for the protection of personal data. In this context, it was recommended to update the Data Law in accordance with the Opinion. It is a matter of curiosity how the Data Act will change with the impact of the Opinion.