EU proposals for new data act

The European Commission recently published a draft EU Data Act (Data Act), harmonising rules on fair access to and use of data. 

The proposals cover personal and non-personal data, and they build on and are intended to be read in parallel with the EU GDPR. They aim to ensure fairness by creating a competitive data market; increasing data-driven innovation; and improving data accessibility by providing a legal framework to promote data sharing. The Data Act covers aspects of business to business and government to business data access, and applies to holders, manufacturers, recipients and users of data, public bodies, and data processing service providers in the EU across all sectors.

The proposed measures include:

• Allowing users of connected devices (i.e. Internet of Things devices) to access and share the data generated by them, which until now has been typically harvested solely by manufacturers
• Increasing SMEs’ bargaining strength by protecting them from unfair contractual terms, with terms unilaterally imposed on SMEs by a party with significant bargaining advantage not considered binding where they do not pass a fairness test
• Enabling public sector bodies to access data held by the private sector in situations of public emergency (e.g. natural disasters or public health emergencies), without undue delay and free of charge
• Providing for customers to switch between different cloud and edge data-processing service providers
• New safeguards against unlawful data transfers
• Developing interoperability standards for data to be reused between sectors
• Further requirements for smart contracts and obligations for smart contract providers and
• A review of current database rights under the EU Database Directive 96/9/EU (created in the 1990s), clarifying that databases containing data from IoT devices should be accessible and not subject to separate legal protection in a class of their own.

Building on the Data Governance Act (DGA) which facilitates data sharing by companies, the Data Act clarifies and regulates who can access and generate value from data, and forms part of the EU’s overall European Data Strategy. The DGA will become applicable in 2023 and promotes the reuse of public sector data, sets up a licensing regime for data intermediaries, encourages altruistic data access (for scientific research, inter alia), and takes steps towards restricting transfers of non-personal data.

Both the DGA and the Data Act form part of the EU’s legislation and so will not apply domestically in the UK. That said, UK businesses which operate in the EU data market will have to comply with relevant EU law. The UK government has expressed its intention to create domestic legislation which will align with the EU provisions, as evidenced in the UK’s data reform consultation "Data: A new direction" published 10 September 2021. The Data Act has only just been submitted for approval and may undergo significant changes before coming into force – see our Insights section as we continue to monitor developments.