An important step in the development of EU data law is the publication of the first draft of the Data Act, which took place on 23 February. The proposal is based on the EU's data strategy of 2020. The proposal seeks to create harmonised rules that promote access to data, the sharing of data assets within a regulated framework, and the ability to switch between certain data processing services (especially cloud services). Accordingly, the proposal goes beyond data protection and has other legal aspects, especially competition law, copyright. 

1. What is the purpose of the regulation, what does it cover?

The Regulation lays down harmonised rules

• on making data generated by the use of a product or related service available to the user of that product or service,
• on the making data available by data holders to data recipients, and
• on the making data available by data holders to public sector bodies or Union institutions, agencies or bodies, where there is an exceptional need, for the performance of a task carried out in the public interest.

The Regulation applies to 

• manufacturers of products and suppliers of related services placed on the market in the Union and the users of such products or services;
• data holders that make data available to data recipients in the Union;
• data recipients in the Union to whom data are made available;
• public sector bodies and Union institutions, agencies or bodies that request data holders to make data available where there is an exceptional need to that data for the performance of a task carried out in the public interest and the data holders that provide those data in response to such request;
• providers of data processing services offering such services to customers in the Union.

The Regulation shall be applicable in line with the GDPR and the ePrivacy Directive (Directive 2002/58/EC) and, if adopted, the ePrivacy Regulation.

2. Some important definitions of the Regulation 

• It is important to note that the Data Act covers both personal and non-personal data. According to the Regulation, data means any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording.
• User means a natural or legal person that owns, rents or leases a product or receives a service.
• Data holder means a legal or natural person who has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation implementing Union law, or in the case of non-personal data and through control of the technical design of the product and related services, the ability, to make available certain data.
• Data recipient means a legal or natural person, acting for purposes which are related to that person’s trade, business, craft or profession, other than the user of a product or related service, to whom the data holder makes data available, including a third party following a request by the user to the data holder or in accordance with a legal obligation under Union law or national legislation implementing Union law. 
• The concept of processing, like in the GDPR, covers a very wide range and essentially any operation on data processed in electronic format, regardless of whether it is automated or not. (Processing means any operation or set of operations which is performed on data or on sets of data in electronic format, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.)
• Data processing service means a digital service other than an online content service (as defined in Article 2(5) of Regulation (EU) 2017/1128), provided to a customer, which enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources of a centralised, distributed or highly distributed nature. 
• Smart contract means a computer program stored in an electronic ledger system wherein the outcome of the execution of the program is recorded on the electronic ledger. 

The Regulation is likely to have a significant impact on the manufacturers of connected products (e.g. IoT products) and providers of related services in the EU, as well as on the users of these products and services (including business users and consumers).

Facilitating the switching between providers of data processing services, including in particular cloud service providers, is a key objective of the Regulation.

3. Main areas covered by the Data Act

• B2C and B2B data sharing: Products shall be designed and manufactured, and related services shall be provided, in such a manner that data generated by their use are, by default, easily, securely and, where relevant and appropriate, directly accessible to the user (Article 3, Point 1). The Data Act also lays down transparency (information) requirements that may enable the users to exercise their rights under the Regulation. The proposal also covers cases where personal data would be shared and the user with access is not a data subject under the applicable data protection rules. The Data Act regulates the possibility of sharing data with third parties at the request of the user. However, any undertaking providing core platform services for which one or more of such services have been designated as a gatekeeper (on the basis of the Digital Markets Act that is also in the negotiations phase), shall not be an eligible third party. 
• Data sharing obligations of data holders: In order to avoid restrictive or discriminatory agreements, the Data Act also sets out requirements for data sharing agreements and the Regulations also lays down that any compensation agreed between a data holder and a data recipient for making data available shall be reasonable. Dispute settlement rules are also provided in case of potential breaches of such obligations. 
• Unfair contractual terms unilaterally imposed on a micro, small or medium-sized enterprise: The Data Act defines the cases in which unilateral contractual terms for data sharing between businesses are considered unfair if the party to whom the terms in question apply is a micro-enterprise or an SME.
• B2G data sharing: Upon request, a data holder shall make data available to a public sector body or to a Union institution, agency or body demonstrating an exceptional need to use the data (e.g. in case of medical emergency, like the COVID crisis). An exceptional need to use data within the meaning of the Regulation shall be deemed to exist in any of the following circumstances:(a) where the data requested is necessary to respond to a public emergency; (b) where the data request is limited in time and scope and necessary to prevent a public emergency or to assist the recovery from a public emergency; (c) where the lack of available data prevents the public sector body or Union institution, agency or body from fulfilling a specific task in the public interest that has been explicitly provided by law; and such data cannot be obtained by alternative means or obtaining the data in line with the procedure laid down in the Regulation  would substantively reduce the administrative burden for data holders or other enterprises. Data made available to respond to a public emergency shall be provided free of charge. (Where the data holder claims compensation for making data available in compliance with a request made pursuant to points (b) or (c), such compensation shall not exceed the technical and organisational costs incurred to comply with the request including, where necessary, the costs of anonymisation and of technical adaptation, plus a reasonable margin.)
• Facilitate switching between data processing services: The proposal contains rules to avoid “lock-in” situations. This is e.g. may be applicable to cloud services, but may also apply to other data processing services. The draft also sets out rules for interoperability that may be a relevant prerequisite for switching.
• International transfer of non-personal data: The transfer of non-personal data outside the EU is also regulated. These rules are less elaborate and detailed than in the case of the GDPR and other EU rules on data protection, but they indicate a strong aspiration for data sovereignty in the EU, which has become increasingly apparent in recent years in terms of regulation and enforcement.
  

Each Member State shall designate one or more competent authorities as responsible for the application and enforcement of this Regulation. Member States may establish new authorities or rely on existing authorities. (The national competent authority responsible for the application and enforcement of rules on switching between data processing services shall have experience in the field of data and electronic communications services.) Of course, the authorities competent for the protection of personal data can act on the personal data aspects of the Regulation. With regard to fines, Member States shall lay down the rules on penalties applicable to infringements of the Regulation and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive and of course, without prejudice to e.g. the rules on fines laid down in the GDPR. The Commission will also be able to publish model contractual terms that may be used in data sharing collaborations.

4. Next steps

The proposal will be examined by the Parliament and the Council, and a trialogue between the parties could begin afterwards. It is expected that the final text may be adopted in 2023 and it is expected that the Regulation may become applicable in mid-2024 (12 months after the promulgation of the Regulation).