The European Commission adopts a proposal for a Data Act

22/04/2022

Watches, thermostats, lights, cameras, TVs, robots, scales… these objects all have in common that they present versions of themselves in so-called connected object versions; and the list is not exhaustive, as it could be so long. However, connected objects produce data (personal and/or non-personal) whose conditions of access and use are subject to a legal vagueness that hinders their exploitation – to such an extent that, according to the European Commission, 80% of industrial data would not be exploited [1].

The “Data Act” proposal « Data Act »[2], adopted by the European Commission on February 23th, 2022, aims to clarify the situation by harmonizing the rules of access and use of this data for all stakeholders: individuals, companies and public institutions.

Societal, economic and legal context

Did you say connected object? The Telecommunications Vocabulary defines it as an object in any field (transport, health, home automation, industry…) “capable, in addition to its main function, of sending or receiving information via a telecommunications network”. This connection is not neutral: it can have the effect of “extending or diversifying the functions of the object”.[3].

Ces objets connectés s’inscrivent dans la catégorie plus générale de « l’internet des objets » (Internet of ThinThese connected objects are part of the more general category of the “Internet of Things” (IoT), which is “the set of connected objects as well as telecommunication networks and platforms for processing the collected information associated with them”. These networks are also diverse: the Internet, radio communication networks with mobiles, specialized low-speed networks, etc.[4].

However, the use of connected objects reflects the exponentially increasing volume of data produced in the world[5]. Estimates suggest a six-fold increase in the volume of data produced between 2018 and 2025, from 33 to 175 zettabytes, which Europe sees as “an opportunity to become the world leader in this field”[6]; the Commission speaks of a “digital age”[7]. In addition to the societal context, it is the economic potential that motivates the adoption of this “data regulation” or “data law”. Its rapporteur, Thierry Breton, estimates the additional GDP generated in Europe between 270 and 300 billion euros by 2028[8] thanks to these new rules – to be compared with the value of Internet of Things services estimated at between 5,000 and 11,000 billion euros in 2030 worldwide.[9].

From the point of view of the legal context, the proposed Data Act is part of a broader European legal framework dedicated to the protection of data – both personal and non-personal – and the development of a data-driven economy[10]. Chronologically, we recall the existence of other normative texts with which the Data Act must be articulated, such as :

  • La directive sur lThe directive on the legal protection of databases of March 11th, 1996[11]. Article 35 of the Data Regulation provides in this respect that “the sui generis right provided for in Article 7 of Directive 96/9/EC shall not apply to databases containing data obtained or generated by the use of a related product or servic
  • The “privacy and electronic communications” directive of July 31st, 2002[12] ;
  • The General Data Protection Regulation of April 27th, 2016 (GDPR)[13] ;
  • The Regulation on the protection of personal data by Union institutions, bodies, offices and agencies and on the free movement of such data of October 23th, 2018[14] ;
  • The Regulation of November 14th, 2018 establishing a framework for the free flow of non-personal data in the European Union[15], which allows non-personal data to be stored, processed and transferred anywhere in the EU;
  • The April 17th, 2019 cybersecurity regulation that includes a requirement for security by default and by design for ICT products, services and processes[16] ;
  • The 20 of June 2019 directive on open data and the re-use of public sector information[17] ;
  • The November 25, 2020 proposal for a regulation on European data governance (Data Governance Act), which was the subject of a political agreement between the European Parliament, Commission and Council and is awaiting approval by the Parliament and Council[18].
  • The proposed Digital Market Act (DMA) and related regulation to come[19].

Also, as early as February 19th, 2020, the European Commission announced its “European Data Strategy” in which it advocated that data should be “accessible to all, public or private, small or large, start-ups or giant companies” within the single market – while guaranteeing “high standards of privacy, security, safety and ethical norms”[20]. The possibility of a data law by 2021 was mentioned[21], and a regulation on data governance[22].

The Data Act proposal

Chronologically speaking, (i) the proposed Data Governance Regulation ( November 25th, 2020) came before (ii) the proposed Data Regulation (February 23rd, 2022). They are both foreseen by the European Data Strategy

  • The first one aims at facilitating the sharing of data between sectors and between member states. It was related in particular to the question of “which data can be used in which situations”.[23], and put in place the “processes and structures to facilitate data sharing by businesses, individuals and the public sector”[24].
  • The second complements the first and clarifies who can create value from data. It is about “who can use and access the data generated in the EU in all economic sectors”[25]. It concerns the relationships between data actors and encourages “cross-sectoral sharing of horizontal data”.[26].

In its scope, the proposed data regulation is intended to be horizontal, in the sense that it is a common base that is intended to apply to all sectors in terms of data access and use. The pre-existing sectoral regulations will nevertheless continue to apply, but their future versions (mobility, health, finance, etc.) will have to be adopted in line with the Data Act to ensure their convergence.[27].

The scope of the data concerned is vast: the Data Act covers all types of data (personal or non-personal). The text proposes the following definition of “data”:

« toute représentation numérique d’actes, de faits ou d’informations et toute compilation de ces actes, faits “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of a sound, visual or audiovisual recording” (art. 2.1.).

However, the fundamental right to the protection of personal data is guaranteed by other normative instruments with which it must be articulated and to which it cannot be detrimental[28]. Thus, for example, the specific guarantees provided for by the RGPD will be fully applicable as soon as the personal data of European individuals are concerned. The real issue of the regulation is therefore first and foremost the conditions of access and use of non-personal data.

Dans sa struIn its structure, the proposed Data Act is divided into 42 articles, grouped into 11 chapters entitled respectively:

(i) general provisions ;
(ii) business-to-business and business-to-individual data sharing;
(iii) obligations of data holders to make data available;
(iv) Unfair conditions for access and use of data between businesses;
(v) availability of data to public sector entities and Union institutions, bodies and agencies in case of exceptional need;
(vi) on the change of data processing services;
(vii) safeguards related to non-personal data in an international context;
(viii) interoperability;
(ix) implementation and enforcement;
(x) sui generis rights under Directive 1996/9 (on databases);
(xi) final provisions.

In essence, the main thrusts of the proposed data regulation are as follows:

  • For users: their rights to the data generated by their use of related products or services

While it was common for only manufacturers to collect the data generated[29], a principle of obligation to make these data easily accessible to the user, by default and in a secure manner, is now established (art. 3.1.). It should be noted that small and micro enterprises (SME) are not concerned by this obligation and those related to them (art. 7).

L’obligation d’information de l’utilisateur est également précisée. Avant tout achat, location ou leasing The obligation to inform the user is also specified. Before any purchase, rental or leasing of a linked product or service generating data, a set of information must be brought to the user’s attention; this information concerns both the data generated and the user’s rights over them (art. 3.2.).

Corrélativement, est consacré le droit des utilisateurs d’accéder et d’utiliser les données générées par lAt the same time, the right of users to access and use the data generated by their use of the linked products and services is established. This must be provided free of charge, without delay and in principle continuously. It is the responsibility of the data holder, if the user cannot access the product data himself (art. 4.1.).

Likewise, the user has the right to share the data with third parties. This right is free of charge, without delay, continuous and in real time; it is imposed on the data holder upon simple request from the user (art. 5.1.). It is important to note that “third parties” do not include “access controllers” as defined in the forthcoming DMA regulation (art. 5.2.).

Data sharing – from data holder to data recipient – must be fair, reasonable, transparent and non-discriminatory (art. 8.1) :

An agreement between them must provide for matters relating in particular to questions of liability (art. 8.2.) ;

Unless otherwise provided for by European law, this sharing must ensure that no trade secrets are disclosed (art. 8.6).

Unless otherwise provided for by law, it is carried out in return for reasonable financial compensation which, when the recipient of the data is an SME, may not exceed the technical cost of the transfer concerned (art. 9.1. and 9.2.).

The data holder must put in place appropriate technical data protection measures (art. 11).

Various prohibitions and obligations are incumbent on third parties to protect the data and the rights of users (art. 5.2.). The data are used by them in compliance with the principles of purpose and limitation of storage (art. 5.1.).

The expected benefits of this open access to data are[30] : (i) lowering the price of after-sales and maintenance services for connected objects (users are no longer obliged to use the manufacturer’s services alone, but can authorize access to data to third-party repair services, which are assumed to be cheaper) (ii) the development of new services based on the cross-referencing of data from different connected objects (the user who owns several connected objects will be able to give access to the data generated by different objects to the same actor – and not only to the respective manufacturers – in order to develop new personalized services).
  • Pour les PME : pFor SMEs: prevent excessive contractual imbalances to rebalance their bargaining power in data sharing contracts

The proposed regulation aims to protect SMEs from unfair terms imposed by a party with significantly greater bargaining power.

In this sense, a clause relating to access, use, liability or remedies in the event of a data breach is unfair and unenforceable if it is imposed unilaterally on an SME (Art. 13.1.). The regulation provides a series of criteria to identify whether a clause is or should be presumed unfair (Art. 13.3. and 13.4.) and under what conditions a clause should be considered unilaterally imposed (Art. 13.5.).

  • For public organizations: access to data held in exceptional circumstances

In the event of an exceptional circumstance that justifies it, a data holder must, as a matter of principle, allow access to and use of any required data to a public body, at its request (art. 15) and without delay (art. 18.1.) – the latter being required to specify which data are concerned, to provide proof of the exceptional circumstance, to explain the purpose, the intended use and its duration, as well as the legal basis on which it is based, and the period of time within which the data must be made available (art. 17).

Such exceptional circumstances are deemed to exist either in the case of a public emergency already existing and to be treated, or to be created and to be prevented, or when the public body cannot fulfil a public service mission provided for by law for lack of data (art. 15). The data collected in this way must not, however, be used for the purposes of criminal or administrative proceedings (art. 16).

In principle, this service is provided free of charge (art. 20.1.), but the technical costs (anonymization, adaptation, etc.) may be reimbursed when it is carried out for preventive reasons or to provide a public service (art. 20.2.).

  • On the possibility of changing data processing services and on data interoperability

Providers of data processing services, including in the cloud, must remove any commercial, technical, contractual or organizational obstacle that might prevent customers from effectively changing service providers (Art. 23). An agreement between the service operating the transfer and the customer must stipulate the conditions under which the transfer takes place and the data concerned – this transfer taking place in principle within 30 days (art. 24.1.a.).

Aussi, des standards d’opérabilité s’imposent aux fournisseurs de services pour assurer la bonne réalisation des transferts (art. 26.3. et 28 et s.).

  • On guarantees for international transfers of non-personal data

Data service providers must take all technical, legal and organizational measures to prevent international transfers or access by third governments to non-personal data hosted in the European Union – where such transfer is likely to conflict with Union or Member State law (Art. 27.1.).

Such a transfer can only take place lawfully if there is a decision by a court or an administrative authority and an international agreement in force between the requesting State and the EU or an EU country (art. 27.2).

Certain specific conditions are provided for – in the absence of such an international agreement – to allow the supplier covered by a court order or an administrative authority of a third State to lawfully carry out such a transfer or access (art. 27.3.).

The proposal for a data regulation, if adopted by the Commission on February 23, 2022, still needs to be negotiated by the European Parliament and Council.

[1] Alice Vitard, Brussels wants to exploit the growth potential of industrial data, L’usine Digitale, February 23th, 2022 (link)

[2] Proposal for a Regulation of the European Parliament and of the Council on harmonized rules on fair access to and use of data (Data Act), 2022/0047 (COD) (link)

[3] Telecommunications vocabulary, “connected object” entry, Journal Officiel de la république française, January 11th, 2018, text 135 of 164 (link)

[4] Telecommunications vocabulary, “connected object” entry, Journal Officiel de la république française, January 11th, 2018, text 135 of 164 (link)

[5] IDC White Paper, Data Age 2025 : The Evolution of Data to Life-Critical, 2017, p.7 (link)

[6] European Commission, A European Data Strategy, COM (2020) 66 final, February 19th, 2020, p. 2 (link)

[7] Proposal for a Data Act, 2022/0047 (COD), p. 1 (link) ; 2022/0047 (COD) préc., p.6 (link)

[8] Ingrid Vergara, Avec le Data Act, l’UE veut pouvoir mieux exploiter ses données, Le Figaro, February 23th, 2022 (link)

[9] Com. Eur. data regulation, the way forward for the digital decade, February 23th, 2022 (link)

[10] V., Proposal for a Data Act, 2022/0047 (COD), pp. 3-7.

[11] Directive 96/9 of March, 11th 1996 on the legal protection of databases (link).

[12] Directive 2002/5Directive 2002/58 on privacy and electronic communications of July 12th, 2002 (link)

[13] Règlement 2016/679 du 27 Regulation 2016/679 of April 27th, 2016, known as the General Data Protection Regulation (link)

[14] Regulation 2018/1725 of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the institutions, bodies, offices and agencies of the Union and on the free movement of such data (link)

[15] Regulation 2018/1807 of 14 November 2018 establishing a framework for the free flow of non-personal data in the European Union (link). Recital 10: “Under Regulation (EU) 2016/679,” i.e., the GDPR, “Member States may neither restrict nor prohibit the free movement of personal data within the Union on grounds relating to the protection of individuals with regard to the processing of personal data. This Regulation establishes the same principle of free movement within the Union of non-personal data unless a restriction or prohibition is justified on grounds of public security.

[16] Article 51, i) of the Cybersecurity Regulation (EU) 2019/881 of April 17th, 2019 (link)

[17] Directive 2019/1024 of 20 June 2019 on open data and the re-use of public sector information (link)

[18] Com. Eur, Commission welcomes political agreement to boost data sharing and support European data spaces, Nov. 30th 2021 (link)

[19] Proposed legislation on digital markets of December 15th, 2020 (link)

[20] U. Von Der Leyen, Political Guidelines for the next European Commission 2019-2024 (lien) and quoted in the proposed Data Act, p. 1

[21] ComCom. A European Data Strategy, COM (2020) 66 final, February 19th, 2020, p.1 and 16(link)

[22] Ibid, p.14

[23] COM (2020) 66 final, February 19th, 2020, pp. 15-16

[24] Com. Eur. data regulation: Commission proposes measures for a fair and innovative data economy, February 23th, 2022 (link)

[25] Com. Eur. data regulation: Commission proposes measures for a fair and innovative data economy, February 23th, 2022 (link)

[26] COM (2020) 66 final, Fébruary 19th, 2020, préc., pp. 14

[27] Proposal for a Data Act, 2022/0047 (COD), p.5

[28] See in particular Recitals 7, 24, 30 and Article 1.3 of the proposed Data Act

[29] Com. Eur. data regulation: Commission proposes measures for a fair and innovative data economy, February 23th, 2022 (link)

[30] Com. Eur. data regulation: Commission proposes measures for a fair and innovative data economy, February 23th, 2022 (link)