Explanatory Memorandum to COM(2022)68 - Harmonised rules on fair access to and use of data (Data Act)

Please note

This page contains a limited version of this dossier in the EU Monitor.



1. CONTEXT OF THE PROPOSAL

Reasons for and objectives of the proposal

This explanatory memorandum accompanies the proposal for a Regulation on harmonised rules on fair access to and use of data (Data Act).

Data is a core component of the digital economy, and an essential resource to secure the green and digital transitions. The volume of data generated by humans and machines has been increasing exponentially in recent years. Most data are unused however, or its value is concentrated in the hands of relatively few large companies. Low trust, conflicting economic incentives and technological obstacles impede the full realisation of the potential of data-driven innovation. It is therefore crucial to unlock such potential by providing opportunities for the reuse of data, as well as by removing barriers to the development of the European data economy in compliance with European rules and fully respecting European values, and in line with the mission to reduce the digital divide so that everyone benefits from these opportunities. Ensuring greater balance in the distribution of the value from data in step with the new wave of non-personal industrial data and the proliferation of products connected to the Internet of Things means there is enormous potential for boosting a sustainable data economy in Europe.

Regulating data access and use is a fundamental prerequisite for seizing the opportunities presented by the digital age we live in. The President of the Commission, Ursula von der Leyen, stated in her political guidelines for the 2019-2024 Commission that Europe must ‘balance the flow and use of data while preserving high privacy, security, safety and ethical standards’ 1 . The Commission Work Programme 2020 2 set out several strategic objectives, including the European strategy for data 3 , adopted in February 2020. That strategy aims at building a genuine single market for data and at making Europe a global leader in the data-agile economy. For this reason, the Data Act is a key pillar and the second major initiative announced in the data strategy. In particular, it contributes to the creation of a cross-sectoral governance framework for data access and use by legislating on matters that affect relations between data economy actors, in order to provide incentives for horizontal data sharing across sectors.

The European Council’s Conclusions of 21-22 October 2021 underlined ‘the importance of making rapid progress on existing and future initiatives, in particular unlocking the value of data in Europe, notably through a comprehensive regulatory framework that is conducive to innovation and facilitates better data portability, fair access to data and ensures interoperability’ 4 . On 25 March 2021, the European Council reiterated ‘the importance of better exploiting the potential of data and digital technologies for the benefit of the society and economy’ 5 . On 1-2 October 2020, it stressed ‘the need to make high-quality data more readily available and to promote and enable better sharing and pooling of data, as well as interoperability’ 6 . On cloud services, on 15 October 2020, the EU Member States unanimously adopted a Joint Declaration on building the next generation cloud for businesses and the public sector in the EU. This would require a next generation of EU cloud offering that reaches the highest standards in in portability and interoperability, for example 7 .

The European Parliament resolution of 25 March 2021 on a European strategy for data urged the Commission to present a data act to encourage and enable greater and fairer flow of data in all sectors, from business-to-business, business-to-government, government-to-business and government-to-government 8 . In its resolution of 25 March 2021, the European Parliament also highlighted the need to create common European data spaces for the free flow of non-personal data across borders and sectors and between businesses, academia, relevant stakeholders and the public sector. From this perspective, it encouraged the Commission to clarify utilisation rights, especially in business-to-business and business-to-government settings. It stressed that market imbalances arising from the concentration of data restrict competition, increase market entry barriers and diminish wider data access and use.

In its resolution, the European Parliament also pointed out that business-to-business contractual agreements do not necessarily guarantee adequate access to data for small and medium-sized enterprises (SMEs). The reason for this is that there are disparities in negotiation power and expertise. The European Parliament therefore stressed the need for contracts to set out clear obligations and determine liability for accessing, processing, sharing and storing data in order to limit its misuse.

As such, the Commission and EU Member States were asked to examine actors’ rights and their obligations to access data they have been involved in generating and to improve their awareness of, in particular, the right to access data, to port it, to urge another party to stop using it, or to rectify or delete it, while also identifying the holders and delineating the nature of such rights.

On the business-to-government front, the European Parliament requested that the Commission set out the situations, conditions and incentives under which the private sector should be obliged to make data available for use by the public sector, such as due to its necessity for the organisation of data-driven public services, and also examine compulsory business-to-government data sharing schemes, for instance in situations that are beyond people’s control.

In this context, the Commission puts forward the proposed Data Act with the aim of ensuring fairness in the allocation of value from data among actors in the data economy and to foster access to and use of data.

The proposal will help achieve the broader policy goals of ensuring EU businesses across all sectors are in a position to innovate and compete, effectively empowering individuals with respect to their data, and better equipping businesses and public sector bodies with a proportionate and predictable mechanism to tackle major policy and societal challenges, including public emergencies and other exceptional situations. Businesses will be able to easily switch their data and other digital assets between competing providers of cloud and other data processing services. Data sharing within and between sectors of the economy requires an interoperability framework of procedural and legislative measures to enhance trust and improve efficiency. The creation of common European data spaces for strategic sectors of the economy and domains of public interest will contribute to a genuine internal market for data enabling data sharing and use across sectors. This Regulation therefore contributes to these governance frameworks and infrastructure as well as data sharing outside data spaces.

The proposal’s specific objectives are outlined below.

–Facilitate access to and the use of data by consumers and businesses, while preserving incentives to invest in ways of generating value through data. This includes increasing legal certainty around the sharing of data obtained from or generated by the use of products or related services, as well as operationalising rules to ensure fairness in data sharing contracts. The proposal clarifies the application of relevant rights under Directive 96/9/EC on the legal protection of databases (the Database Directive) 9 to its provisions.

–Provide for the use by public sector bodies and Union institutions, agencies or bodies of data held by enterprises in certain situations where there is an exceptional data need. This primarily concerns public emergencies, but also other exceptional situations where compulsory business-to-government data sharing is justified, in order to support evidence-based, effective, efficient, and performance-driven public policies and services.

–Facilitate switching between cloud and edge services. Access to competitive and interoperable data processing services is a precondition for a flourishing data economy, in which data can be shared easily within and across sectoral ecosystems. The level of trust in data processing services determines the uptake of such services by users across sectors of the economy.

–Put in place safeguards against unlawful data transfer without notification by cloud service providers. This is because concerns have been raised about non-EU/European Economic Area (EEA) governments’ unlawful access to data. Such safeguards should further enhance trust in the data processing services that increasingly underpin the European data economy.

–Provide for the development of interoperability standards for data to be reused between sectors, in a bid to remove barriers to data sharing across domain-specific common European data spaces, in consistency with sectoral interoperability requirements, and between other data that are not within the scope of a specific common European data space. The proposal also supports the setting of standards for 'smart contracts’. These are computer programs on electronic ledgers that execute and settle transactions based on pre-determined conditions. They have the potential to provide data holders and data recipients with guarantees that conditions for sharing data are respected.

Consistency with existing policy provisions in the policy area

This proposal is consistent with existing rules on the processing of personal data (including the General Data Protection Regulation, (‘GDPR’) 10 ), and protecting the private life and the confidentiality of communications, as well as any (personal and non-personal) data stored in and accessed from terminal equipment (the ePrivacy Directive 11 , to be replaced by the ePrivacy Regulation currently the subject of legislative negotiations). This proposal complements existing rights, specifically rights regarding data generated by a user’s product connected to a publicly available electronic communications network.

The Free Flow of Non-Personal Data Regulation 12 put in place a key building block of the European data economy, by ensuring that non-personal data can be stored, processed and transferred anywhere in the Union. It also presented a self-regulatory approach to the problem of ‘vendor lock-in’ at the level of providers of data processing services, by introducing codes of conduct to facilitate switching data between cloud services (the industry-developed ‘Switching Cloud Providers and Porting Data (SWIPO)’ Codes of Conduct). This proposal further builds on this, helping businesses and citizens to make the most of the right to switch cloud providers and port data. It is also fully consistent with the Unfair Contract Terms Directive as regards contract law 13 . With regard to cloud services, as the self-regulatory approach seems not to have affected market dynamics significantly, this proposal presents a regulatory approach to the problem highlighted in the Free Flow of Non-Personal Data Regulation.

International data processing and storage and data transfers are governed by the GDPR, World Trade Organization (WTO) trade commitments, the General Agreement on Trade in Services (GATS) and bilateral trade agreements.

Competition law 14 is applicable in the context of amongst others merger control, data sharing by companies or an abuse of a firm’s dominant position.

The Database Directive 15 provides for the sui generis protection of databases that have been created as a result of a substantial investment, even if the database itself is not an original intellectual creation protected by copyright. Building on the substantial amount of case-law interpreting the provisions of the Database Directive, this proposal addresses ongoing legal uncertainties about whether databases containing data generated or obtained by the use of products or related services, such as sensors, or other types of machine-generated data, would be entitled to such protection.

The Platform to Business Regulation 16 imposes transparency obligations, requiring platforms to describe for business users the data generated from the provision of the service.

The Open Data Directive 17 sets out minimum rules on the re-use of data held by the public sector and of publicly funded research data made publicly available through repositories.

The Interoperable Europe initiative seeks to introduce a cooperative interoperability policy for a modernised public sector. The initiative arose out of the ISA2, a Union funding programme that ran from 2016 to 2021 and supported the development of digital solutions to enable interoperable cross-border and cross-sector public services 18 .

This proposal complements the recently adopted Data Governance Act, which aims to facilitate the voluntary sharing of data by individuals and businesses and harmonises conditions for the use of certain public sector data, without altering material rights on the data or established data access and usage rights 19 . It also complements the proposal for a Digital Markets Act, which will require certain providers of core platform services identified as ‘gatekeepers’ to provide, inter alia, more effective portability of data generated through business and end users’ activities 20 .

This proposal does not affect existing rules in the areas of intellectual property (except the application of the sui generis right of the Database Directive), competition, justice, and home affairs and related (international) cooperation, trade-related obligations, or the legal protection of trade secrets.

Legislative adaptations for promoting the digital transition are required in several areas. Clear rules on access to specific data necessary for circularity and sustainability of certain products throughout their life cycle and in non-exceptional situations will be established under the European Digital Product Passport (as part of the Sustainable Products Initiative) 21 . Private law rules are a key element in the overall framework. This Regulation therefore adapts contract law and other rules to improve conditions for data reuse in the Internal Market, and to prevent parties to contracts abusing imbalances in negotiating power to the detriment of weaker parties.

As a horizontal proposal, the Data Act envisages basic rules for all sectors as regards the rights to use data, such as in the areas of smart machinery or consumer goods. However, the rights and obligations on data access and use have also been regulated to varying degrees at sectoral level. The Data Act will not change any such existing legislation, but future legislation in these areas should in principle be aligned with the horizontal principles of the Data Act. Convergence with the Data Act’s horizontal rules should be assessed when sectoral instruments are reviewed. This proposal leaves room for vertical legislation to set more detailed rules for the achievement of sector-specific regulatory objectives.

Given existing sectoral legislation, with regard to the creation of the Green Deal data space, the review 22 of the INSPIRE Directive 23 will enable further open availability and reuse of spatial and environmental data. This initiative aims to make it easier for EU public authorities, businesses and citizens to support the transition to a greener and carbon-neutral economy and reducing administrative burden. It is expected to support reusable data services on a large scale to assist in collecting, sharing, processing and analysing large volumes of data relevant for assuring compliance with environmental legislation and priority European Green Deal actions. It will streamline reporting and burden reduction through better reuse of existing data, automatic reporting generation through data mining and business intelligence.

The EU Electricity Regulation 24 requires transmission system operators to provide data to regulators and for resource adequacy planning, while the EU Electricity Directive 25 provides for the transparent and non-discriminatory access to data and mandates the Commission to develop related interoperability requirements and procedures to facilitate this. The Payment Services Directive 2 26 opens some types of payment transactional and account information under certain conditions, thereby enabling business-to-business data sharing in the area of Fintech. In the mobility and transport sector, there is a wide variety of data access and sharing rules. Repair and maintenance information from motor vehicles and agricultural machines is subject to specific data access/sharing obligations under type approval legislation 27 . However, new rules are needed to ensure that existing vehicle type-approval legislation is fit for the digital age and promotes the development of clean, connected and automated vehicles. Building on the Data Act as a framework for the access and use of data, these rules will address sector-specific challenges, including access to vehicle functions and resources.

In the framework of the Intelligent Transport Systems Directive 28 , several delegated regulations have been developed and will continue to be developed, notably to specify data accessibility for road and multimodal passenger transport, in particular through National Access Points. In air traffic management, non-operational data is important for improving inter-modality and connectivity. Operational data related to air traffic management would come under the specific regime defined in the framework of the Single European Sky 29 . In vessel traffic monitoring, vessel related data (tracking and tracing) is important for improving inter-modality and connectivity: this data falls under the specific regime defined in the VTMIS Directive 30 . It also falls within the remit of the Digital Maritime System and Services. 31 The proposal for a Regulation on the deployment of alternative fuels infrastructure 32 specifies the relevant data types to be made available, in synergy with the general framework established in the Intelligent Transport Systems Directive.

Consistency with other Union policies

This proposal is in line with the Commission’s priorities to make Europe fit for the digital age and to build a future-ready economy that works for people 33 , where the digitalisation of the internal market is characterised by a high degree of trust, security, safety and choice for consumers. The digitalisation of the internal market is highly competitive thanks to a framework that favours transparency, competition and innovation, and which is technology neutral. It supports the Recovery and Resilience Facility 34 , learning lessons from the COVID-19 pandemic and the benefits of more easily accessible data where necessary.

This proposal supports the critical role of data in achieving the European Green Deal objectives in various ways. First, by deepening the understanding of governments, businesses and individuals of the impacts on society and the economy of products, services and materials across entire supply chains. Second, by mobilising the existing wealth of relevant private sector data in order to tackle climate-, biodiversity-, pollution- 35 and natural resource-related in line with objectives of the European Green Deal 36 , the relevant Council conclusions 37 and positions 38 of the European Parliament. Third, by closing knowledge gaps and managing related crises through enhanced mitigation, preparedness, response and recovery actions.

In line with the Industrial Strategy 39 , the proposal deals with highly strategic technologies such as cloud computing and artificial intelligence systems: areas whose full potential the EU has yet to harness, on the cusp of the next industrial data wave. It implements the Strategy for Data 40 goal of businesses to being better able to innovate and compete on the basis of EU values, and the principle of free flow of data within the internal market. It also tallies with the Intellectual Property Action Plan 41 in which the Commission undertook to review the Database Directive.

This proposal should also comply with the principles under the European Pillar of Social Rights (EPSR) Action Plan 42 and the accessibility requirements of the Directive (EU) 2019/882 on the accessibility requirements for products and services 43 .

2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

Legal basis

The legal basis for this proposal is Article 114 of the Treaty on the Functioning of the European Union, whose objective is the establishment and functioning of the internal market by enhancing measures for the approximation of national rules.

This proposal intends to further the completion of the internal market for data in which data from the public sector, businesses and individuals is put to the best possible use, while respecting rights in relation to such data and the investments made in order to collect it. The provisions on switching between data processing services aim to establish fair and competitive market conditions for the internal market in cloud, edge and related services.

The protection of confidential business data and trade secrets is an important aspect of the well-functioning of the internal market, as is the case for other contexts in which services are exchanged and goods are traded. This proposal ensures respect for trade secrets in the context of data use between businesses or by consumers. The initiative will allow the Union to benefit from the scale of the internal market, since products or related services are often developed using data from different Member States, and later commercialised across the Union.

Some Member States have taken legislative action to address the problems described above, in business-to-business and business-to-government scenarios, whereas others have not. This can lead to legislative fragmentation in the internal market and different rules and practices across the Union and related costs by companies that would have to comply with different regimes. It is therefore important to ensure that the proposed measures are applied consistently across Member States.

Subsidiarity (for non-exclusive competence)

Given the cross-border nature of the use of data and the many areas of impact of the Data Act, the issues this proposal deals with cannot be effectively addressed at Member State level. Fragmentation arising out of differences between national rules should be avoided, as it would lead to higher transactional costs, lack of transparency, legal uncertainty and undesirable forum shopping. Avoiding this is particularly important in all situations concerning the data aspects of business-to-business relations, including fair contractual terms and the obligations of manufacturers of Internet of Things products or related services, aspects that require homogeneity of the framework throughout the Union.

An assessment of the cross-border aspects of data flows in the area of business-to-government data sharing also demonstrates the need to act at Union level. Many private actors who hold relevant data are multinational companies. These companies should not be confronted with a fragmented legal regime.

Cloud computing services are rarely offered in one Member State only. In line with the GDPR and the Free Flow of Non-Personal Data Regulation that enable consumers and businesses to process personal and non-personal data anywhere they want in the Union, the cross-border processing of data within the Union is essential for conducting business in the internal market. It is therefore crucial that provisions on switching data processing services are applied at Union level, to avoid harmful fragmentation in an otherwise unified market for data processing services.

Only common action at the Union level can enable the achievement of the objectives laid down in this proposal, including the creation of an innovative and competitive level-playing field for data-driven businesses and the empowerment of citizens. This common action is a confident step forward in the realisation of the vision to create a genuine internal market for data.

Proportionality

This proposal balances the rights and interests of affected stakeholders with the general objective to facilitate wider use of data for a broad range of actors. It creates an enabling framework that does not go beyond what is necessary to achieve the objectives. It addresses existing barriers to fuller realisation of the potential value of data among businesses, consumers and the public sector. It also sets out a framework for future sectoral rules to avoid fragmentation and legal uncertainty. It clarifies existing rights and, where necessary, provides access rights to data, thereby helping to develop an internal market for data sharing. The initiative leaves a significant amount of flexibility for application at sector-specific level.

This proposal will give rise to financial and administrative costs. These are to be borne mainly by national authorities, manufacturers and service providers, so that they comply with the obligations set out in this Regulation. However, the exploration of different options and their expected costs and benefits has resulted in a balanced design of the instrument. Similarly, the costs to data users and holders will be counterbalanced by the value to be derived from broader access and use of data, as well as the market uptake of novel services.

Choice of the instrument

The choice of a regulation was made because it is the best mechanism to serve the broader policy goals of ensuring all businesses in the Union are put in a position to innovate and compete, consumers are better able to take control of their data, and Union institutions, agencies and bodies are better equipped to tackle major policy challenges, including public emergencies. A regulation is necessary in light of the goal of comprehensive harmonisation pursued by the proposal, in order to ensure legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide legal and natural persons in all Member States with the same level of legally enforceable rights and obligations, to ensure consistent enforcement in all Member States, as well as effective cooperation between the competent authorities of different Member States.

The proposal will strengthen the internal market for data by increasing legal certainty and guaranteeing a uniform, horizontal and coherent legal framework.

3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

Ex-post evaluations/fitness checks of existing legislation

This proposal partially builds on the latest evaluation of the Database Directive and the Commission’s study supporting the review of the Directive 44 . The Database Directive introduced, among other things, a specific sui generis right to protect databases if the producer of a database substantially invested in obtaining, verifying and presenting the data. Since its first adoption, the Directive has been evaluated twice. Both evaluations have been supplemented with Commission communications on policy for the data economy 45 .

The Court of Justice of the European Union has sharpened the understanding of substantial investments in a database, clarifying that the sui generis right aims at protecting the investments in the collection, not the creation of data 46 as a by-product of another economic activity. However, uncertainty remains as to the accidental or unintended application of the sui generis right to databases containing machine-generated data, i.e. data obtained from or generated by the use of products or related services. There is a need to balance the policy objectives of IP protection of such databases in the context of the data economy, where the exclusivity of data as a non-rival good is in general considered an impediment to innovation. To ensure consistency with the regulatory interventions proposed in this proposal, the intervention on the sui generis right specifically addresses the identified problematic application of the sui generis right in the Internet of Things context. The Commission is also currently preparing the evaluation of Regulation (EU) 2018/1807, expected for November 2022. Initial reports by external contractors have shown the limited effect of the SWIPO Codes of Conduct on cloud switching.

Stakeholder consultations

Extensive work was initiated during the mandate of the previous Commission on identifying the problems that are preventing the Union from realising the full potential of the data-driven innovation in the economy. The proposal builds on past consultation actions, such as the 2017 public consultation supporting the Commission Communication “Building a European data economy” 47 , the 2017 public consultation on the evaluation of the Database Directive, the 2018 public consultation on the revision of the Directive on the reuse of public sector information, the 2018 SME panel consultation on business-to-business data sharing principles and guidance, and the Commission online open consultation on the Data Strategy 48 from February to May 2020.

An Inception Impact Assessment was published on the Better Regulation portal on 28 May 2021 and was left open for feedback for 4 weeks. The Commission received 91 contributions on the Better Regulation Portal 49 , mainly from businesses.

A public online consultation on the Data Act was subsequently published on 3 June 2021. It closed on 3 September 2021. The consultation addressed the items covered in the initiative with relevant sections and questions. It targeted all types of stakeholders, gathering input on data sharing, access and use in business-to-business and business-to-government contexts, on consumer empowerment and data portability, the potential role of technical measures such as smart contracts, user’s ability to switch between cloud services, intellectual property rights (meaning the protection of databases), and safeguards for non-personal data in the international context. After carrying out an in-depth analysis of the replies, the Commission published a summary report on its website 50 .

In total, 449 contributions were received from 32 countries. Business entities constituted the largest number of contributions, comprising 122 business associations and 105 companies/business organisations. In addition, 100 respondents were public authorities and 58 were individual members of the public. Generally, the responses confirmed that there is a whole host of obstacles to effective and efficient data sharing in all types of data relations.

In the business-to-business context, despite data sharing between businesses being a common practice, respondents who had experienced difficulties identified obstacles such as those of a technical nature (formats, lack of standards – 69%); outright refusal to grant access not linked to competition concerns (55%) or the abuse of a contractual imbalance (44%). On contractual issues, almost half of respondents were in favour of introducing an unfairness test (46%), while more than double of those were not in favour (21%). SMEs showed strong support (50%) for an unfairness test, and a significant number of large companies were also in favour (41%) of it. Similarly, 46% of stakeholders across sectors showed support for general access rules based on fair, reasonable and non-discriminatory terms (46%). 60% of respondents, SMEs and micro companies in particular (78%), agreed that model contractual terms could contribute to increased data sharing. 70% of stakeholders expressed the opinion that there is a fairness problem with data generated in the Internet of Things context, and that manufacturers of connected products or related services should not be able to decide unilaterally on what happens to the data generated by such products. 79% of respondents considered that smart contracts could be an effective tool to technically implement data access and use in the context of co-generated Internet of Things data.

Legal uncertainty and barriers, commercial disincentives, and a lack of appropriate infrastructure were amongst the main factors impeding business-to-government data sharing identified by respondents. Almost all public authorities consider that action (Union or Member State) on business-to-government data sharing is needed, compared to 80% of academic/ research institutions and 38% of companies/ business organisations/ associations. A clear majority of stakeholders (in particular citizens and public administrations) also expressed the opinion that business-to-government data sharing should be compulsory, with clear safeguards for specific use-cases with a clear public interest in emergencies and for crisis management purposes, for official statistics, for environmental protection and for a healthier society in general.

Respondents also confirmed the usefulness of a right to switchability for business users of cloud computing services. As regards safeguards for non-personal data in international contexts, 76% of respondents perceive potential access to data by foreign authorities on the basis of foreign legislation as a risk to their organisation, with 19% indicating that it is a major risk.

Collection and use of expertise

1.

The proposal was supported by several studies, workshops and other expert input:


–Study to support this Impact Assessment on enhancing the use of data in Europe, including interviews with targeted stakeholders. This included two cross-sectoral workshops on business-to-business and business-to-government data sharing, and a final validation workshop organised in spring 2021.

–Study on model contractual terms, fairness control in data sharing and in cloud contracts and on data access rights assessed, in particular, fairness aspects in business-to-business data sharing relations and included targeted stakeholder interviews and a validation workshop.

–Study on the economic detriment from unfair and unbalanced cloud computing contracts. This included an online survey of a sample of SMEs and start-ups using cloud computing for conducting their business.

–Study on the switching of cloud service providers, including a cross-sectorial workshop in the second quarter of 2017.

–Study in support of the review of the Database Directive, including interviews with targeted stakeholders. It has assisted the Commission in the preparation of this Impact Assessment to accompany the review of the Database Directive, in the context of the Data Act and in the achievement of their intertwined objectives.

–Methodological support to impact assessment of using privately held data by official statistics. This exercise provides input to the assessment of the impact of business-to-government data reuse in official statistics by developing a methodological approach and by describing the benefits and costs of data reuse and of selected use cases for different statistical domains and different types of private sector data. In addition, it contributes to ongoing research and deliberations in order to arrive at a better understanding of business-to-government data sharing.

–Webinars on personal data platforms and industrial data platforms. Three webinars were organised on 6, 7 and 8 May 2020. They brought together the relevant data platform projects in the Big Data Value Public-Private Partnership portfolio.

–High-Level Expert Group Report on Business-to-Government data sharing. The report provides an analysis of the problems surrounding business-to-government data sharing in the Union and offers a set of recommendations in order to ensure scalable, responsible and sustainable business-to-government data sharing in the public’s interest. In addition to the recommendation to the Commission to explore the option of a legal framework in this area, it presents several ways of encouraging private companies to share their data. These include monetary and non-monetary incentives, for example tax incentives, investment of public funds to support the development of trusted technical tools and recognition schemes for data sharing.

–Workshop on labels for / certification of providers of technical solutions for data exchange. Around one hundred participants from businesses (including SMEs), European institutions and academia attended this webinar on 12 May 2020. Its aim was to examine whether a labelling or certification scheme could boost the business uptake of data intermediaries by enhancing trust in the data ecosystem.

–Ten workshops organised between July and November 2019 involved more than 300 stakeholders and covered different sectors. The workshops discussed how the organisation of data sharing in certain areas, such as the environment, agriculture, energy or healthcare, could benefit society as a whole, helping public actors to design better policies and improve public services, as well as private actors to produce services contributing to facing societal challenges.

–SME Panel consultation. This panel consultation, organised from October 2018 to January 2019, sought the views of SMEs on the Commission’s business-to-business data sharing principles and guidance issued in the Communication “Towards a common European data space” and accompanying the Staff Working Document of 25 April 2018 51 .

–The latest Eurobarometer on the impact of digitisation. This general survey on the daily lives of Europeans includes questions on people’s control over and sharing of personal information. Published on 5 March 2020, it provides information on the willingness of European citizens to share their personal information, including under which conditions.

–The Opinion of the European Data Protection Supervisor (EDPS) on the European strategy for data 52 . On 16 June 2020, the EDPS adopted Opinion 3/2020 on the European strategy for data. The EDPS welcomed the strategy, considering its implementation an opportunity to set an example for an alternative data economy model.

Impact assessment

This proposal is accompanied by an impact assessment 53 , submitted to the Regulatory Scrutiny Board (RSB) on 29 September 2021 and 13 December 2021. On 21 January 2022, the Board issued a positive opinion subject to reservations.

Regulatory fitness and simplification

By clarifying that the sui generis right under the Database Directive (Directive 96/9/EC) does not apply to databases containing data generated or obtained by the use of products or related services, the proposal ensures that the sui generis right will not interfere with rights for businesses and consumers to access and use data and to share data provided for in this Regulation. The clarification will align the application of the sui generis right with the aim of the legislative proposal and have a positive impact on the uniform application of rules in the internal market and for the data economy.

By facilitating data access and use, the Data Act should reduce burdens, both in the public sector and among businesses, mainly as a result of lowering transaction costs and in terms of efficiency gains. In the scope of the ‘one in, one out’ approach 54 , which aims to minimise burdens for citizens and businesses related to the implications and costs of applying legislation, the Data Act’s estimated net administrative burden, based on the Impact Assessment, accounts for benefits that are likely not only to offset but to far outweigh the associated administrative costs.

Fundamental rights

The proposal is in compliance with the Union legislation on the protection of personal data and the privacy of communications and terminal equipment and envisages additional safeguards where access to personal data can be concerned, as well as in cases subject to intellectual property rights.

In Chapter II, a high level of consumer protection is reinforced with the new right to access user generated data in situations previously not covered by Union law. The right to use and dispose of lawfully acquired possessions is reinforced with a right to access data generated from the use of an Internet of Things object. This way, the owner may benefit from a better user experience and a wider range of, for example, repair and maintenance services. In the context of consumer protection, the rights of children as vulnerable consumers deserve specific attention and the rules of the Data Act will contribute to clarity about data access and use situations.

The Internet of Things data access right for third parties upon the user’s request limits the freedom to conduct a business and the freedom of contract of the manufacturer or designer of a product or related service. The limitation is justified in order to enhance consumer protection, in particular to promote consumer’s economic interests. The manufacturer or designer of a product or related service typically has exclusive control over the use of data generated by the use of a product or related service, which contributes to lock-in effects and hinders market entry for players offering aftermarket services. The Internet of Things data access right addresses this situation by further empowering consumers using products or related services to meaningfully control how the data generated by their use of the product or related service is used and enabling innovation by more market players. Consumers can therefore benefit from a wider choice in aftermarket services, such as repair and maintenance, and no longer depend on only the manufacturer’s services. The proposal facilitates the portability of the user’s data to third parties and thereby allows for a competitive offer of aftermarket services, as well as broader data-based innovation and the development of products or services unrelated to those initially purchased or subscribed to by the user.

The limitation of the manufacturer’s or designer’s freedom to contract and conduct a business is proportionate and mitigated by the unaffected ability of the manufacturer or designer to also use the data, insofar it is in line with the applicable legislation and the agreement with the user. Furthermore, the manufacturer or designer will also benefit from the right to require compensation for enabling third party access. The access right is without prejudice to the existing access and portability rights for data subjects under the GDPR. Additional safeguards ensure a proportionate use of the data by the third party.

In Chapter IV, a fair and effective system of protection against unfair contractual terms in data sharing will contribute to micro, small or medium-sized enterprises’ ability to conduct a business. This provision restricts the contractual freedom of companies in the scope to a limited extent, as it only applies to unfair contractual terms related to data access and use unilaterally imposed by one contractual party on a micro, small or medium-sized enterprise. This is justified as SMEs are typically in a weaker bargaining position and often left with no other choice than to accept ‘take it or leave it’ contractual terms. The contractual freedom largely remains unaffected as only excessive and abusive terms are invalidated, and the concluded contract, if possible, remains valid without the unfair terms. Furthermore, the parties can still individually negotiate a specific contractual term 55 .

In Chapter V, the provisions related to business-to-government data sharing based on an exceptional need will enhance the capacity of public authorities to take action for the common good, such as to respond, prevent or assist in the recovery from a public emergency. The private sector also stands to benefit from the streamlining of data request procedures.

In Chapter VI, the provisions on switching of data processing providers enhances the position of the business customers and safeguards their choice to change provider. The limitation of the right to conduct a business for data processing providers is justified because the new rules address lock-in effects in the cloud and edge market and improve the choice for business users and individuals of data processing services.

In Chapter X, the intervention on the sui generis database right of the Database Directive does not limit the IP protection therein. It rather contributes to legal certainty in cases where the protection of the sui generis right was previously unclear.

4. BUDGETARY IMPLICATIONS

This proposal will not have any budgetary implications.

5. OTHER ELEMENTS

Implementation plans and monitoring, evaluation and reporting arrangements

On a sectoral and macroeconomic level, the ongoing Data Market Monitoring study will help track the economic impact of the current proposal on the growth of the data market in the Union.

The impact on SMEs, namely their perception of problems related to data access and use, will be assessed with an SME panel consultation five years after adoption of the Data Act.

Given the central role of the Common European Data Spaces in the implementation of the European strategy for data, many of the effects of this initiative will be monitored on the level of the sectoral data spaces, and the insights collected by the Data Spaces Support Centre to be funded under the Digital Europe Programme. The regular interaction between the Commission services, the Support Centre and the European Data Innovation Board (to be established following the entry into force of the Data Governance Act) should serve as a reliable source of information allowing in order to assess progress.

Finally, an evaluation will be launched four years after the adoption of the Data Act to evaluate the initiative and to prepare further action as required.

Detailed explanation of the specific provisions of the proposal

Chapter I defines the subject matter and scope of the regulation and sets out the definitions used throughout the instrument.

Chapter II increases legal certainty for consumers and businesses to access data generated by the products or related services they own, rent or lease. Manufacturers and designers have to design the products in a way that makes the data easily accessible by default, and they will have to be transparent on what data will be accessible and how to access them. Provisions in this Chapter shall not affect the possibility for manufacturers to access and use data from products or related services they offer, where agreed with the user. There is an obligation of the data holder to make such data available to third parties upon the request of the user. Users will be entitled to authorise the data holder to give access to the data to third party service providers, such as providers of aftermarket services. Micro and small enterprises will be exempt from these obligations.

Chapter III sets out general rules applicable to obligations to make data available. Where a data holder is obliged to make data available to a data recipient as in Chapter II or in other Union law or Member State legislation, the general framework addresses the conditions under which data is made available and the compensation for making data available. Any conditions will have to be fair and non-discriminatory, and any compensation will have to be reasonable, without precluding other Union law or national legislation implementing Union law from excluding compensation or providing for lower compensation for making data available. Any compensation set for SMEs cannot exceed the costs incurred for making the data available, unless otherwise specified in sectoral legislations. Dispute settlement bodies certified by the Member States may assist parties that disagree on the compensation or conditions to come to an agreement.

Chapter IV addresses unfairness of contractual terms in data sharing contracts between businesses, in situations where a contractual term is unilaterally imposed by one party on a micro, small or medium-sized enterprise. This Chapter guarantees that contractual agreements on data access and use do not take advantage of imbalances in negotiating power between the contractual parties. The instrument of an unfairness test includes a general provision defining unfairness of a data sharing-related contractual term complemented by a list of clauses that are either always unfair or presumed to be unfair. In situations of unequal bargaining power, that test protects the weaker contractual party in order to avoid unfair contracts. Such unfairness impedes the use of data by both contractual parties. With that, the provisions ensure a fairer allocation of value in the data economy 56 . Model contractual terms recommended by the Commission may assist commercial parties in concluding contracts based on fair terms.

Chapter V creates a harmonised framework for the use by public sector bodies and Union institutions, agencies and bodies of data held by enterprises in situations where there is an exceptional need for the data requested. The framework is based on an obligation to make data available and would only apply in the case of public emergencies or in situations where public sector bodies have an exceptional need to use certain data, but such data cannot be obtained on the market, in a timely manner through enacting new legislation, or by means of existing reporting obligations. In case of an exceptional need to respond to public emergency, such as public health emergencies, or major natural or human-induced disasters, data would be made available for free. In other cases of exceptional need, including to prevent or assist the recovery from a public emergency, the data holder making the data available should be entitled to compensation that include costs related to making the relevant data available plus a reasonable margin. To ensure that the right to request data is not abused and that the public sector remains accountable for its use, the requests for data would need to be proportionate, clearly indicate the purpose to be achieved, and respect the interests of the enterprise making the data available. Competent authorities would ensure the transparency and public availability of all requests. They would also handle any resulting complaints.

Chapter VI introduces minimum regulatory requirements of contractual, commercial and technical nature, imposed on providers of cloud, edge and other data processing services, to enable switching between such services. In particular, the proposal ensures that customers maintain functional equivalence (a minimum level of functionality) of the service after they have switched to another service provider. The proposal contains an exception for technical unfeasibility, but puts the burden of proof in this regard on the service provider. The proposal does not mandate specific technical standards or interfaces. However, it requires services to be compatible with European standards or open interoperability technical specifications where these exist.

Chapter VII addresses unlawful third party access to non-personal data held in the Union by data processing services offered on the Union market. The proposal does not affect the legal basis of data access requests made to data held by EU citizens or businesses and is without prejudice to the Union’s data protection and privacy framework. It offers specific safeguards, by way of providers having to take all reasonable technical, legal and organisational measures to prevent such access that conflicts with competing obligations to protect such data under Union law, unless strict conditions are met. The Regulation complies with the Union’s international commitments in the WTO and in bilateral trade agreements.

Chapter VIII provides for essential requirements to be complied with regarding interoperability for operators of data spaces and data processing service providers as well as for essential requirements for smart contracts. The Chapter also enables open interoperability specifications and European standards for the interoperability of data processing services to promote a seamless multi-vendor cloud environment.

Chapter IX lays down the implementation and enforcement framework with competent authorities in each Member State, including a complaints mechanism. The Commission shall recommend voluntary model contractual terms on access to and use of data. Penalties shall apply for infringements of this Regulation.

Chapter X contains a provision so that the sui generis right established in Directive 96/9/EC does not apply to databases containing data obtained from or generated by the use of a product or related service to hinder the effective exercise of the right of users to access and use data in accordance with Article 4 of this Regulation or of the right to share such data with third parties in accordance with Article 5 of this Regulation.

Chapter XI allows the Commission to adopt delegated acts to introduce a monitoring mechanism on switching charges imposed on providers of data processing services, to further specify the essential requirements regarding interoperability, and to publish the reference of open interoperability specifications and European standards for the interoperability of data processing services . It also provides for the committee procedure to adopt implementing acts to facilitate the adoption of common specifications for interoperability and smart contracts where harmonised standards do not exist or are insufficient to ensure the conformity with essential requirements. The proposal also clarifies the relation to other Union legal acts governing data sharing rights and obligations.