EU Data Act The Data Act (COM(2022) 68 final, also known as the "DA" or "Data Act") should not initially be confused with the Data Governance Act.

Contrary to what the name "Data Act" might suggest, the Data Act does not regulate the question of "ownership of data". In relationships between providers and customers, the question of data allocation therefore remains unresolved, for example in the relationship between the manufacturer, owner (keeper) and owner (driver) of a motor vehicle and in the relationship between the manufacturer and user of a medical device and the patient concerned. Intellectual property rights are also not regulated (apart from minor clarifications); the Data Act nevertheless addresses the relationship between such providers and customers, but by regulating individual rights and claims. The five main subjects of regulation of the Data Act according to the current draft are

Users' right to access and use user-generated data

This ultimately grants the user a right of access to the data generated by the use of a product by the user. Access should be made possible in real time. A variety of delimitation difficulties will already arise with the question of who exactly is the user. This becomes clear when, for example, the situation of the motor vehicle is considered: Is the owner-occupier (keeper), the owner (driver) or, for example, a lessor the "user" in the sense of the standard here.

In addition, manufacturers should ensure that users can exercise their rights as easily as possible when designing their products.

As is often the case with EU requirements, new information obligations must also be fulfilled.

Right to data access and use by public authorities

This new regulatory mechanism is intended to enable public bodies to access private data. In the draft, this access is limited to certain exceptional cases, e.g. in the event of natural disasters.

Prohibition of unfair contractual clauses in standardized data license agreements

These regulations will ultimately be supplementary regulations for prohibitions in general terms and conditions. The EU Commission intends to develop model contract terms.

There will also be special requirements for smart contracts.

Prevention of lock-in effects, interoperability

Similar to the regulation in the GDPR on data portability (data portability), a regulation is planned that will allow users to "move" their data from one provider to another as easily as possible. This is intended to avoid the so-called lock-in effect, whereby a user remains a customer of a provider simply because switching providers is "too inconvenient". In such situations, companies are no longer in competition with their actual offers, but instead there is a de facto customer lock-in, similar to an excessively long contract term. This effect is to be "broken up" by the regulation.

Part of the regulations to avoid the lock-in effect are new requirements for the interoperability of data processing. Among other things, new harmonized standards are to be created at a technical level.

Data transfers to third countries

Similar to the GDPR, requirements for data transfers to countries outside the European Union are also being created. In particular, it must be ensured that official access can only take place if such access is in accordance with the legal framework that also applies in the European Union.

In many respects, the Data Act is therefore a kind of "mini GDPR" that also applies to non-personal data.

This article is part of the overview of the current changes to the EU Data Strategy and the New Legislative Framework. Please note that the legislative project is currently a draft (although marked as "final"). It is therefore not yet applicable law and there may still be changes in the legislative process. However, due to the manageable "transitional periods", it is already necessary to "take a look" at the upcoming law.

Date: 2. Nov 2022