Technology | Political agreement between the European Parliament and the European Council on the Data Act

On 27 June 2023, the European Parliament and the European Council came to a provisional agreement regarding the provisions of the Data Act (the “Act”). Originally introduced by the European Commission in February 2022, the Act aims to foster innovation by increasing access to data and clarifying who can create value from data and under which conditions. The proposed legislation holds considerable importance and interconnection with the AI Act, compelling both businesses and individuals to closely monitor its progress and potential implications.

What is the Data Act?

The Data Act forms an integral part of the EU’s comprehensive data strategy alongside the Data Governance Act and the AI Act. Collectively these acts aim to amplify innovation, foster value creation, and safeguard fundamental EU rights and values. The Act provides a comprehensive definition of data as “any digital representation of acts, facts, or information, including compilations thereof, in various forms such as sound, visual, or audio-visual recordings”, and will therefore affect a large amount of business within different industries and fields. Furthermore, the Act aims to ensure fair access to data generated by devices and services, protect against unilateral imposition of unfair contractual terms, facilitate emergency access to private sector-held data by public sector bodies, and establish provisions allowing customers the freedom to seamlessly switch between cloud data-processing service providers.

What are the key provisions of the Data Act?

The Data Act sets out several key provisions that will have significant implications for companies that use or provide data directly or indirectly in the EU. Some of the key provisions include:

Article 3-7 in the Act contains rules that give users (or third parties designated by the user) the right to access user generated data directly.
Article 13 of the Act prohibits (unfair) contractual terms that are unilaterally imposed on a micro, small or medium-sized enterprise.
Article 14 gives public sector bodies rights to access data based on exceptional need.
Article 23-26 state that device and service providers must remove obstacles that prevent effective switching between providers of data processing services (lock-in).

What are the implications of the Data Act?

The implications of the Data Act are multifaceted and significant. By aiming to increase data accessibility, the Act can foster innovation across various sectors, enabling businesses and individuals to harness the potential of data more effectively. The Act’s emphasis on clarifying value creation from data and establishing conditions for its utilization can promote fair competition and facilitate the development of data-driven services and solutions.

Furthermore, the Act’s broad definition of data, encompassing different formats and compilations, ensures its applicability to a wide range of digital information, including sound, visual, and audio-visual recordings. This inclusive approach reflects the evolving nature of data and its diverse forms in today’s digital landscape.

The Act also introduces provisions to address specific challenges and concerns. For instance, it seeks to protect against unfair contractual terms imposed unilaterally by one party, promoting a more fair environment for data sharing and collaboration. Additionally, it establishes rules that grant customers the freedom to switch between cloud data-processing service providers, enhancing competition and empowering users with greater control over their data.

In terms of emergency situations, the Act allows public sector bodies to access data held by the private sector, ensuring effective responses during critical moments. This provision stems from the Act’s objective of balancing privacy and security concerns with the need for data utilization for public benefit.

Overall, the Data Act represents a significant step towards harmonizing data regulations within the EU, fostering innovation, protecting fundamental rights, and encouraging responsible and ethical data practices. Its implications extend to various stakeholders, including businesses, individuals, and public sector organizations, shaping the data ecosystem and driving digital transformation.

Timeline

The provisional agreement is subject to formal approval by the two co-legislators and will then be adopted by both institutions following legal-linguistic revision. Once the Act is officially adopted, it will come into effect, ultimately becoming applicable 20 months thereafter. The Act is deemed as relevant to the EEA, but it is premature to determine if it will be enacted in Norway and the other EEA countries.

BAHRs view

When passed, the Data Act may not only influence the sharing and use of data inside the EU, but also outside the borders of the EU/EEA, given the influence of the EU. Companies engaging in data sharing, utilizing AI systems within the EU, or providing data or AI systems or services to EU customers must meticulously evaluate the potential risks tied to their systems and diligently adhere to the obligations outlined in the regulation. Given the importance of data within almost all fields and sectors, we believe that the Act will have significant implications for both individuals and businesses globally. We believe this should motivate companies sharing or using data, or providing systems enabling data sharing, to assess the impact of the Act on their business even before it becomes applicable.