New obligations for entrepreneurs
The addressees of the new obligations will primarily be manufacturers of products and providers of related services (i.e. digital services, including software, that are included in or interconnected with a product in such a way that their absence would prevent the product from performing its functions) marketed in the EU (hereinafter "IOT manufacturers"). Specific issues that IOT manufacturers will have to take into account are:
- ensuring the default ease and security of user access to the data generated by the product;
- ensuring that the user has direct access to the data generated as a result of the user's use of the product or related service, or, if this is not possible, providing the user with the data free of charge upon request;
- providing the user with information in a clear and comprehensible format covering at least the information specified in the DA;
- limiting the ability to store user access information beyond that necessary for the proper execution of the request and for the security and maintenance of the data infrastructure.
The entity receiving the data will be required to process it only for the purposes and under the conditions agreed with the user, and to delete it when it is no longer necessary for the agreed purpose. The DA regulations provide special rules for the disclosure of information that is a trade secret, indicating that such disclosure shall be made only on condition that all special measures necessary to keep it confidential are taken.
Unfair terms in business-to-business contracts
Implementing the EC's demands for transparency and fairness, the DA will introduce detailed solutions governing data access and use, liability and data protection measures, as well as termination of data obligations. Micro, small or medium-sized enterprises that are parties to data contracts will gain protection when provisions are imposed on them unilaterally and are unfair in nature. In a situation where such an enterprise is a party to the contract, the unfair provision will not be binding on it (a construction similar to the regulation of abusive clauses, which do not apply to consumers). The burden of proof of the one-sidedness of the imposition of the provisions will be on the party that supplied the contractual term - it should be expected that, for the most part, this will be the manufacturer of the IOT, which proposes the contract based on its own template (similar to entrepreneurs on the Internet who face abusiveness charges). The DA will include a catalog of provisions that are considered unfair, taking into account their purpose or effect.
The data indicate that 42% of entrepreneurs in the EU used cloud services in 2021.
Making data available based on exceptional need
The DA will regulate the possibility for public sector bodies and Union institutions, agencies or bodies to use data in cases of exceptional need, which under the DA arises in the following circumstances:
- when the requested data is necessary to respond to a public emergency;
- when the request for data is limited in time and scope and necessary to prevent a public danger or to help restore the baseline after such danger has occurred;
- when the lack of available data prevents the entity from performing a specific task in the public interest and expressly indicated in the law, but only in situations where the entity has been unable to obtain such data by alternative means or where obtaining the data in accordance with the procedure provided for in the DA would significantly reduce the administrative burden on data holders or other companies.
The data holder will be obliged to make the data available to the requesting authority without undue delay. In cases of exceptional need, as a rule, data will be made available free of charge. The DA will also introduce restrictions on the use by public sector bodies of data obtained in this way, indicating that the data can be used only in accordance with the purpose indicated in the request for data, and that it must be destroyed immediately after the purpose for which it was obtained has ceased.
Change of processing service provider
Aiming to enable customers to make a smooth transition between services of the same type, processing service providers (i.e. cloud service providers) will be required to remove commercial, technical, contractual and organizational obstacles that make it particularly difficult for customers to switch providers. Consequently, the DA will require that the customer's rights and the provider's obligations with regard to switching be clearly defined in a written contract, with the inclusion in such a contract of at least:
- clauses allowing the customer to switch to a data processing service offered by another provider or to transfer all data directly or indirectly to a local system (in particular, clauses allowing the establishment of a mandatory maximum transition period of 30 calendar days, during which the data processing provider assists in the switching process and ensures full continuity of service provision);
- a detailed specification of all categories of data and applications that can be exported during the switching process;
- a minimum period during which data can be recovered (at least 30 calendar days, beginning after the end of the transition period).
The DA will also introduce a process for phasing out switching fees. Ultimately, customers should not incur any fees in such a process.
Data interoperability
The DA aims to ensure interoperability, that is, the ability of two or more data spaces, communication networks, systems, products, applications or components to exchange and use data to perform their functions. To do so, data space operators will be required to meet the act's requirements, which include sufficiently describing the content of the data set or technical means of accessing the data (such as application programming interfaces), as well as the obligation to ensure the interoperability of smart contracts in the services and activities they perform. The DA goes into much more detail on smart contracts, setting out the essential requirements for such contracts in terms of data sharing. The provider of an application using smart contracts (or, in its absence, the entity running the activity that provides smart contract implementation services in the context of a data contract) will have to meet requirements for resilience, secure termination and interruption, data archiving and continuity, and access control.
Implementation and enforcement of the data act
Each member state will be responsible for selecting or establishing a competent authority responsible for the implementation and application of the DA. Among the authority's tasks, there will be duties to promote awareness of the rights and obligations under the DA, but also to conduct investigations with regard to the application of the DA and to impose fines when violations are found. Individuals and legal entities will gain the right to file a complaint with the relevant competent authority in a member state if they find that their rights under the DA have been violated.
Summary
While the legislative process for the Data Act is still underway, there is already a fair amount of criticism from both business and the public sector. In May 2022, the EDPB[1] and the EDPS[2] issued a joint opinion on the published draft, in which they expressed their concerns about the insufficient clarification of the relationship between the DA and the GDPR[3], paying particular attention to the references in the DA to both non-personal data and personal data. The creators of the act are still to face many challenges, not only in the area of privacy, so it is still uncertain when the DA will be adopted. The Data Act is intended to be a sector-neutral act, so its provisions will affect a wide range of entities - it is worth following its developments in order to prepare the business for the new rules in due time.