Recent Developments
On 23 February 2022, the European Commission (“Commission“) publicized the draft Data Act as part of the European Data Strategy. Following these developments, the European Council (“Council“) adopted the Data Act on 27 November 2023. The Data Act aims to increase access to data and ensure a fair environment for its use, while regulating who can benefit from data and under what conditions.
You can access the press release on the Data Act here and the Data Act adopted by the Council here.
What’s new?
The Data Act is expected to provide both individuals and businesses with more space to take control over their data. The Data Act primarily regulates much easier and faster access to data for consumers, businesses and public authorities.
Accordingly, the regulations envisaged by the Data Act are as follows:
- Access to Internet of Things (IoT) data is prioritized in the Data Act and users of these devices, including smart home appliances and industrial smart machines, have access to the data generated by their usage, provided that it is relevant and appropriate.
- The Data Act, which aims to encourage data sharing, also regulates the adequate protection of trade secrets and the relevant safeguards against possible misconduct. Accordingly, trade secrets may only be disclosed insofar as they relate to third parties, and provided that the necessary measures are taken to protect the confidentiality of trade secrets. In addition, the data subject will be able to prevent users from accessing the data in cases where it is able to demonstrate the likelihood of a serious and irreparable economic loss.
- The Data Act also introduces a number of measures to address the imbalances in data sharing agreements caused by the terms imposed by the party with the stronger bargaining position, to provide a bargaining advantage, especially to small and medium-sized enterprises, and to create a more fair agreement environment.
- On the other hand, the Commission, the European Central Bank and the institutions of the European Union are allowed access to data held by the private sector, only in urgent and exceptional circumstances, such as natural disasters or public order emergencies, and these public authorities are also provided with various tools for the use of such data. However, their access to private sector data is limited to cases where (i) the collection of personal data is necessary to respond to an emergency and (ii) it is not possible for public authorities to obtain data promptly and effectively through other means under similar circumstances.
- Another noteworthy aspect of the Data Act adopted by the Council is the introduction of measures against illegal data transfers of cloud service providers and regulations aimed at developing interoperability standards for data to be reused across sectors.
- The Data Act also sets out obligations for smart contracts and imposes obligations on smart contract providers, such as data archiving and providing audit options.
- Moreover, the Data Act introduces safeguards against unauthorized data transfers, and increases the reliability of data processing by preventing consumers from being tied to a single provider.
Conclusion
The Data Act aims to regulate the transfer of data between individuals and the private sector, the use of data by certain public authorities under specific circumstances, and fundamental rights in relation to data. The new regulation is expected to be published in the Official Journal of the European Union in the coming weeks. The Data Act will enter into force within 20 days of its publication in the Official Journal of the European Union and will start to be implemented 20 months after its entry into force. While the European Union takes a step further, with the Data Act, towards its 2030 target as part of its digital transformation strategy, it aims to promote a competitive data market and make data accessible to everyone.