The EU Data Act: “GDPR light” for factual data

With their Draft regulation for a data law (E‑DG), the EU Commission has presented the final building block of its European data strategy. The E‑DG is intended to regulate who may use and have access to data generated in the EEA (including factual data). The EU Commission hopes that this will result in a more competitive, fairer and more innovative data market.

Extraterritorial scope of application of the E‑DG

As the General Data Protection Regulation (GDPR), the E‑DG has extraterritorial effect. Unlike the GDPR, however, the E‑DG also applies to factual data. The obligations it contains are particularly relevant for Swiss manufacturers who offer networked products (“Internet of Things”) on the EEA market. As examples, the E‑DSG mentions networked vehicles, consumer goods or industrial machines. Products that primarily aim to display or transmit content (e.g. tablets or cameras), on the other hand, are not covered by the scope. The E‑DG is also relevant for Swiss providers with customers in the EEA of (i) cloud services or (ii) digital services (including software) required for the use of networked products.

The E‑DG regulates the handling of data generated during the use of the aforementioned products or services (e.g., data generated by user actions, diagnostic data), regardless of whether the user is a natural person or a legal entity. Excluded from the scope of application, however, is data that the manufacturer or provider calculates or creates itself or derives in any other way from user actions or events (recital 14).

Right of access to data of networked devices

Among other things, the e‑DSG includes

the principle of “Factual data access by design”. Manufacturers of networked devices or providers of services integrally connected to these devices must design them in such a way that users have access to usage data that is generated (Art. 3 (1) E‑DG). To achieve this goal, the E‑DSG introduces pre-contractual information duties (Art. 3 (2) E‑DG). Among other things, information must be provided in advance about the purpose and disclosure of data generated when the device is used. However, small and medium-sized enterprises (SMEs, Art. 7 E‑DG) are not covered by these obligations; and
the Right of the user to data portability (Art. 4 E‑DG) of the data generated in the course of use, under certain circumstances even continuously and in real time (“real-time”). As under the GDPR, the user may also request that the data be made available directly to a third party (Art. 5(1) E‑DG). “Gatekeepers” within the meaning of the Digital Markets Act do not qualify as such third parties. With the right to data portability, the EU Commission wants to ensure, among other things, that users can have their networked devices repaired and maintained more cost-effectively by third parties (recital 19).

SMEs also benefit from an exception here (Art. 7 E‑DG). “Larger” companies facing a data portability claim can restrict or refuse porting on the basis of trade secrets or (their own or third party) intellectual property rights if necessary. It should be noted, however, that the E‑DG revises the EU Database Directive in such a way that databases containing data from devices and objects of the Internet of Things do not (no longer) enjoy copyright-like protection.

Prohibition of unfair contract terms vis-à-vis SMEs

Furthermore, the EU Commission has set itself the goal of creating balanced negotiating power for SMEs – this by introducing a Clause control in the B2B area in favor of SMEs. This proves to be a sweeping encroachment on contractual freedom – especially since SMEs are often, but not always, in the weaker negotiating position in negotiations with major players.

The EU Commission considers clauses which, for example, exclude or limit the liability of the user of the GTC for intent or gross negligence to be per se inadmissible. This will hardly cause a stir on the Swiss market (cf. Art. 100 para. 1 CO) as well as in other European legal systems (cf. Sec. 309 No. 7 BGB).

However, the catalog of presumed inadmissible clauses is in part far too generic to be manageable in the application of the law (“significantly detrimental to the legitimate interests of the other contracting party”). Here it is to be hoped that the Model contract conditions provide clarity, which the EU Commission plans to develop to help SMEs “draft and negotiate fair data-sharing contracts.”

Access rights of public authorities to data held by private parties

In addition, the E‑DG includes funding for agencies to access and use data held by the private sector that is needed in special circumstances (e.g., floods, forest fires) if data is not otherwise available (Art. 14 E‑DG).

Change cloud provider

The E‑DG also introduces new regulations to enable EEA customers to effectively switch between cloud service providers and introduces “protective measures against unlawful data transfers”. In particular, cloud providers must in future

Reduce economic, technical, contractual and organizational hurdlesthat make switching more difficult. For example, customers should be able to terminate their contract after a thirty-day notice period (Art. 23 Par. 1 lit. a E‑DG);
a contractual provision provide the customer with the Provider change expressly permitted and specifies the associated obligations of the cloud provider (e.g., transfer of existing data, applications, and digital assets);
under certain circumstances set by the EU Commission. technical interoperability standards comply; and
appropriate measures meet to discuss the cross-border disclosure of data, in particular to foreign authorities, where such disclosure would be contrary to Union law or the law of a Member State.

Conclusion

The regulations contained in the e‑DSG are by and large neither necessary nor purposeful. Many provisions, such as those on “access to factual data by design”, information obligations, data portability or “legal access requests” are strongly based on the GDPR. Since, in contrast to personal data, the (in any case unclear) protective purpose of “informational self-determination” is missing in the case of factual data, one can rightly ask what considerations justify the broad and cross-sectoral obligations. The concern to break a technically induced lock-in effect is not new, but data portability is hardly suitable for its enforcement. Even under the GDPR, the claim has a shadowy existence. The encroachment on contractual freedom must also be critically evaluated.

The draft regulation is likely to undergo changes in all of the aforementioned points anyway. The same applies to the introduction of technical interoperability standards, about which many industry associations have already expressed their displeasure.