2022-04-05 | Adatvédelem

Introduction

Partly due to data protection concerns, the European Commission's 2020 work program has set a number of strategic objectives in this area, the purpose of which is to “create a true single data market and make Europe the leader of the global leader in an agile data market.” The first step of this program was the creation of the Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data in the European Union (Data Governance Act), aimed at making electronic data freely accessible throughout the EU, and we have now reached a new station in the form of the “Data Act”.

It is important to note here that for the time being the Data Act is still merely a proposal that was adopted by the European Commission in February 2022 and that is currently in its first reading before the European Council. Our current series of articles is aimed at discovering what we can expect from the Data Act in the future.

What exactly is the Data Act?

The Commission believes that business-to-business contracts do not necessarily grant access to data for small and medium-sized enterprises, and that conditions for harmonious cooperation between businesses and government bodies need to be created.

This goal is to be realized in a five-step process:

1.         Staying in line with existing policy provisions

Although the Data Act expands the concept of data compared to the GDPR, (i.e. it includes all data generated in addition to personal data), the provisions of the GDPR continue to take precedence with regard to personal data. So strictly speaking, there is no significant change in the way personal data is handled.

Which data are governed by the Data Act?

The Data Act applies to all data – including personal data as well, however the latter are primarily covered by the GDPR.

The easiest way to understand the difference between the two types of data is that personal data are those that are capable of identifying the user or are directly linked to the person (for example: name, address, credit card details, fingerprint, etc.)

The category of non-personal data includes everything else that is generated by the user but is not directly linked to them or, in the event that such data is linked to the data subject, the date is anonymized in such a way that it is not possible to identify the user (even if the user could otherwise be identified based on browsing history, content usage patterns, statistics in phone games etc.)

2.         Facilitating access to- and use of data for users and businesses

An important future change under the Data Act is that the user will have the right to access not only his personal data but also his non-personal data that is generated while using the product or service and will be entitled to use it. This can be done directly in the product (e.g. on a smartphone with a few clicks) or indirectly at the request of the user.

The companies will immediately have to ensure that users can exercise this right, and they will have to act in accordance with this principle when designing their products. Companies will also have to provide accurate information to their users about their rights and how to use their data.

3.         Data sharing between businesses and public bodies

Public authorities may, in exceptional circumstances, have access to data (i.e. a combination of personal and non-personal data) held by service providers. Such circumstances include emergency responses and the performance of legal obligations, but requests for data sharing must always be proportionate and not to the detriment of the service providers.

4.         Facilitating the transition between cloud and peripheral services

Cloud services have become a part of everyday life for the average user, and are much preferred to the now almost archaic solutions of traditional data storage media (e.g. flash drive, hard drive, phone internal memory, etc.). Moreover, companies and public bodies are also commonly using them for work and data storage purposes.

In essence, cloud services and perimeter services (i.e., devices that provide an entry point to corporate or service provider core networks, such as routers or router switches), are what our data economy is built on. However, if we wish to switch to cloud providers, we will have an unpleasant experience with the current possibilities, as neither side has an explicit obligation to transfer the data themselves. Therefore, either we move our data from one cloud to another manually or, for a fee, a service provider or a third party may do it for us. To remedy this, the Data Act imposes obligations on cloud providers both in terms of their contractual obligations and new standards that will make the transfer of data between providers easier and, in principle, free of charge. The specific technical details are not yet defined in the text of the proposal for the regulation, only that they must be compatible with European standards, so there are still many questions regarding the actual implementation.

5.         Developing interoperability standards for reusing cross-sectoral data

Developing interoperability standards means that cooperation between different systems needs to be made simpler, and data sharing between different economic sectors needs to be made easier. As with cloud providers, the regulation does not prescribe specific technical standards in this regard, but only stipulates that the services must be compatible with European standards and interfaces.

* * *

Our office is committed to providing up-to-date information and helping clients make their decisions. That is why, in a rapidly changing legal environment, we are constantly updating our articles so that you are the first to know about important legal changes. We will be back shortly with the continuation of our article.