Hogan Lovells 2024 Election Impact and Congressional Outlook Report
The Data Act Proposal aims to provide fairness to data access and proposes new rules on who can use and access data generated in the EU across all economic sectors. It creates the obligation for manufacturers and designers to share data with their users and other businesses, defines and forbids unfair terms in data sharing agreements, creates the obligation for companies to share data with public sector bodies in cases of emergency and regulates the right of users to switch between cloud data-processing services.
In this second post of Data Act series we will focus on the contractual conditions for the data sharing agreements between data holders and users / third parties. The general rule is that parties have freedom to agree the contractual terms. However, as the power of negotiation could be unbalanced, the Data Act Proposal includes certain prohibitions in order to protect the “weak” party: the data user or the third party receiving the data.
The Data Act Proposal (available here) is a fundamental necessary step towards the digital transformation journey of the EU Member States. Together with the Data Governance Act (available here), both regulations establish the framework of a standardised set of European rules on fair access and use of data.
The proposed Data Act aims to guarantee that a certain level of fairness is reached throughout data legislation in the EU by setting rules regarding the use of technological devices and the data originated therefrom. It is a reality that rights in that matter are often imprecise, even being sometimes impossible for users or companies to realise and exploit the full potential of the devices or digital gadgets they use and the data they collect. The Data Act Proposal tries to solve this situation and provides a stronger and more consistent right to share data (personal and non-personal). The list of cases where this happens is endless: from virtual assistants, health devices, industrial equipment, vehicles, home equipment, consumer goods, telephone networks, television cable networks, satellite-based networks and near-field communication networks. The Data Act will be transversal to all business sectors in the EU economy.
In the first post of the Data Act series (available here), we addressed the right to data sharing that is created in the Data Act Proposal. The scope of this sharing right includes the obtention of the data generated by the use of products or related services by any user (individual or company) from the manufacturer; or designer of a product or related service; or the relevant rightsholder of the service (broadly, the data holder).
The Data Act Proposal has the aim of making data available to all users of services that produce data, in particular micro, small or medium-sized enterprises (as an exception, gatekeepers under the Digital Markets Act (DMA) cannot exercise their data sharing right under the Data Act). From this perspective, the European Union further reinforces the vision of a cohesive and strong Europe in its willingness to establish a European data space. A first step in this direction had already been taken under Regulation 2019/1150 (P2B Regulation), which mandated online intermediation services to include in their terms and conditions a description of the technical and contractual business users' right, or absence thereof, to access data processed in the context of the service.
As a guiding principle for the purposes of the Data Act, the parties should remain free to negotiate the precise conditions for making data available in their contracts, within the framework of the sharing right. However, when drafting the data sharing contract, the following shall be taken into account:
(a) the nature and volume of the data likely to be generated by the use of the product or related service (e.g. data that measures user´s engagement with the product – the most frequently accessed features, the average time spent taking a specific action or a map of user´s journey through the product);
(b) whether the data is likely to be generated continuously and in real-time (e.g. data generated by wearable devices in healthcare sector);
(c) how the user may access those data (e.g. by contacting the data holder or through the product´s settings);
(d) whether the manufacturer/service provider intends to use the data itself or allow a third party to use the data and, if so, the purposes for which those data will be used;
(e) whether the seller, renter or lessor is the data holder and, if not, the identity of the data holder.
Very often data holders have a strong negotiation position, which is usually the case with major tech companies, and may want to reduce as much as possible the sharing rights or include favourable contractual terms in data sharing agreements. Therefore, the Data Act Proposal addresses the unfairness of contractual terms in data sharing contracts between businesses in situations where a contractual term is unilaterally imposed by one party on a micro, small or medium-sized enterprise. That could be regarded as a paradigm shift in European contract law. So far European law on controlling not individually negotiated contractual terms was limited to B2C agreements, while some EU-Member States applied the rules to control the fairness of B2B agreements.
The Data Act Proposal guarantees that contractual agreements on data access and use do not take advantage of imbalances in negotiating power between the contractual parties. In situations of unequal bargaining power, the fairness test protects the weaker contractual party in order to avoid unfair contracts. Data Act Proposal refers to two requirements to identify clauses to which the fairness test should apply. On the one hand, the Data Act Proposal demands that the relevant clauses is "unilaterally imposed" by one party. The other party must not have been able to influence the clause despite an attempt to negotiate it. Therefore, if a party simply accept the relevant contract term without any opposition, it will not benefit from the fairness test. On the other hand, the fairness test only applies to micro, small or medium-sized enterprises (SME).
The rules on the contractual terms level the fairness test should only apply to those elements of a contract that are related to the sharing right, that is contractual terms concerning the access to and use of data as well as liability or remedies for breach and termination of data related obligations. Other parts of the same contract, unrelated to making data available, should not be subject to the fairness test.
A clause will be considered unfair if:
A clause will be presumed unfair if (among others):
The limitation of the manufacturer’s or designer’s freedom to contract and conduct a business is mitigated by its unaffected ability to also use the data, insofar it is in line with the applicable legislation and the agreement with the user. Furthermore, the manufacturer or designer will also benefit from the right to require compensation for enabling third party access.
In any case, the Commission will publish a non-binding data sharing agreement that could be useful as a benchmark of what is considered to be “balanced” in terms of the right to data access for the purposes of the Data Act.
Data holders have the right to obtain “reasonable” compensation from third party recipients (i.e. not the own user) for making data available. They shall provide the data recipient with information setting out the basis for the calculation of the compensation in sufficient detail so that the data recipient can check it out.
In case of large companies, or when the data holder is a small or medium-sized enterprise and the data recipient a large company, the parties are considered capable of negotiating any compensation if it is reasonable.
However, when the data recipient is a micro, small or medium enterprise, any compensation agreed shall not exceed the costs directly related to making the data available to the data recipient and which are attributable to the request (i.e. the operational cost of handling the query). Direct costs for making data available should be limited to the share attributable to the individual requests, taking into account that the necessary technical interfaces or related software and connectivity will have to be set up permanently by the data holder.
When the data to be shared between companies qualifies as “personal data” under the GDPR, the contractual terms shall also address this situation and contain the necessary clauses:
If the user is a data subject, data holders should be obliged to provide them access to their data and to make the data available to third parties of the user’s choice. The Data Act Proposal complements the portability right under the GDPR to the extent that it covers (i) not only personal data, but also non-personal data; (ii) data that is actively provided and passively observed data; and (iii) any data regardless of the legal basis of processing by which personal data was collected and processed.
In addition, access to any data stored and accessed from terminal equipment is subject to the E-Privacy Directive and requires the consent of the subscriber or user within the meaning of that Directive.
Authored by Juan Ramón Robles, Joanna Rozanska, Valerio Natale and Jasper Siems