Legal framework for data economy » THE OPERATION

On February 23, 2022, the EU Commission presented a proposal for a regulation on uniform rules for fair data access and data use (Data Act). According to the previous legal situation, the economic allocation of data – in the absence of data ownership – can only take place through contractual regulations. A legal framework for the data economy is now to be created. Attorney Francois Heynike, partner at KPMG Law Rechtsanwaltsgesellschaft mbH in Frankfurt, explains which rules this includes and what this means for companies.

DB: Mr. Heynike, can you briefly explain the key points of the proposed Data Act?

Heynike: Gladly! With the Data Act, the European legislator is trying to create the basis for interest-based access to industrial data for all players in the data economy. The legislator has expressly made it his goal to open up the supremacy of large companies with extensive databases to the benefit of users as well as small and medium-sized companies. The provisions of the Data Act therefore have in common that they impose obligations on product manufacturers and service providers who collect usage data as part of their service provision, so-called data holders, in particular with regard to sharing this data with users and third parties.

Furthermore, the Data Act expressly assigns the decision-making authority over the use of non-personally identifiable user-generated data to users. The draft regulation does not make a specific statement on data ownership. However, data holders may only process user-generated data on the basis of a contract.

DB: For whom is this regulation relevant?

Heynike: In fact, the regulation is relevant for all market participants who participate in data-driven business models. In the age of the Internet-of-Things there is virtually no economic sector left out. In addition to the manufacturers of smart products, the obligations of the Data Act also apply to providers of related services.

Last but not least, the regulations also affect users themselves, which also includes companies. The European Commission repeatedly cites the technological farm as an example of this. The draft grants users a right to access the data they generate and rights with regard to the transmission of data to themselves and third parties. The Data Act also offers some other quality-of-life improvements for users, such as making it easier to switch providers.

However, those companies that have already built up a functioning infrastructure with regard to the collection and processing of industrial data, such as numerous car manufacturers, will be particularly affected by the new regulation. The rules of the current draft of the Data Act have the potential to have a lasting impact on proven business models and force companies to rethink.

DB: And what are the obligations of the addressed companies?

Heynike: First and foremost, manufacturers and service providers will be obliged in the future to design their products and services in such a way that users can directly access the data they have generated. If the data cannot be read directly within the product, providers must make the data available immediately, free of charge and, in individual cases, continuously and in real time.

With regard to the details of data use, providers will have to fulfill pre-contractual information obligations in the future, which are not dissimilar to those of the GDPR. If personal data is also processed in the context of product use, the information obligations of the GDPR must of course also be fulfilled.

Furthermore, all providers are obliged to refrain from technical, contractual and organizational measures that could prevent the user from changing providers.

In addition to the obligations with regard to the exchange of data in the B2B and B2C areas, the Data Act also contains regulations relating to the relationship with public authorities. For example, companies must make the data available to public authorities that are necessary for the fulfillment of tasks in the public interest if there is an extraordinary need.

DB: What needs to be considered when drafting a contract within the scope of the Data Act?

Heynike: The Data Act will have a significant impact on contract design for manufacturers and providers, both in the end customer business and in the B2B area. In the future, the use of user-generated data should only be permitted on the basis of a contract with the user. However, it should be sufficient if the regulations on data use are reflected in the underlying main contract. A separate contract for data use does not have to be concluded. However, as part of the contract, the user must be informed in a transparent manner about the intended use of their data. When drafting contracts, providers will have to take care to anticipate and include as much as possible all conceivable processing and necessary data transmissions. According to the current wording of the regulation, a different use of the data would probably require an adjustment of the existing contract. An analogous provision for permissible further processing, such as that in Article 6 paragraph 4 of the GDPR – change of purpose – cannot currently be found in the draft regulation.

In addition, when drafting the contract, contrary to all business intuition, care must be taken to avoid lock-in effects for users. For example, contracts with users may not provide for any notice periods that go beyond thirty days.

In the B2B area, changes will mainly occur in business relationships with small and medium-sized companies. Relative to these, the Data Act introduces a prohibition on the use of unfair contractual clauses in standard data use and licensing contracts. The regulations are strongly reminiscent of German general terms and conditions law and provide for a catalog-like enumeration of contract contents, the agreement of which can lead to the ineffectiveness of individual clauses or, in extreme cases, the entire contract.

DB: Are there sanction risks?

Heynike: However. The notorious fine rules of the GDPR are directly referred to here. Violations of the Data Act can also be subject to fines of up to EUR 20,000,000 or up to 4% of the company’s total worldwide annual turnover for the previous financial year, whichever is greater. Since the specifications of the Data Act will entail time-consuming and costly adjustments to existing processes and products for those addressed, companies should closely monitor developments with regard to the further legislative process and prepare early for the implementation of necessary technical, organizational and contractual adjustments.

DB: Thank you for the insightful interview!

The interview was conducted by Viola C. Didier, RES JURA editorial office.

To person: Francois Heynike is a partner at KPMG Law and heads the IT and data protection law department. He specializes in providing legal support to national and international companies on complex IT and digitization projects. In addition to advising on all data protection issues, one focus of Mr. Heynike’s work is legal advice on digital transformation, the use of new technologies and the introduction of innovative business models.


Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.