On September 13, 2024, the European Commission published extensive FAQs on the Data Act ("DA"). The FAQs were developed in consultation with the various relevant interest groups. They are intended to clarify key questions relating to the Data Act in order to support the application and understanding of the law.
The DA entered into force on January 11, 2024 (see Updates Data Protection No. 148 and No. 158). However, many provisions remain unclear for those applying the law, so the DA's objective of regulating access to and use of data in the EU cannot be optimally implemented.
We summarize the key points of the FAQs for you and examine the extent to which they contribute to the concretization of the DA. It should be emphasized that the FAQs are not an official statement by the Commission, but can nevertheless provide helpful points of reference for understanding the concept.
I. Objective and scope of application
The Commission emphasizes that the DA does not regulate the protection of personal data. The DA is therefore not intended to replace the General Data Protection Regulation ("GDPR"). Nevertheless, the DA in parts fleshes out the overarching provisions of the GDPR: Art. 4 and 5 DA supplement the access and portability rights of Art. 15 and 20 GDPR by also providing for data access and data transfer to third parties for non-personal data. The Commission emphasizes that the central objective of the DA is to improve the sharing of data, promoting close cooperation between authorities while respecting the responsibilities of data protection authorities. This intention is already apparent from the interplay between recitals 1, 2, 4 and 7 of the DA.
In future, manufacturers of connected products and providers of digital services should place a particular focus on the fulfillment of access and portability rights, as these are a core concern of the DA. Due to their prominent placement in the Commission's FAQs, it is to be expected that the supervisory authorities will also be particularly active in prosecuting these cases.
The Commission has also clarified the material scope of the DA: On the one hand, only data generated or collected after the entry into force of the DA fall within the scope of the DA. It does not matter whether the data was generated inside or outside the EU. On the other hand, purely descriptive data (e.g. operating instructions) do not fall within this scope. The same applies to enriched data such as data analyzed using AI or algorithms.
For the first time, the Commission provides concrete examples of the scope of application of the DA in the FAQs - in contrast to the recitals of the DA: smartphones and televisions are now explicitly highlighted as connected products. The Commission also states that mobile connected products such as ships, airplanes and cars should be treated in the same way as immobile connected products. The only thing that matters is that a connected product has been placed on the market in the EU.
In this respect, manufacturers of connected smartphones and televisions in particular, as well as the providers of associated services, should be among the "first movers" of DA compliance. The same applies to manufacturers of cars and providers of connected services, as cars were repeatedly used as a prime example of a DA application scenario during the legislative process.
According to the Commission, devices that are primarily used for the storage, processing or transmission of data are expressly excluded from the scope of the DA. This includes servers and routers, for example, unless they are owned, rented or leased by the user. This has significant relevance for cloud services where servers are rented or server-like functions are offered. This is already laid out in recital 16 sentence 4 DA.
II. The main actors of the DA
The Data Act defines several key actors involved in data access. In the FAQs, the EU Commission also consistently refers to the three core actors of the DA, namely the user, the data holder and the third party.
1. User
The term "user" is legally defined in Art. 2 No. 12 DA and is a key term of the DA. According to Art. 1 para. 3 lit. b DA, the user must be established in the EU. The Commission notes that it is quite possible for several people to be users of one and the same connected product. This is hardly surprising and should have no effect on the internal relationship between users, as a variety of scenarios are conceivable in which several users use a connected product such as a car or a smartphone.
At several points in the FAQs, the Commission emphasizes the discretion of manufacturers and providers with regard to granting users direct or indirect access to their data. In the case of direct access, the user has the technical means to access the data, whereas in the case of indirect access, the user must first ask the data holder for access. The manufacturer has a certain amount of leeway as to how it organizes data access. In any case, the data must be passed on to third parties at the user's request, regardless of whether the user has direct or indirect access to the data.
If the right to access and use data is not properly fulfilled, users have the right to lodge a complaint in accordance with Art. 38 DA and the right to a judicial remedy in accordance with Art. 39 DA.
2. Data holder
Another definition with significant relevance in the context of the DA is that of the data holder. The FAQs flesh out the legal definition in Art. 2 No. 13 DA to the effect that a manufacturer does not necessarily have to be the data holder. The determination of the data holder therefore does not depend on who produced the hardware or software, but on who controls access to the readily available data (see FAQ No. 18: "Determining who the data holder is does not depend on who produced the hardware or software, but on who controls access to the readily available data"). With this statement, the Commission opens up a wide range of options for manufacturers of connected products to "outsource" DA compliance. Whether a data holder is based inside or outside the EU is irrelevant.
In contrast to the term "user", the Commission states that a company cannot be both a user and a data holder of the same data in the context of the same service (see FAQ No. 31: "a company cannot be a user and a data holder for the same data"). This statement contradicts recital 34 sentence 11 DA, which does not have the character of law, but nevertheless has a certain weight in the interpretation. Recital 34 sentence 11 DA provides that a user can become a data holder as soon as data is made available to him. In this respect, this statement by the Commission opens up scope for argumentation for users and data holders with regard to the question of whether they are subject to the regulations of the DA. This is particularly relevant in constellations in which users have been provided with data by the data holder and subsequent users have an interest in this data, e.g. when selling a connected product.
In any case, it should be possible for several data holders to exist for one and the same connected product. The necessary consequence of this is that several actors can control access to user data. As a rule, this will also depend equally on the technical and legal design and is reminiscent of the data protection constellation of "joint controllership" in accordance with Art. 26 GDPR. Analogous to the provisions of the GDPR, there is also a wide scope for contractual mapping of the respective roles and obligations under the DA, in particular with regard to who fulfills the user rights to data access and data portability.
Finally, situations are also possible in which there is no data holder at all. This is the case, for example, if in fact no actor or only the user has the possibility to access the data of a connected product or a connected service.
3. Third parties
The Commission confirms that data holders are only obliged to disclose the data to a third party at the request of a user if the third party is located in the Union. This means that no data access can be granted to actors who are not based in the EU. This has not so far been stated in the legal text with the desired clarity.
However, regardless of where it is based, a data holder is legally obliged to disclose data to a person based in the EU at the request of an EU user. The location of a data holder is therefore treated differently from that of a third party.
The Commission also states that in the context of B2G data exchange, the Member States themselves can implement the concept of a "public emergency" in national law. The most important actor in this context is the public authority, which has the right to request data from the data holder if the requested data is necessary to deal with a public emergency and cannot be obtained in any other way under equivalent conditions.
Here, the FAQs explicitly refer to recital 64 DA as an aid to assessing an equivalent condition. It is important to note that, according to the Commission, the data requested in the context of B2G data exchange does not become public sector information and thus does not become openly reusable. In this respect, reference should be made to the provisions of the Data Governance Act, the second chapter of which regulates the reuse of certain categories of protected data held by public bodies.
III. Enforcement
With regard to the enforcement of the DA, the Commission clarifies that the European Data Innovation Board ("EDIB") is to be used as a platform for the assessment and determination of sanctions in the event of breaches of the DA. Overall, this will ensure mutual coordination between the national supervisory authorities. The sanctions will thus be successively harmonized across the EU, even though they lie within the legislative competence of the Member States.
In this context, the Commission also points out that companies based outside the EU that offer connected services or connected products on the EU market must appoint a legal EU representative. The role of this representative is comparable to that of the representative of controllers or processors not established in the Union pursuant to Art. 27 GDPR. In this respect, the representative is appointed by a company to serve as a point of contact in addition to or in place of the company, in particular for supervisory authorities and users in all matters relating to processing to ensure compliance with the DA.
IV. Outlook
In the FAQ, the Commission concludes with a broad outlook for the future:
The further development of the DA and its practical application remains to be seen. Overall, the FAQs provide good initial assistance for users who have questions regarding the application and understanding of the DA. The Commission intends to revise the FAQs on an ongoing basis. However, the FAQs are not yet able to resolve complex legal issues in depth. In most places, they essentially only confirm the existing legal text. The final authority to interpret the DA thus remains with the national supervisory authorities and ultimately with the European Court of Justice.