Professional Documents
Culture Documents
SSRN Id4111120
SSRN Id4111120
by
Agnė Smagurauskaitė
Pratheep Balu Anbalagan
Vilnius, 2022
The Regulation on harmonised rules on fair access and use of Data (Data Act) proposed by
the European Union initiated the evaluation of its application in the internal market among
lawyers, academicians, manufacturers, data accessing service providers and users too. The
European Commission is also receiving comments from various interested parties and public
in support of the Regulation.
The authors of this report are Agnė Smagurauskaitė, a final year Finance and Tax law student
and Pratheep Balu Anbalagan LLM, a recent graduate of International and European
(Business) law from Faculty of Law at Vilnius University, Lithuania. Out of academic
enthusiasm, the authors considering different perspective of stakeholders drafted the enclosed
comments highlighting the some of the major issues regarding application of the Regulation
in the internal market. The idea of preparing comments for the Regulation originated from
Mr. dr. Paulius Jurgis, PhD, co-founder, Prifina, an IP and data privacy lawyer at San
Fransico and visiting lecturer at Faculty of Law, Vilnius University.
The proposed Regulation consists of 90 recitals, 11 Chapters and 42 Articles. The report has
11 sections comprising comments on the crucial ten chapters except for the final provisions
of the Regulation. In each section, the authors attempt to present the key purpose of the
Chapter, practical issues on the applicability and required possible improvement in the
Regulation.
The report does not have any conclusion since the Regulation is in the draft stage and
consultations are going on to address the major concerns of the interested parties. The
comments are not exclusive since still there is a possibility for the amendment of the
Regulation. The authors made these comments expecting clarity to achieve the objective and
add value for the improvement of the Regulation while enforcing it in the internal market.
contact at pratheepbalu@gmail.com
1.1 The Regulation on harmonised rules on fair access and use of Data (Data Act)
proposed by the European Union focusing on regulating the data generated on the use
of products and services by the natural and legal persons in the Union. The Act will
majorly regulate the transfer of non-personal data and when it comes to personal data
it refers to the General Data Protection Regulation (hereinafter ‘GDPR’).
1.2 The main goal of the regulation is to open user-generated data aiming to build a
genuine single market for data and make Europe a global leader in the data-agile
economy and create new use cases of the and tolls that are generating value through
data.
1.3 The Regulation exempts the micro, medium and small enterprises (MSME) from the
application because it aims to deteriorate the congestion of data in the hands of large
enterprises and reduce the dependence on acquiring data from them.
1.4 The Regulation focuses on implementing the principles of fairness and transparency
in the internal market for the access and transfer of personal and non-personal data
generated by the use of the products or related services in the Union.
1.5 The sui generis right provided to the developers of the database is not applicable for
the transfer and access of data under this Regulation.
1.6 The users of the products or related services will come to know the actual data
generated through their use because under this Regulation the smart contract method
is stressed for effective implementation and application.
1.7 The Regulation provides access to the data free of charge for the users and the data
holders can recover the direct costs involved in making the data available to the data
recipients who are the manufacturers or producers of the products or related services
in the Union. Even though the regulation states that such compensation should not
exceed the technical and organisational costs incurred to comply with the request, the
Regulation does not specify that the data holder should provide proof that the cost is
really incurred, and data holder can interpret the accrued cost very broadly.
1.8 The interoperability of data from one data accessing service to another plays a key
role under this Regulation since the transferring service provider shall ensure the
entire data is transferred to a similar type of data accessing service with equivalent
infrastructure.
2. General Provisions
2.1 The Regulation provides access to the data generated by the use of the product or
service to the user and from data holders to data recipients. The public sector bodies,
Union institutions, agencies, or bodies will have access to the generated data only
when there is an exceptional need for it.
2.2 The regulation applies to manufacturers, data holders, data recipients, public sector
bodies, union institutions, agencies or bodies, and data processing service providers.
2.3 Any personal data generated under this regulation shall be processed as per Article 20
of the General Data Protection Regulation. The idea of informing the users about the
data generated from the usage of the products or services has been taken from the
GDPR. The exception of technical feasibility is also applied in this Act as seen in
Article 20 of the GDPR. The users can claim under GDPR as well as in this Act if
they find the right is infringed by the data holders or data recipients. However, there
are no provisions to limit the claim either under GDPR or Data Act, when it comes to
personal data. The data holder can use GDPR's vague definition of personal data as an
excuse to not provide user-generated data, because the data can be used to identify
data subjects indirectly, especially, when a request is asking for user-generated data of
a specific location, and demography. The regulator should explain more in detail the
relationship between GDPR and Data Act, especially when the event when user-
generated data can be used to identify data subjects.
2.4 The sharing and accessing of data for prevention, investigation, detection, or
prosecution of criminal offences will not be affected by this Regulation adopted by
the Union and the Member States.
2.5 The definition of data and processing are wide and there is no limitation regarding
volume or form the data holders and data recipients need to share the data in a similar
form as it is collected. This may lead to sharing of voluminous data and the users may
find it difficult to segregate the data required from the generation. The data holders
3.1 The Regulation specifies the products that need to be designed and manufactured with
compatibility for the user to securely access the data generated. The Regulation has
not taken into consideration the products in production and the manufacturers may
lose their approved designs for any non-compliance with Article 3.1 of this
Regulation. The Regulation does not specify the backup of data if anything is lost due
to technical errors and the period of storage. So, the user needs to take care of the
storage and backup. If there is any dispute at a later date, then the data holders and
data recipients may not have any data originally with them.
3.2 The Regulation stipulates providing information on data to be generated to the user
before concluding a contract. If the user wants to resell the products will this be
extended to the buyer? Whether the new user needs to re-register his/her details to
access the data generated from the use of the products or services. There is no
provision for the user to inform the further sale of the product or services and
restriction of the data access to the new user.
3.3 The provision encourages the disclosure of trade secrets to users. When there is a
practical situation where the request is from multiple users and the trade secret may be
widespread outside of the disclosure. The confidentiality breach may be difficult to be
identified and make the single user responsible for it.
3.4 The Regulation gives access to the non-user if the non-user falls under any of the
categories specified in Article 6(1) and Article 9 of GDPR. However, there is no
clarity on whether the non-user can become a user due to the execution of sale,
purchase, lease, or rental agreements. There is also an issue with the short-term rental
for a commercial where the user will be different from time to time and want to access
their data.
4.1 The data holders shall enter into an agreement with the data recipients for making the
data available to them. The contract must be fair, reasonable, transparent, and non-
discriminatory in nature. The contract subject cannot be exclusive since the data
holders are restricted to share the data on an exclusive basis with the data recipients.
The regulator should specify that terms and conditions are considered a contract as
well, for data sharing, because that alleviates some administrative burden from the
data holders and will give an opportunity to automate the request-response, especially
the problem that arises with the huge number of requests, that are similar in nature.
4.2 The trade secrets need not be disclosed to the data recipients unless otherwise
required under Article 6 of the Regulation or any other legislation of the Member
States or Union Law. It is required for a clarification that the contract between the
data holder and data recipient can be known by the users since they have the right to
know what data will generate, processed, and shared with the third parties as per
Article 3.2 of this Regulation
4.3 The data holder and data recipient can agree on compensation for making the data
available. The compensation shall not be beyond the actual cost of making the data
available if the data recipient is an SME. It needs to be clarified what kind of costs
can be included by the data holders since the data shall be made available free of
charge to the users.
4.4 Any data obtained by the data recipient using coercive steps and unauthorised use
enables the data holders to delete or destroy the data. The data holders may end the
production of the products or services offering the market.
4.5 The data holders and data recipients must select the notified dispute resolution bodies
for resolving any disputes arising out of the making of data available under this
Regulation.
4.6 The relationship between the data holders and data recipients is governed by the
contractual terms, the Regulation may make it possible to approach alternate dispute
resolution mechanisms like arbitration.
5.1 The Regulation ensures that any contractual terms shall not be unfair against the
micro, small and medium enterprises. The contractual term is unfair when it limits the
liability of the proposing party, excludes remedies on non-performance of contract
and gives exclusive right to determine whether the data is in conformity with the
contract.
5.2 The contractual terms will be unfair if they inappropriately limit the remedies on non-
performance or liability on the breach, unilateral access of data or termination of the
contract on unreasonable short notice. The contract is unilaterally imposing when a
party attempts to negotiate but is not able to do so because it is influenced by the other
party. The remedies available to the party suffered by the unfair contractual terms
imposed are not available in the Regulation other than dispute resolution.
6.1 The data can be made available to the public sector bodies and union institutions,
agencies, or bodies when there is an exceptional need for the data. There should be a
public emergency without which the public sector bodies and union institutions,
agencies or bodies may not be able to complete a specific task. The data cannot be
obtained from the market and obtaining data through this Regulation will reduce the
administrative burden for the data holders.
6.2 The public sector bodies and union institutions, agencies or bodies need to raise a
request to the data holders by specifying the data, the exceptional need, legal basis,
purpose and deadline for modifying or withdrawing the request. The public sector
bodies and union institutions, agencies or bodies shall not reuse the data obtained
through the request and can transfer it to any other public sector bodies and union
institutions, agencies, or bodies.
6.3 The data holders shall comply with the request of the public sector bodies and union
institutions, agencies, or bodies within 5 days in case of public emergency and within
15 days from the date of request.
6.4 The public sector bodies and union institutions, agencies or bodies shall not use the
data other than the purpose requested for, protect the rights and freedoms of the
subject, and destroy it when the purpose is over.
7.1 The data processing services shall facilitate the users to switch to other data
processing services. The data processing services shall remove commercial, technical,
contractual, and organisational obstacles for the users from switching to another
provider, concluding a new contract, porting the data to another service provider and
maintaining the functional equivalence with similar data processing service providers.
The user getting a data processing service from one service provider may differ from
another. The minimum equivalence can be interpreted differently when there are no
specific requirements stipulated in the Regulation.
7.2 The Regulation stipulates that a contract needs to be entered consisting of the
customer's rights and obligations of the service provider relating to switching of data
protection services. The contract shall bind the service provider to support switching
by providing technical assistance and ensuring continuity. The service provider shall
transfer all data to the new provider of data processing services within a minimum
retrieval period of 30 days after the termination of the contract.
7.3 If there is a technical infeasibility in switching the data within 30 days the service
provider needs to explain the same within 7 days of the request and can seek
additional time which shall not exceed 6 months.
7.4 The data processing services shall ensure that the customers once switched to a
different data processing service shall enjoy functional equivalence like the
infrastructural elements of the earlier one. The Regulation provides the right to the
customers to switch on their own choice if the present data processing services found
the functions are not equal, it will be difficult for the service provider to interfere in
the choice of the customers. Does regulation need to clarify whether the list of similar
8.1 The transferring of non-personal data is dealt with in the Regulation since the
adequacy protection is determined under GDPR for transferring personal data. The
providers of data processing services can send the non-personal data to third countries
if the transfer will not create any conflict with the Union or Member States' national
law.
8.2 The data can be transferred based on any decision or judgement of a court or
administrative body in the third country where an international treaty is in place with
the Union or the Member state. The exception to transfer the non-personal data for
countries with no such international treaty is the decision or judgement should have
the specific reason and proportionality for the requirement of the non-personal data.
8.3 Even the service provider can provide only minimal data specifically required by the
court or administrative body from the third country. As provided in the GDPR the
adequacy protection can be devised in this Regulation to share data with third
countries. The delay in processing such requests and the additional burden to assess
the request may be reduced by the measures.
9. Interoperability
9.1 Data interoperability cannot be achieved if the operators of data spaces do not provide
adequate information and technical support to facilitate the interoperability. The
Regulation describes the set of information to be shared by the data space operators
for interoperability but still, the Commission feels there is a need for harmonised
standards and guidelines for interoperability. The standardisation and guidelines may
give more clarity and additional value to compliance with this Regulation by the data
space operators.
9.2 The Regulation aims at achieving interoperability between different processing
services and covers the same service type, portability of digital assets, technical
feasibility, and functional equivalence.
10.1 The Member States shall designate one or more Competent Authorities for receiving
complaints about alleged violations, investigating based on the complaints, imposing
penalties, and monitoring technological development under this Regulation. Again,
regarding the personal data, the enforcement procedures provided in GDPR shall be
applicable and the supervising authorities' powers will be exercised in terms of
personal data.
10.2 Any persons who found their rights violated under this Regulation may complain to
the designated competent authorities. The penalties shall be notified through rules by
the Member States which shall be effective, proportionate and dissuasive.
10.3 In the future, if there are inequalities in penalties among the Member States may
make it difficult for uniform application and effective implementation of the
Regulation across the internal market.
10.4 Regarding the fine for infringement of personal data, the rules for penalties in GDPR
shall be taken into consideration. The connection between the Data Act and GDPR is
well established in this chapter.
10.5 The Member States have the freedom to decide on the competent authorities and
penalties. However, it will be easier to designate the competent authority designated
under GDPR since any infringement on personal data shall rely on GDPR for
enforcement.
11.1 For the purpose of effective implementation of Articles 4 and 5 of this Regulation,
the sui generis of the databases enshrined under the Directive 1996/9/EC will not be
applicable. The databases shall allow extraction or transfer of data either permanently
or temporarily when it is requested under this Regulation. The right of the developer
of the database, even qualitatively and quantitatively invested to develop, will not be
applicable under this Regulation. The databases will be considered open source while
applying this regulation which may hamper the subsequent development of such
databases. The Regulation focuses on the products or related services in the Union
and whether the developer of the databases should be in the Union or the databases
outside the Union will be considered as a transfer outside the Union, which needs to
be clarified in the regulation.
10