Comments on the Regulation on harmonised rules

on fair access and use of Data

(Data Act)

by
Agnė Smagurauskaitė
Pratheep Balu Anbalagan

Vilnius, 2022

Electronic copy available at: https://ssrn.com/abstract=4111120

About the work

The Regulation on harmonised rules on fair access and use of Data (Data Act) proposed by
the European Union initiated the evaluation of its application in the internal market among
lawyers, academicians, manufacturers, data accessing service providers and users too. The
European Commission is also receiving comments from various interested parties and public
in support of the Regulation.

The authors of this report are Agnė Smagurauskaitė, a final year Finance and Tax law student
and Pratheep Balu Anbalagan LLM, a recent graduate of International and European
(Business) law from Faculty of Law at Vilnius University, Lithuania. Out of academic
enthusiasm, the authors considering different perspective of stakeholders drafted the enclosed
comments highlighting the some of the major issues regarding application of the Regulation
in the internal market. The idea of preparing comments for the Regulation originated from
Mr. dr. Paulius Jurgis, PhD, co-founder, Prifina, an IP and data privacy lawyer at San
Fransico and visiting lecturer at Faculty of Law, Vilnius University.

The proposed Regulation consists of 90 recitals, 11 Chapters and 42 Articles. The report has
11 sections comprising comments on the crucial ten chapters except for the final provisions
of the Regulation. In each section, the authors attempt to present the key purpose of the
Chapter, practical issues on the applicability and required possible improvement in the
Regulation.

The report does not have any conclusion since the Regulation is in the draft stage and
consultations are going on to address the major concerns of the interested parties. The
comments are not exclusive since still there is a possibility for the amendment of the
Regulation. The authors made these comments expecting clarity to achieve the objective and
add value for the improvement of the Regulation while enforcing it in the internal market.

Agnė Smagurauskaitė and Pratheep Balu Anbalagan

contact at pratheepbalu@gmail.com

Electronic copy available at: https://ssrn.com/abstract=4111120

Table of contents
1. Introduction…………………………………………………………………………1
2. General Provisions………………………………………………………….……….2
3. B2B and B2C Data Sharing…………………………………………………………3
4. Making Data Available……………………………………………………………...5
5. Unfair Terms………………………………………………………………………...6
6. Making Data Available to Public Sector Bodies………………………………….…6
7. Switching Between Data Processing Services………………………………….……7
8. International Context of Non-Personal Data Sharing…………………………….…..8
9. Interoperability……………………………………………………………………….8
10. Implementation and Enforcement…………………………………………………….9
11. Sui Generis Right…………………………………………………………………….10

Electronic copy available at: https://ssrn.com/abstract=4111120

1. Introduction

1.1 The Regulation on harmonised rules on fair access and use of Data (Data Act)
proposed by the European Union focusing on regulating the data generated on the use
of products and services by the natural and legal persons in the Union. The Act will
majorly regulate the transfer of non-personal data and when it comes to personal data
it refers to the General Data Protection Regulation (hereinafter ‘GDPR’).
1.2 The main goal of the regulation is to open user-generated data aiming to build a
genuine single market for data and make Europe a global leader in the data-agile
economy and create new use cases of the and tolls that are generating value through
data.
1.3 The Regulation exempts the micro, medium and small enterprises (MSME) from the
application because it aims to deteriorate the congestion of data in the hands of large
enterprises and reduce the dependence on acquiring data from them.
1.4 The Regulation focuses on implementing the principles of fairness and transparency
in the internal market for the access and transfer of personal and non-personal data
generated by the use of the products or related services in the Union.
1.5 The sui generis right provided to the developers of the database is not applicable for
the transfer and access of data under this Regulation.
1.6 The users of the products or related services will come to know the actual data
generated through their use because under this Regulation the smart contract method
is stressed for effective implementation and application.
1.7 The Regulation provides access to the data free of charge for the users and the data
holders can recover the direct costs involved in making the data available to the data
recipients who are the manufacturers or producers of the products or related services
in the Union. Even though the regulation states that such compensation should not
exceed the technical and organisational costs incurred to comply with the request, the
Regulation does not specify that the data holder should provide proof that the cost is
really incurred, and data holder can interpret the accrued cost very broadly.
1.8 The interoperability of data from one data accessing service to another plays a key
role under this Regulation since the transferring service provider shall ensure the
entire data is transferred to a similar type of data accessing service with equivalent
infrastructure.

Electronic copy available at: https://ssrn.com/abstract=4111120

 1.9 The application of the Regulation needs certain clarifications and developments such
as the volume of the data to be unveiled after the enforcement, the difference in the
use of data, requirements of the data for users, costs involved in making the data
available, and the possibility of targeted interoperability.

2. General Provisions

2.1 The Regulation provides access to the data generated by the use of the product or
service to the user and from data holders to data recipients. The public sector bodies,
Union institutions, agencies, or bodies will have access to the generated data only
when there is an exceptional need for it.
2.2 The regulation applies to manufacturers, data holders, data recipients, public sector
bodies, union institutions, agencies or bodies, and data processing service providers.
2.3 Any personal data generated under this regulation shall be processed as per Article 20
of the General Data Protection Regulation. The idea of informing the users about the
data generated from the usage of the products or services has been taken from the
GDPR. The exception of technical feasibility is also applied in this Act as seen in
Article 20 of the GDPR. The users can claim under GDPR as well as in this Act if
they find the right is infringed by the data holders or data recipients. However, there
are no provisions to limit the claim either under GDPR or Data Act, when it comes to
personal data. The data holder can use GDPR's vague definition of personal data as an
excuse to not provide user-generated data, because the data can be used to identify
data subjects indirectly, especially, when a request is asking for user-generated data of
a specific location, and demography. The regulator should explain more in detail the
relationship between GDPR and Data Act, especially when the event when user-
generated data can be used to identify data subjects.
2.4 The sharing and accessing of data for prevention, investigation, detection, or
prosecution of criminal offences will not be affected by this Regulation adopted by
the Union and the Member States.
2.5 The definition of data and processing are wide and there is no limitation regarding
volume or form the data holders and data recipients need to share the data in a similar
form as it is collected. This may lead to sharing of voluminous data and the users may
find it difficult to segregate the data required from the generation. The data holders

Electronic copy available at: https://ssrn.com/abstract=4111120

 and data recipients must provide the users with more information such as technical
requirements needed to access the data.
2.6 The users are the owners of the data and through their use, the organisations get
information and use it for future product development. The Regulation wants that data
to be transparently available to the users and easily transferable. The Regulation has
not considered the user or owner’s right not to collect data.

3. B2B and B2C Data Sharing

3.1 The Regulation specifies the products that need to be designed and manufactured with
compatibility for the user to securely access the data generated. The Regulation has
not taken into consideration the products in production and the manufacturers may
lose their approved designs for any non-compliance with Article 3.1 of this
Regulation. The Regulation does not specify the backup of data if anything is lost due
to technical errors and the period of storage. So, the user needs to take care of the
storage and backup. If there is any dispute at a later date, then the data holders and
data recipients may not have any data originally with them.
3.2 The Regulation stipulates providing information on data to be generated to the user
before concluding a contract. If the user wants to resell the products will this be
extended to the buyer? Whether the new user needs to re-register his/her details to
access the data generated from the use of the products or services. There is no
provision for the user to inform the further sale of the product or services and
restriction of the data access to the new user.
3.3 The provision encourages the disclosure of trade secrets to users. When there is a
practical situation where the request is from multiple users and the trade secret may be
widespread outside of the disclosure. The confidentiality breach may be difficult to be
identified and make the single user responsible for it.
3.4 The Regulation gives access to the non-user if the non-user falls under any of the
categories specified in Article 6(1) and Article 9 of GDPR. However, there is no
clarity on whether the non-user can become a user due to the execution of sale,
purchase, lease, or rental agreements. There is also an issue with the short-term rental
for a commercial where the user will be different from time to time and want to access
their data.

Electronic copy available at: https://ssrn.com/abstract=4111120

3.5 The generation of personal data needs application of the GDPR as seen above and the
non-personal data can be generated by entering a contract with the user under this
Regulation. However, the data undermining the commercial position of the user in the
markets in which the user is active is restricted by this Regulation.
3.6 Third parties can have access upon request from the user without any undue delay and
free of charge. There is no clarification on how often the request can be made and the
time gap between one request to another from the same user. As well, the term
without any undue delay is not specified. So, within what time the data holder must
respond to the data request? Differently than GDPR which mentions the specific term,
the Data Act has taken another approach and chose the term undue delay which can
be interpreted broadly. What time would be appropriate to respond to the data holder?
What kind of delay could be considered undue? This kind of definition will create
diverging rules in the EU member states because different supervisory authorities can
interpret it differently.
3.7 The Regulation says there should not be any coercive steps to be taken by third parties
using the technical gap of the data holders to obtain the data of the users. However,
there are no specific penalties for third parties using such coercive steps to obtain the
data
3.8 The collection of personal data of a third party who is not a data subject under this
Regulation. It can be done as per Article 6(1) and Article 9 of GDPR. Technically
whoever may be the user either the owner or third party, the personal data can be
collected applying the GDPR.
3.9 The data generation under the Regulation shall be on contractual terms. The third
party to a contract has similar rights to the users upon the authorization or request of
the user. Later this may lead to the non-identification of the real user of the products
or services. There may be different requirements for different users and making all the
data available to the user may create congestion of data.
3.10 The third-party cannot use the data it received for profiling within the meaning of
Article 4(4) of GDPR with an exception to provide the service requested by the user.
The Regulation applies only to the definition of profiling from GDPR and not any
other provisions for profiling specified in the GDPR.
3.11 The Regulation excludes the products or services delivered by the small and medium
enterprises provided that they should not be partnership enterprises or linked
enterprises as per Article 3 of the Annex to Recommendation 2003/361/EC.

Electronic copy available at: https://ssrn.com/abstract=4111120

4. Making Data Available

4.1 The data holders shall enter into an agreement with the data recipients for making the
data available to them. The contract must be fair, reasonable, transparent, and non-
discriminatory in nature. The contract subject cannot be exclusive since the data
holders are restricted to share the data on an exclusive basis with the data recipients.
The regulator should specify that terms and conditions are considered a contract as
well, for data sharing, because that alleviates some administrative burden from the
data holders and will give an opportunity to automate the request-response, especially
the problem that arises with the huge number of requests, that are similar in nature.
4.2 The trade secrets need not be disclosed to the data recipients unless otherwise
required under Article 6 of the Regulation or any other legislation of the Member
States or Union Law. It is required for a clarification that the contract between the
data holder and data recipient can be known by the users since they have the right to
know what data will generate, processed, and shared with the third parties as per
Article 3.2 of this Regulation
4.3 The data holder and data recipient can agree on compensation for making the data
available. The compensation shall not be beyond the actual cost of making the data
available if the data recipient is an SME. It needs to be clarified what kind of costs
can be included by the data holders since the data shall be made available free of
charge to the users.
4.4 Any data obtained by the data recipient using coercive steps and unauthorised use
enables the data holders to delete or destroy the data. The data holders may end the
production of the products or services offering the market.
4.5 The data holders and data recipients must select the notified dispute resolution bodies
for resolving any disputes arising out of the making of data available under this
Regulation.
4.6 The relationship between the data holders and data recipients is governed by the
contractual terms, the Regulation may make it possible to approach alternate dispute
resolution mechanisms like arbitration.

Electronic copy available at: https://ssrn.com/abstract=4111120

5. Unfair Terms

5.1 The Regulation ensures that any contractual terms shall not be unfair against the
micro, small and medium enterprises. The contractual term is unfair when it limits the
liability of the proposing party, excludes remedies on non-performance of contract
and gives exclusive right to determine whether the data is in conformity with the
contract.
5.2 The contractual terms will be unfair if they inappropriately limit the remedies on non-
performance or liability on the breach, unilateral access of data or termination of the
contract on unreasonable short notice. The contract is unilaterally imposing when a
party attempts to negotiate but is not able to do so because it is influenced by the other
party. The remedies available to the party suffered by the unfair contractual terms
imposed are not available in the Regulation other than dispute resolution.

6. Making Data Available to Public Sector Bodies

6.1 The data can be made available to the public sector bodies and union institutions,
agencies, or bodies when there is an exceptional need for the data. There should be a
public emergency without which the public sector bodies and union institutions,
agencies or bodies may not be able to complete a specific task. The data cannot be
obtained from the market and obtaining data through this Regulation will reduce the
administrative burden for the data holders.
6.2 The public sector bodies and union institutions, agencies or bodies need to raise a
request to the data holders by specifying the data, the exceptional need, legal basis,
purpose and deadline for modifying or withdrawing the request. The public sector
bodies and union institutions, agencies or bodies shall not reuse the data obtained
through the request and can transfer it to any other public sector bodies and union
institutions, agencies, or bodies.
6.3 The data holders shall comply with the request of the public sector bodies and union
institutions, agencies, or bodies within 5 days in case of public emergency and within
15 days from the date of request.
6.4 The public sector bodies and union institutions, agencies or bodies shall not use the
data other than the purpose requested for, protect the rights and freedoms of the
subject, and destroy it when the purpose is over.

Electronic copy available at: https://ssrn.com/abstract=4111120

 6.5 The public sector bodies and union institutions, agencies or bodies can share the data
for scientific research or analytics compatible with the purpose of the data request.
The data obtained through the request shall be used on a non-profit basis and shall not
be used for any commercial purpose.
6.6 The data can be exchanged between the Member States after notifying the Competent
Authorities in the other Member State and the same shall not apply to the Union
institutions, agencies, or bodies.

7. Switching Between Data Processing Services

7.1 The data processing services shall facilitate the users to switch to other data
processing services. The data processing services shall remove commercial, technical,
contractual, and organisational obstacles for the users from switching to another
provider, concluding a new contract, porting the data to another service provider and
maintaining the functional equivalence with similar data processing service providers.
The user getting a data processing service from one service provider may differ from
another. The minimum equivalence can be interpreted differently when there are no
specific requirements stipulated in the Regulation.
7.2 The Regulation stipulates that a contract needs to be entered consisting of the
customer's rights and obligations of the service provider relating to switching of data
protection services. The contract shall bind the service provider to support switching
by providing technical assistance and ensuring continuity. The service provider shall
transfer all data to the new provider of data processing services within a minimum
retrieval period of 30 days after the termination of the contract.
7.3 If there is a technical infeasibility in switching the data within 30 days the service
provider needs to explain the same within 7 days of the request and can seek
additional time which shall not exceed 6 months.
7.4 The data processing services shall ensure that the customers once switched to a
different data processing service shall enjoy functional equivalence like the
infrastructural elements of the earlier one. The Regulation provides the right to the
customers to switch on their own choice if the present data processing services found
the functions are not equal, it will be difficult for the service provider to interfere in
the choice of the customers. Does regulation need to clarify whether the list of similar

Electronic copy available at: https://ssrn.com/abstract=4111120

 data processing services will be informed to the customer earlier while entering the
contract itself?

8. International Context of Non-Personal Data Sharing

8.1 The transferring of non-personal data is dealt with in the Regulation since the
adequacy protection is determined under GDPR for transferring personal data. The
providers of data processing services can send the non-personal data to third countries
if the transfer will not create any conflict with the Union or Member States' national
law.
8.2 The data can be transferred based on any decision or judgement of a court or
administrative body in the third country where an international treaty is in place with
the Union or the Member state. The exception to transfer the non-personal data for
countries with no such international treaty is the decision or judgement should have
the specific reason and proportionality for the requirement of the non-personal data.
8.3 Even the service provider can provide only minimal data specifically required by the
court or administrative body from the third country. As provided in the GDPR the
adequacy protection can be devised in this Regulation to share data with third
countries. The delay in processing such requests and the additional burden to assess
the request may be reduced by the measures.

9. Interoperability

9.1 Data interoperability cannot be achieved if the operators of data spaces do not provide
adequate information and technical support to facilitate the interoperability. The
Regulation describes the set of information to be shared by the data space operators
for interoperability but still, the Commission feels there is a need for harmonised
standards and guidelines for interoperability. The standardisation and guidelines may
give more clarity and additional value to compliance with this Regulation by the data
space operators.
9.2 The Regulation aims at achieving interoperability between different processing
services and covers the same service type, portability of digital assets, technical
feasibility, and functional equivalence.

Electronic copy available at: https://ssrn.com/abstract=4111120

 9.3 The Regulation recommends data sharing through smart contracts. So that the data
sharing will be automatic, effective, and speedy. The Regulation recommends
standardisation and harmonised rules for the smart contract which is to be published
by the Organisation appointed for the purpose. The interoperability and data sharing
between providers of similar service types may be complex since the data collected
from products may have different data which may or may not be matched and the data
generation may vary from user to user. The data processing services, and data spaces
need to change their infrastructure or upgrade to the new standards proposed by the
European Union Institutions. Achieving uniformity may be time-consuming across
the entire data space and data processing service providers.

10. Implementation and Enforcement

10.1 The Member States shall designate one or more Competent Authorities for receiving
complaints about alleged violations, investigating based on the complaints, imposing
penalties, and monitoring technological development under this Regulation. Again,
regarding the personal data, the enforcement procedures provided in GDPR shall be
applicable and the supervising authorities' powers will be exercised in terms of
personal data.
10.2 Any persons who found their rights violated under this Regulation may complain to
the designated competent authorities. The penalties shall be notified through rules by
the Member States which shall be effective, proportionate and dissuasive.
10.3 In the future, if there are inequalities in penalties among the Member States may
make it difficult for uniform application and effective implementation of the
Regulation across the internal market.
10.4 Regarding the fine for infringement of personal data, the rules for penalties in GDPR
shall be taken into consideration. The connection between the Data Act and GDPR is
well established in this chapter.
10.5 The Member States have the freedom to decide on the competent authorities and
penalties. However, it will be easier to designate the competent authority designated
under GDPR since any infringement on personal data shall rely on GDPR for
enforcement.

Electronic copy available at: https://ssrn.com/abstract=4111120

11. Sui Generis Right

11.1 For the purpose of effective implementation of Articles 4 and 5 of this Regulation,
the sui generis of the databases enshrined under the Directive 1996/9/EC will not be
applicable. The databases shall allow extraction or transfer of data either permanently
or temporarily when it is requested under this Regulation. The right of the developer
of the database, even qualitatively and quantitatively invested to develop, will not be
applicable under this Regulation. The databases will be considered open source while
applying this regulation which may hamper the subsequent development of such
databases. The Regulation focuses on the products or related services in the Union
and whether the developer of the databases should be in the Union or the databases
outside the Union will be considered as a transfer outside the Union, which needs to
be clarified in the regulation.

10

Electronic copy available at: https://ssrn.com/abstract=4111120