09 September 2024

The Data Act: a new standard for data agreements

09 September 2024

The European Data Act comes into force with effect from 12 September 2025. This Regulation creates new rights and obligations that cover not just personal data, but data in general. The practical implications are huge.

The Data Act particularly affects parties offering connected or Internet of Things (IoT)) products and cloud services. What is not often mentioned is that the Regulation also contains rules on data sharing agreements. These rules apply to all businesses.

The first main topic in the Data Act concerns the rules on the sharing and use of usage data from connected products and related services. These include products and services such as smartwatches and smart speakers with a virtual assistant like Alexa, as well as agricultural machinery with internet access. Businesses must comply with new obligations regarding connected products and related services as a result of the Data Act. First, companies that produce connected products and provide related services should design the products and services so that users can easily access their data (data access by design). Moreover, the Data Act gives users an explicit right of access to usage data. This right of access means that users of connected products and related services can easily access their usage data where data access by design has not been provided for. In addition, enterprises should also allow users to easily share their usage data with another party. Finally, buyers of connected products and recipients of a related service from the seller and the provider, respectively, should also be given certain information about how the connected product collects data.

The data holder (usually the provider of the connected product or a related service) may now use non-personal data only if the agreement with the user of the connected product or related service allows it. The data holder must not use the data to derive insights about the economic situation, assets and production methods of the user, or the user’s use of the product or service, in a manner that could undermine the commercial position of the user on the markets in which the user is active. Data may be shared with third parties only when necessary to perform the agreement with the user.

From 12 September 2026, connected products sold and related services provided must comply with the data access by design obligation. The other rules on connected products and related services, including the explicit right of access, already apply from 12 September 2025.

Cloud service providers

The second main topic concerns the rules imposed on data processing services. The term data processing services refers to a wide range of cloud services. The preamble refers to infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS), storage as a service and database as a service. The term also covers what are known as edge services. The obligations imposed on data processing service providers relate to 1) facilitating switching, 2) facilitating interoperability between different data processing services and 3) preventing international governmental access. From 12 September 2025, data processing service providers will have to comply with these rules.

Sharing of data with governments

The third main topic concerns rules on mandatory data sharing with public sector bodies, the European Central Bank, the European Commission or any other European Union body. These bodies can request data on the basis of exceptional necessity. This can only be done if, in an emergency situation, the bodies cannot obtain the data in a proper and timely manner by other means. Bodies may also request non-personal data when such data is necessary for the performance of a specific task in the public interest, such as the compilation of official statistics. These rules will also apply from 12 September 2025.

Unfair contractual terms between enterprises

Perhaps the most surprising part of the Data Act is the provision on unfair contractual terms. It applies to data-sharing agreements made between enterprises (B2B). In short, the article provides that contractual terms on data are not binding on the other party if the terms have been unilaterally imposed by the provider and are labelled unfair. The article contains a list of provisions that are always unfair (a black list) and a list of provisions that are presumed to be unfair (a grey list). If an enterprise uses a grey list clause, this enterprise must prove that the clause is not unfair.

What is striking about the article is that it is set up as a black and grey list between enterprises. Black and grey lists have long existed for general terms and conditions imposed on consumers by enterprises (see, for example, Articles 6:236 and 6:237 of the Civil Code), protecting consumers from unfair general terms and conditions. So now there is a similar list for business-to-business agreements. This provision applies regardless of the size of the enterprises concerned.

The obligations in this article cover all contracts and clauses on data access and use concluded between enterprises. Any agreement or provision on data sharing and use will need to take this article into account. The article will often also apply when enterprises enter into contracts between themselves about personal data, such as a joint controller agreement under Article 26 of the General Data Protection Regulation (GDPR). The application of the article is mandatory law. This means that enterprises cannot agree that the article does not apply to their relationship and cannot deviate from it.

It is important that enterprises are aware of this article when entering into agreements on (personal) data. For buyers, though, it is important to always try to negotiate the unfair contract terms imposed on them. If no attempt has been made to negotiate the unfair terms, an enterprise cannot invoke the protection of the article.

The provision applies to all agreements concluded after 12 September 2025. For some agreements entered into before 13 September 2025, the provision applies from 12 September 2027. This applies to agreements entered into for an indefinite period and those expiring after 11 January 2034.

Monitoring and enforcement of the Data Act

The Data Act has direct effect in the Dutch legal order, leaving no or limited scope for divergent or additional national rules. For the matters to be regulated nationally, a national Implementation Act is pending. The Regulation gives Member States the freedom to decide themselves which supervisory authority is competent to enforce the Regulation’s provisions. In the Netherlands, the Lower House has yet to vote on the draft Dutch Implementation Act. The current draft Data Regulation Implementation Act designates the Data Protection Authority (AP) and the Consumer and Market Authority (ACM) as supervisors.

Conclusion

The Data Act will apply in the Netherlands from 12 September 2025. The Data Act creates new rights and obligations for enterprises in particular. In particular, all enterprises will have to be vigilant of the rules on unfair contractual terms when concluding agreements on (personal) data. The AP and the ACM are likely to be designated as supervisors for compliance with the Regulation.

The Data Act is not applicable at present. Nevertheless, enterprises are advised to take measures in advance. This will allow timely adaptation of operations to the obligations imposed by the Regulation.

Finally

More blogs on this topic will follow. Keep an eye on our website for the latest news. This blog originally appeared on Privacy Web.

If you have any questions about the Data Act, please contact Jan Baas, Jiahui Plomp or one of our other Data & Privacy specialists.

This article was co-authored by Jolijn Gijsen.

Author
J.A.N. (Jan) Baas

Attorney at Law & Partner

Author
Mr. J.H. (Jiahui) Plomp

Attorney at Law

Call: +31 172 530 250