Pursuant to the proposed Data Act (DA-Proposal) the data holder shall make available data to a third party upon the user's request. As part of the user's right to share data, the data holder must comply with a number of requirements.

Right to share data

Upon request by a user the data holder is required to make available data to a third

party without undue delay, free of charge to the user, of the same quality as is

available to the data holder and, where applicable, continuously and in real-time (Art. 5 Para. 1 DA-Proposal). We explained in Episode 3 why these requirements, such as without undue delay, are quite challenging from a company's point of view. Companies providing core platform services (gatekeepers) may not be given access to data (Art. 5 Para. 2 DA-Proposal).

Contract between data holder and third party

The sharing of data is based on a contract between the data holder and the third party. The principle of contractual freedom allows the parties to freely negotiate the precise conditions for making data available in their contracts. In doing so, however, they must stay within the framework of the general access rules for making data available. The provisions on the prohibition of unfair contractual terms vis-à-vis SMEs must also be observed (Art. 13 DA-Proposal). According to the Parliament's draft, the prohibition of unfair contractual terms shall even apply in relation to all companies (Art. 13 Para. 1 DA-Proposal of the Parliament).

Modalities of data sharing

When data is provided to third parties by the data holder, the so-called FRAND conditions must be complied with. This means that the data holder is obliged to make data available under fair, reasonable and non-discriminatory terms and in a transparent manner (Art. 8 DA-Proposal).

The right to access and share data complements the right to receive and port personal

data under Art. 20 GDPR with regard to non-personal data. In this respect, the right to share data from Art. 5 DA-Proposal is identical to Art. 20 GDPR in terms of the requirements for the form of data transfer. The latter provision already guarantees data subjects a right to portability of their personal data (e.g., between different cloud platforms). The data must therefore be provided in a structured, commonly used, machine-readable and interoperable format. The right to data portability pursuant to Art. 20 GDPR may not be impaired by the failure of the data holder or the third party to agree on arrangements for transmitting the data (Art. 5 Para. 7 DA-Proposal). In other words, companies cannot argue that they have not yet taken (sufficient) precautions for legally compliant data sharing. Rather, they must implement the necessary measures.

Personal data may only be made available if there is a legal basis pursuant to the GDPR (Art. 6 and 9 GDPR). Furthermore, the right to share data must not affect data protection rights of other persons (Art. 5 Para. 9 DA-Proposal).

Costs for providing the data

A compensation for making data available can be agreed upon. This compensation must be reasonable. If data are provided to SMEs, the compensation may not exceed the costs directly related to making the data available. Direct costs are the costs necessary for data reproduction, dissemination via electronic means and storage of data, but not the costs of data collection or production (Recital 45 Sen. 1 DA-Proposal). In the future, discussions will therefore presumably arise as to how precisely these aforementioned costs are to be quantified.

Protection of trade secrets

Trade secrets need only be disclosed to the third party to the extent that this is strictly necessary for the purpose agreed between the user and the third party. In addition, disclosure may be made subject to the third party's compliance with measures contractually agreed between the data holder and the third party to preserve the confidentiality of the trade secrets (Art. 5 Para. 8 DA-Proposal).

Provision of data to public bodies

Furthermore, the DA-Proposal regulates the sharing of data to public bodies. In certain cases, such as emergencies, the data holder must make data available to public bodies or Union bodies upon their request. This does not apply to small and micro enterprises. The public body requesting data by way of exception does not have to conclude a contract with either the data holder or the user, as shown by the requirements of Art. 17 Para. 1 and 2 DA-Proposal.

Recommendations

Since the fulfillment of the user's right to share data entails a number of requirements for companies, measures should be taken at an early stage to implement appropriate processes and functionalities. These may include modifications to products and the drafting and amendment of contracts with potential data recipients. When drafting contracts, stipulations should be made in particular regarding the modalities of data sharing, form, compensation, and protection of trade secrets. The prohibition of unfair contractual terms may also raise new issues under contract law.

The ongoing legislative procedure should be followed with regard to possible amendments to the obligations imposed on the data holder. As shown, the parliamentary draft provides for amendments and, in some cases, tightening of the data holder's obligations in the context of data sharing.

In our DA Update series, we regularly provide you with information on the proposed Data Act of the European Union and keep you informed about changes in the ongoing legislative process. In each of our articles, we give you a brief overview of a specific topic, presenting the most important aspects and practical implications.