The EU Data Act: Switching, interoperability and prevention of unauthorised access to non-personal data
The EU Data Act (the "Act"), which entered into force on 11 January 2024, is a comprehensive piece of legislation aimed at fostering a fair and competitive digital environment in the European Union. It focuses on ensuring that data is shared more effectively, while protecting the rights of individuals and businesses.
In this article, we look into the switching and interoperability provisions of the Act, as well as provisions designed to phase out egress fees and prevent unlawful international government access to non-personal data. These provisions are primarily relevant to Data Processing Services Providers and their customers, and will directly impact those entities' contracting commercial and technical arrangements over the coming years. The provisions also apply to other participants in the data economy, including participants in data spaces (which we explain below in further detail).
If you haven't already, we recommend you read our overview article for this series first, which is available here.
Part 1: Switching
The switching provisions in the Act are set out in Chapter VI, and apply to Data Processing Services Providers (being services that enable the storage, processing, or analysis of data, such as cloud computing and data analytics services providers). Chapter VI imposes a number of obligations on providers to facilitate switching and porting of data by customers. It is important to note that the term "customers" is not defined by reference to any consumer law legislation and encompasses any natural or legal person; as such, these obligations are likely to apply in both consumer and business to business arrangements.
Contractual requirements
One of the key obligations is the requirement to include specific contractual terms to support switching in the written contract between the provider and the customer. These include provisions giving the customer an express right to switch to a new provider of Data Processing Services Providers or to port data to an on-premises solution.
The contractual terms must also specify the data that the original provider is required to port to the new provider or to the customer, as well as the format and conditions for porting. Notably, this must include at a minimum "exportable data". The "exportable data" that the original provider is required to port includes all data that the customer has provided to, or generated by using, the original service, but explicitly excludes data that is protected by intellectual property rights or trade secrets.
This definition means that provisions governing ownership and licensing of the customer's data will have a strong influence over what data is required to be ported; for example, broad licences granted to a cloud services provider in respect of any customer data might mean that the relevant provider is able to legitimately exclude a significant amount of derivative data that it may have generated as a result of the customer's use of its services.
The original provider must complete the porting of data within a transitional period of 30 calendar days, and must terminate the contract with the customer within 10 calendar days after the completion of the porting, unless the customer requests otherwise. Whilst the effect of these arrangements is to give the customer a new termination right, the Recitals make clear that the Act would not prohibit the parties agreeing fixed-term arrangements or "proportionate early termination penalties" to cover early termination. As such, the original provider would (at a minimum) be entitled to levy early termination fees in the event that the customer exercised any switching right ahead of the expiry of any agreed minimum term.
Phasing out switching charges
To support more effective switching and prevent vendor lock-in, the Act mandates the gradual phasing out of switching charges. The Recitals to the Act explain that these include costs related to the transit of data from one Data Processing Services Provider to another, or the costs incurred for specific support actions during the switching process. From 11 January 2024 to 12 January 2027, these charges may only reflect the costs incurred by the Data Processing Services Provider which are "directly linked" to switching. From 12 January 2027, all such charges will be prohibited.
It is important to note that the Recitals clarify that standard service fees for the provision of data processing services are not switching charges, and the prohibition on switching charges does not prevent the levying of fees for services that go beyond the switching obligations (as described above). For example, charges may be levied for the transfer of data which does not constitute "exportable data" (see above).
Other requirements
The Act also sets out transparency and disclosure obligations that Data Processing Services Providers must comply with and make available on their website. These include informing the customer, before the conclusion of the contract, about the available procedures for switching and porting data, the data that can be ported and the format and conditions for porting.
Finally, the original provider must cooperate in good faith with the new provider and the customer in relation to the switch, and must provide technical support to facilitate the switching and porting of data. This includes, where technically feasible, ensuring interoperability and portability between services of the same type, using harmonized standards or common specifications, and avoiding any technical or contractual barriers that may hinder the switching and porting of data.
Part 2: Interoperability
Chapter VIII of the Act sets out obligations that are designed to enhance the interoperability of data and data sharing mechanisms and services. These contain mostly technical obligations, which participants in data spaces and Data Processing Services Providers will be required to follow. The aim of enhanced interoperability is to allow data to be used more broadly in a way that can facilitate the development of new products and services, scientific research or civil society initiatives. This is a key requirement for the effective development of common European data spaces, developed as part of the European Strategy for Data in 2020. The data spaces are purpose or sector-specific spaces whereby data is shared to support the development of new products and services. They are underpinned by common data infrastructure and governance frameworks. By harmonising rules on data interoperability, it is hoped that these data spaces will work more efficiently to enhance the value of data for participants in the data spaces.
The Act also imposes obligations and responsibilities on vendors of applications that are using smart contracts or persons deploying smart contracts to comply with essential technical requirements such as robustness, safe termination, data archiving, access control, and consistency, as laid down in the Act. They must also perform a conformity assessment and issue an EU declaration of conformity. This is designed to allow for more consistency in the technical standards followed when data is shared, enhancing interoperability.
Part 3: Unlawful international government access to non-personal data
Data Processing Services Providers will need to comply with new requirements in the Act that restrict the transfer of non-personal data to third country governments and agencies (including transfers made in response to subpoenas and other judgements from relevant third-country judicial authorities). These provisions complement existing restrictions on the transfer of personal data under the EU's General Data Protection Regulation. In addition to protecting the fundamental rights of the individual, the measures are designed to protect and restrict access to commercially sensitive materials.
Transfers to third country governments and agencies will be permitted when based on "an international agreement", such as a mutual legal assistance treaty. In all other cases, it will be necessary for the Data Processing Services Provider to undertake an assessment of the request and the relevant country's laws (including potential rights of appeal). This assessment is more focussed than the assessment to be carried out as part of a transfer risk assessment undertaken under data privacy requirements, and would need to be undertaken for each access request received by the Data Processing Services Provider. Regulatory guidance detailing the management of these types of requests is currently pending.
Next steps
The Act has significant implications for customers and Data Processing Services Providers, who need to adapt to the new rules and obligations regarding switching and interoperability. Some of the practical implications are:
- Customers of Data Processing Services Providers should review their existing contracts with their providers and assess whether they comply with the requirements of the Act. They should also inquire about the procedures, costs, and conditions for switching and porting data, and compare the offers and services of different providers. Customers should also be aware of their rights and obligations regarding the access and porting of data.
- Data Processing Services Providers should update their contracts and technical infrastructure to comply with the requirements of the Act, especially Chapter VI and Chapter VIII. Providers should also consider how they might approach interactions with other Data Processing Services Providers, including by establishing standard form contracts that facilitate switching.
- Data Processing Services Providers should also consider preparing play books and internal guidance for how to deal with third-country requests for accessing non-personal data; this should include guidance on how the Data Processing Services Provider will interact with applicable EU authorities who it may need to consult in respect of such requests.
Our recent publications
If you found this article interesting, please see our other recent publications on the topic: