The Czech Presidency of the EU Council circulated a new compromise on the first five chapters of the new data law.
The compromise text, seen by EURACTIV, was circulated last Friday and will be discussed at the Telecom Working Party meeting on Thursday (27 October). The compromise is a step toward the general approach the Czechs aim to reach by the end of their Presidency in December.
Scope
The text clarifies that the users of a connected device will enjoy access to the data they contributed to generating regardless of their place of establishment. Operators that use smart contracts within data spaces are also covered in the scope.
The wording has been changed to clarify that the regulation does not preclude voluntary agreements on data exchange between private and public entities. It also does not affect the EU’s directive on unfair terms in consumer contracts.
Non-medical wearables have been included as an example of physical products covered by the regulation. Excluded from the scope are products designed to display content, like smart TVs, and to process and store data, such as personal computers and smartphones.
The data generated includes the one recorded intentionally by the users and the one resulting as a by-product of users’ actions, such as diagnostics data, and without any interactions, including when the product is in standby mode or switched off.
The text clarifies that a renter or lessee must also be considered a user. The possibility of several people using the same account was added, which will have to be reflected in the account solutions.
Data-sharing
The concept of ‘readily available’ was added to define the data generated by the Internet of Things products that the product manufacturer “can obtain without disproportionate effort, going beyond a simple operation.”
The product manufacturer will be obligated to share such readily available data free of charge and maintain the same quality level. These access rights cannot be restricted through any agreement or contractual arrangement between the manufacturer and the user.
When purchasing the connected device, the user should have the right to know the access conditions, including the manufacturers’ storage and retention policy. More robust safeguards for trade secrets have been introduced.
The Presidency clarified that these costs could be the technical costs for making such data available, plus a margin that might depend on the organisation’s business model. Long-term arrangements, for instance, in the form of smart contracts, could help reduce their costs.
Public access
The scope of the provisions that empower public bodies to request access to privately-held data has been restricted for the EU institutions to the European Commission, the European Central Bank, and EU agencies.
The national authorities responsible for enforcing the Data Act have been excluded from the scope to avoid a conflict of interest.
These public institutions can request access to private data in exceptional circumstances, including when the lack of such data prevents them from carrying out a specific task in the public interest.
However, the Presidency added a specification that the public body must have exhausted all other means to obtain the relevant data, including buying them from economic operators at market rates. These specific requests can only concern personal data if there is a legal basis at the EU or national level.
These data-sharing provisions do not affect existing legal obligations to provide data for official statistics and cannot be used to investigate criminal or administrative offences.
When issuing the request, the public body will have to indicate the deadline and legal basis.
Supposing a public body asked to access data from a company established in another country, the request should be transmitted to the relevant national authority to examine whether it fulfils the requirements.
The national authority might return the request with duly justified reservations, in which case the public body will consult with its national regulator and consider the considerations when resubmitting the request.
Dispute resolution
If the product manufacturer and the user disagree on the data sharing terms, they could refer the matter to a certified dispute settlement body. This possibility was also extended to the SMEs that have been imposed unfair contractual terms.
The dispute settlement bodies need to have non-discriminatory rules of procedure and assess fair access conditions, including compensation for making the data available to a business that is not an SME.
Differentiate timeline
The obligation to design the interfaces of connected devices so that the data can be easily exported will apply one year after the entry into the application of the Data Act. The measures against unfair contractual terms are intended for contracts concluded after the data law enters into application.
[Edited by Nathalie Weatherald]
Source: euractiv.com
