European Data Act, Final Text

Preamble 101 to 110.

(101) Third countries may adopt laws, regulations and other legal acts that aim to directly transfer or provide governmental access to non-personal data located outside their borders, including in the Union.

Judgments of courts or tribunals or decisions of other judicial or administrative authorities, including law enforcement authorities in third countries requiring such transfer or access to non-personal data should be enforceable when based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State.

In other cases, situations may arise where a request to transfer or provide access to non-personal data arising from a third country law conflicts with an obligation to protect such data under Union law or under the national law of the relevant Member State, in particular regarding the protection of fundamental rights of the individual, such as the right to security and the right to an effective remedy, or the fundamental interests of a Member State related to national security or defence, as well as the protection of commercially sensitive data, including the protection of trade secrets, and the protection of intellectual property rights, including its contractual undertakings regarding confidentiality in accordance with such law.

In the absence of international agreements regulating such matters, transfer of or access to non-personal data should be allowed only if it has been verified that the third country’s legal system requires the reasons and proportionality of the decision to be set out, that the court order or the decision is specific in character, and that the reasoned objection of the addressee is subject to a review by a competent third-country court or tribunal which is empowered to take duly into account the relevant legal interests of the provider of such data.

Wherever possible under the terms of the data access request of the third country’s authority, the provider of data processing services should be able to inform the customer whose data are being requested before granting access to those data in order to verify the presence of a potential conflict of such access with Union or national law, such as that on the protection of commercially sensitive data, including the protection of trade secrets and intellectual property rights and the contractual undertakings regarding confidentiality.

(102) To foster further trust in data, it is important that safeguards to ensure control of their data by Union citizens, the public sector bodies and businesses are implemented to the extent possible. In addition, Union law, values and standards regarding, inter alia, security, data protection and privacy, and consumer protection should be upheld.

In order to prevent unlawful governmental access to non-personal data by third-country authorities, providers of data processing services subject to this Regulation, such as cloud and edge services, should take all reasonable measures to prevent access to systems on which non-personal data are stored, including, where relevant, through the encryption of data, frequent submission to audits, verified adherence to relevant security reassurance certification schemes, and by the modification of corporate policies.

(103) Standardisation and semantic interoperability should play a key role to provide technical solutions to ensure interoperability within and among common European data spaces which are purpose or sector specific or cross-sectoral interoperable frameworks for common standards and practices to share or jointly process data for, inter alia, the development of new products and services, scientific research or civil society initiatives.

This Regulation lays down certain essential requirements for interoperability. Participants in data spaces that offer data or data services to other participants, which are entities facilitating or engaging in data sharing within common European data spaces, including data holders, should comply with those requirements insofar as elements under their control are concerned.

Compliance with those rules can be ensured by adhering to the essential requirements laid down in this Regulation, or presumed by complying with harmonised standards or common specifications via a presumption of conformity. In order to facilitate conformity with the requirements for interoperability, it is necessary to provide for a presumption of conformity of interoperability solutions that meet harmonised standards or parts thereof in accordance with Regulation (EU) No 1025/2012, which represents the framework by default to elaborate standards that provide for such presumptions.

The Commission should assess barriers to interoperability and prioritise standardisation needs, on the basis of which it may request one or more European standardisation organisations, pursuant to Regulation (EU) No 1025/2012, to draft harmonised standards which satisfy the essential requirements laid down in this Regulation. Where such requests do not result in harmonised standards or such harmonised standards are insufficient to ensure conformity with the essential requirements of this Regulation, the Commission should be able to adopt common specifications in those areas provided that in so doing it duly respects the role and functions of standardisation organisations.

Common specification should be adopted only as an exceptional fall-back solution to facilitate compliance with the essential requirements of this Regulation, or when the standardisation process is blocked, or when there are delays in the establishment of appropriate harmonised standards. Where a delay is due to the technical complexity of the standard in question, this should be considered by the Commission before contemplating the establishment of common specifications.

Common specifications should be developed in an open and inclusive manner and take into account, where relevant, the advice of the European Data Innovation Board (EDIB) established by Regulation (EU) 2022/868. Additionally, common specifications in different sectors could be adopted, in accordance with Union or national law, on the basis of specific needs of those sectors. Furthermore, the Commission should be enabled to mandate the development of harmonised standards for the interoperability of data processing services.

(104) To promote the interoperability of tools for the automated execution of data sharing agreements, it is necessary to lay down essential requirements for smart contracts which professionals create for others or integrate in applications that support the implementation of agreements for data sharing.

In order to facilitate the conformity of such smart contracts with those essential requirements, it is necessary to provide for a presumption of conformity of smart contracts that meet harmonised standards or parts thereof in accordance with Regulation (EU) No 1025/2012. The notion of ‘smart contract’ in this Regulation is technologically neutral. Smart contracts can, for example, be connected to an electronic ledger.

The essential requirements should apply only to the vendors of smart contracts, although not where they develop smart contracts in-house exclusively for internal use. The essential requirement to ensure that smart contracts can be interrupted and terminated implies mutual consent by the parties to the data sharing agreement. The applicability of the relevant rules of civil, contractual and consumer protection law to data sharing agreements remains or should remain unaffected by the use of smart contracts for the automated execution of such agreements.

(105) To demonstrate fulfilment of the essential requirements of this Regulation, the vendor of a smart contract, or in the absence thereof, the person whose trade, business or profession involves the deployment of smart contracts for others in the context of executing an agreement or part of it, to make data available in the context of this Regulation, should perform a conformity assessment and issue an EU declaration of conformity.

Such a conformity assessment should be subject to the general principles set out in Regulation (EC) No 765/2008 of the European Parliament and of the Council and Decision No 768/2008/EC of the European Parliament and of the Council.

(106) Besides the obligation on professional developers of smart contracts to comply with essential requirements, it is also important to encourage those participants within data spaces that offer data or data-based services to other participants within and across common European data spaces to support interoperability of tools for data sharing including smart contracts.

(107) In order to ensure the application and enforcement of this Regulation, Member States should designate one or more competent authorities. If a Member State designates more than one competent authority, it should also designate from among them a data coordinator. Competent authorities should cooperate with each other.

Through the exercise of their powers of investigation in accordance with applicable national procedures, competent authorities should be able to search for and obtain information, in particular in relation to the activities of entities within their competence and, including in the context of joint investigations, with due regard to the fact that oversight and enforcement measures concerning an entity under the competence of another Member State should be adopted by the competent authority of that other Member State, where relevant, in accordance with the procedures relating to cross-border cooperation.

Competent authorities should assist each other in a timely manner, in particular when a competent authority in a Member State holds relevant information for an investigation carried out by the competent authorities in other Member States, or is able to gather such information to which the competent authorities in the Member State where the entity is established do not have access. Competent authorities and data coordinators should be identified in a public register maintained by the Commission.

The data coordinator could be an additional means for facilitating cooperation in cross-border situations, such as when a competent authority from a given Member State does not know which authority it should approach in the data coordinator’s Member State, for example where the case is related to more than one competent authority or sector.

The data coordinator should act, inter alia, as a single point of contact for all issues related to the application of this Regulation. Where no data coordinator has been designated, the competent authority should assume the tasks assigned to the data coordinator under this Regulation.

The authorities responsible for the supervision of compliance with data protection law and competent authorities designated under Union or national law should be responsible for the application of this Regulation in their areas of competence. In order to avoid conflicts of interest, the competent authorities responsible for the application and enforcement of this Regulation in the area of making data available following a request on the basis of an exceptional need should not benefit from the right to submit such a request.

(108) In order to enforce their rights under this Regulation, natural and legal persons should be entitled to seek redress for infringements of their rights under this Regulation by lodging complaints. The data coordinator should, upon request, provide all the necessary information to natural and legal persons for the lodging of their complaints with the appropriate competent authority.

Those authorities should be obliged to cooperate to ensure a complaint is appropriately handled and resolved effectively and in a timely manner. In order to make use of the consumer protection cooperation network mechanism and to enable representative actions, this Regulation amends the Annexes to Regulation (EU) 2017/2394 of the European Parliament and of the Council and Directive (EU) 2020/1828 of the European Parliament and of the Council.

(109) Competent authorities should ensure that infringements of the obligations laid down in this Regulation are subject to penalties. Such penalties could include financial penalties, warnings, reprimands or orders to bring business practices into compliance with the obligations imposed by this Regulation.

Penalties established by the Member States should be effective, proportionate and dissuasive, and should take into account the recommendations of the EDIB, thus contributing to achieving the greatest possible level of consistency in the establishment and application of penalties. Where appropriate, competent authorities should make use of interim measures to limit the effects of an alleged infringement while the investigation of that infringement is ongoing.

In so doing, they should take into account, inter alia the nature, gravity, scale and duration of the infringement in view of the public interest at stake, the scope and kind of activities carried out, and the economic capacity of the infringing party. They should also take into account whether the infringing party systematically or recurrently fails to comply with its obligations under this Regulation.

In order to ensure that the principle of ne bis in idem is respected, and in particular to avoid that the same infringement of the obligations laid down in this Regulation is penalised more than once, a Member State that intends to exercise its competence in relation to an infringing party that is not established and has not designated a legal representative in the Union should, without undue delay, inform all data coordinators as well as the Commission.

(110) The EDIB should advise and assist the Commission in coordinating national practices and policies on the topics covered by this Regulation as well as in delivering on its objectives in relation to technical standardisation to enhance interoperability. It should also play a key role in facilitating comprehensive discussions between competent authorities concerning the application and enforcement of this Regulation. That exchange of information is designed to increase effective access to justice as well as enforcement and judicial cooperation across the Union.

Among other functions, the competent authorities should make use of the EDIB as a platform to evaluate, coordinate and adopt recommendations on the setting of penalties for infringements of this Regulation. It should allow for competent authorities, with the assistance of the Commission, to coordinate the optimal approach to determining and imposing such penalties. That approach prevents fragmentation while allowing for Member State’s flexibility and should lead to effective recommendations that support the consistent application of this Regulation.

The EDIB should also have an advisory role in the standardisation processes and the adoption of common specifications by means of implementing acts, in the adoption of delegated acts to establish a monitoring mechanism for switching charges, imposed by providers of data processing services and to further specify the essential requirements for the interoperability of data, of data sharing mechanisms and services, as well as of the common European data spaces. It should also advise and assist the Commission in the adoption of the guidelines laying down interoperability specifications for the functioning of the common European data spaces.