European Data Act, Final Text



Preamble 1 to 10.


THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Central Bank,

Having regard to the opinion of the European Economic and Social Committee,

Having regard to the opinion of the Committee of the Regions,

Acting in accordance with the ordinary legislative procedure,

Whereas:


(1) In recent years, data-driven technologies have had transformative effects on all sectors of the economy. The proliferation of products connected to the internet in particular has increased the volume and potential value of data for consumers, businesses and society. High-quality and interoperable data from different domains increase competitiveness and innovation and ensure sustainable economic growth. The same data may be used and reused for a variety of purposes and to an unlimited degree, without any loss of quality or quantity.


(2) Barriers to data sharing prevent an optimal allocation of data for the benefit of society. Those barriers include a lack of incentives for data holders to enter voluntarily into data sharing agreements, uncertainty about rights and obligations in relation to data, the costs of contracting and implementing technical interfaces, the high level of fragmentation of information in data silos, poor metadata management, the absence of standards for semantic and technical interoperability, bottlenecks impeding data access, a lack of common data sharing practices and the abuse of contractual imbalances with regard to data access and use.


(3) In sectors characterised by the presence of microenterprises, small enterprises and medium-sized enterprises as defined in Article 2 of the Annex to Commission Recommendation 2003/361/EC (SMEs), there is often a lack of digital capacities and skills to collect, analyse and use data, and access is frequently restricted where one actor holds them in the system or due to a lack of interoperability between data, between data services or across borders.


(4) In order to respond to the needs of the digital economy and to remove barriers to a well-functioning internal market for data, it is necessary to lay down a harmonised framework specifying who is entitled to use product data or related service data, under which conditions and on what basis. Accordingly, Member States should not adopt or maintain additional national requirements regarding matters falling within the scope of this Regulation, unless explicitly provided for herein, since this would affect its direct and uniform application. Moreover, action at Union level should be without prejudice to obligations and commitments in the international trade agreements concluded by the Union.


(5) This Regulation ensures that users of a connected product or related service in the Union can access, in a timely manner, the data generated by the use of that connected product or related service and that those users can use the data, including by sharing them with third parties of their choice. It imposes the obligation on data holders to make data available to users and third parties of the user’s choice in certain circumstances. It also ensures that data holders make data available to data recipients in the Union under fair, reasonable and non-discriminatory terms and conditions and in a transparent manner.

Private law rules are key in the overall framework for data sharing. Therefore, this Regulation adapts rules of contract law and prevents the exploitation of contractual imbalances that hinder fair access to and use of data. This Regulation also ensures that data holders make available to public sector bodies, the Commission, the European Central Bank or Union bodies, where there is an exceptional need, the data that are necessary for the performance of a specific task carried out in the public interest. In addition, this Regulation seeks to facilitate switching between data processing services and to enhance the interoperability of data and of data sharing mechanisms and services in the Union. This Regulation should not be interpreted as recognising or conferring any new right on data holders to use data generated by the use of a connected product or related service.


(6) Data generation is the result of the actions of at least two actors, in particular the designer or manufacturer of a connected product, who may in many cases also be a provider of related services, and the user of the connected product or related service. It gives rise to questions of fairness in the digital economy as the data recorded by connected products or related services are an important input for aftermarket, ancillary and other services.

In order to realise the important economic benefits of data, including by way of data sharing on the basis of voluntary agreements and the development of data-driven value creation by Union enterprises, a general approach to assigning rights regarding access to and the use of data is preferable to awarding exclusive rights of access and use. This Regulation provides for horizontal rules which could be followed by Union or national law that addresses the specific situations of the relevant sectors.


(7) The fundamental right to the protection of personal data is safeguarded, in particular, by Regulations (EU) 2016/679 and (EU) 2018/1725 of the European Parliament and of the Council. Directive 2002/58/EC of the European Parliament and of the Council additionally protects private life and the confidentiality of communications, including by way of conditions on any personal and non-personal data storing in, and access from, terminal equipment.

Those Union legislative acts provide the basis for sustainable and responsible data processing, including where datasets include a mix of personal and non-personal data. This Regulation complements and is without prejudice to Union law on the protection of personal data and privacy, in particular Regulations (EU) 2016/679 and (EU) 2018/1725 and Directive 2002/58/EC.

No provision of this Regulation should be applied or interpreted in such a way as to diminish or limit the right to the protection of personal data or the right to privacy and confidentiality of communications. Any processing of personal data pursuant to this Regulation should comply with Union data protection law, including the requirement of a valid legal basis for processing under Article 6 of Regulation (EU) 2016/679 and, where relevant, the conditions of Article 9 of that Regulation and of Article 5(3) of Directive 2002/58/EC.

This Regulation does not constitute a legal basis for the collection or generation of personal data by the data holder. This Regulation imposes an obligation on data holders to make personal data available to users or third parties of a user’s choice upon that user’s request. Such access should be provided to personal data that are processed by the data holder on the basis of any of the legal bases referred to in Article 6 of Regulation (EU) 2016/679.

Where the user is not the data subject, this Regulation does not create a legal basis for providing access to personal data or for making personal data available to a third party and should not be understood as conferring any new right on the data holder to use personal data generated by the use of a connected product or related service. In those cases, it could be in the interest of the user to facilitate meeting the requirements of Article 6 of Regulation (EU) 2016/679. As this Regulation should not adversely affect the data protection rights of data subjects, the data holder can comply with requests in those cases, inter alia, by anonymising personal data or, where the readily available data contains personal data of several data subjects, transmitting only personal data relating to the user.


(8) The principles of data minimisation and data protection by design and by default are essential when processing involves significant risks to the fundamental rights of individuals. Taking into account the state of the art, all parties to data sharing, including data sharing falling within scope of this Regulation, should implement technical and organisational measures to protect those rights. Such measures include not only pseudonymisation and encryption, but also the use of increasingly available technology that permits algorithms to be brought to the data and allow valuable insights to be derived without the transmission between parties or unnecessary copying of the raw or structured data themselves.


(9) Unless otherwise provided for in this Regulation, it does not affect national contract law, including rules on the formation, validity or effect of contracts, or the consequences of the termination of a contract. This Regulation complements and is without prejudice to Union law which aims to promote the interests of consumers and ensure a high level of consumer protection, and to protect their health, safety and economic interests, in particular Council Directive 93/13/EEC and Directives 2005/29/EC and 2011/83/EU of the European Parliament and of the Council.


(10) This Regulation is without prejudice to Union and national legal acts providing for the sharing of, access to and the use of data for the purpose of the prevention, investigation, detection or prosecution of criminal offences or for the execution of criminal penalties, or for customs and taxation purposes, irrespective of the legal basis under the Treaty on the Functioning of the European Union (TFEU) on which such Union legal acts were adopted, as well as to international cooperation in that area, in particular on the basis of the Council of Europe Convention on Cybercrime, (ETS No 185), done at Budapest on 23 November 2001.

Such acts include Regulations (EU) 2021/784, (EU) 2022/2065 and (EU) 2023/1543 of the European Parliament and of the Council and Directive (EU) 2023/1544 of the European Parliament and of the Council. This Regulation does not apply to the collection or sharing of, access to or the use of data under Regulation (EU) 2015/847 of the European Parliament and of the Council and Directive (EU) 2015/849 of the European Parliament and of the Council.

This Regulation does not apply to areas that fall outside the scope of Union law and in any event does not affect the competences of the Member States concerning public security, defence or national security, customs and tax administration or the health and safety of citizens, regardless of the type of entity entrusted by the Member States to carry out tasks in relation to those competences.