Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains. 

This is the second article in a five-part series on the EU Data Act. The first article, "EU Data Act operational impacts: Introducing the Data Act," explores the creation of the Data Act, its objectives, the negotiation backdrop, and how it fits within the EU's digital rulebook.

The scope of the Data Act covers data access and sharing between businesses, consumers, and governments. It operates alongside other key regulations, including the Digital Services Act, Digital Markets Act, Artificial Intelligence Act and EU General Data Protection Regulation. The DSA regulates online intermediaries and platforms to ensure user safety and transparency; the DMA targets large gatekeeper platforms with specific obligations to promote fairness and contestability in digital markets; and the AI Act governs artificial intelligence.

These acts set the scene for digital service providers but look at them from different angles. They need to be read in conjunction with the Data Act not only to understand the scope of obligations of service providers but also the scope of service user rights.

Classification of data 

The GDPR covers personal data that is understood as information relating to an identified or identifiable natural person. Under the Data Act and DMA, data means any digital representation of acts, facts or information and any compilation of such acts, facts or information. 

On the one hand, the data under the Data Act and DMA covers personal data under the GDPR. On the other hand, the data under these acts does not include non-digital personal data. The personal data covered by the AI Act includes all data as understood under the GDPR, including non-digital.

What is more, under the Data Act, personal and non-personal data that are inextricably linked in a dataset are subject to the rules of the GDPR. Data holders who fall under the Data Act, AI Act and GDPR need to take these discrepancies into account. 

Roles and responsibilities

Another challenge relates to roles under these acts and responsibilities related thereto. It’s possible that a data holder under the Data Act will also have the role of service provider under the DSA, gatekeeper under the DMA, deployer under the AI Act and controller under the GDPR. However, it’s also possible the data holder under the Data Act will meet prerequisites of other actors under the other acts — for example, a data processor under the GDPR or a provider under the AI Act.

A data holder under the Data Act is a natural or legal person that has the right or obligation, in accordance with applicable law, to use and make available data, including, where contractually agreed, product data or related service data that it has retrieved or generated during the provision of a related service. The data holder is responsible for making data accessible or available to users of connected products or related services, providing the users with information on the data, and making the data available to third parties at the request of the user. 

The obligations under the DSA, DMA, AI Act and GDPR can further extend or supplement the obligations provided in the Data Act with additional requirements, such as information used to determine an advertisement's recipients, as specified by the DSA, or details on interactions with AI systems, as provided in the AI Act. This information may include data within the meaning of the Data Act, which, again, may influence the scope of obligations of a data holder.

Data recipients

Another interesting interplay relates to the notion of recipients under the Data Act, DSA and GDPR. A "data recipient" under the Data Act means a natural or legal person, acting for purposes which are related to that person’s trade, business, craft or profession, other than the user of a connected product or related service. A data holder can make data available to this recipient or a third party, following a request by the user to the data holder or in accordance with applicable law.

A "recipient" under the GDPR is understood more widely — as any natural or legal person to which the personal data are disclosed, no matter whether this is related to that person’s trade, business, craft or profession or whether this person needs it for their own purposes. 

A "recipient" of the service under the DSA means any natural or legal person who uses an intermediary service. Because recipients have varying obligations and rights under these acts and a service provider or controller may have an obligation to disclose who they are, it’s important for an entity to carefully consider which recipient it has. 

Moreover, the possibility of disclosing personal data to a data recipient under the Data Act is subject to securing a legal basis for such data processing under the GDPR. Provisions of the Data Act do not provide for such a legal basis even though they constitute an obligation for a service provider.

Access rights

Connected products and related services under the Data Act shall be designed and provided in such a manner that the "data" within the meaning of this act is accessible to the user — by default, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format, and, where relevant and technically feasible, directly. 

When the user cannot directly access data from the connected product or related service, data holders must provide access without delay, easily, securely and free of charge. It should be accessible in a comprehensive, structured, commonly used and machine-readable format and, when possible, continuously and in real-time. This right may be contractually limited in case the processing could undermine security requirements of the connected product. Moreover, this right may be limited by trade secrets of a data holder or a trade secret holder.

Under the DMA, a gatekeeper must provide end users with effective portability for all data provided by the end user or generated through their activity on the relevant core platform service, which includes providing continuous and real-time access to that data. This access right meets the requirements of the GDPR.

Additionally, under the AI Act, a person affected by a deployer's decision, based on the output from a high-risk AI system, has the right to an explanation. This right applies when the decision produces legal effects or similarly significantly affects that person in a way that they consider to have an adverse impact on their health, safety or fundamental rights. It includes the right to obtain clear and meaningful explanations of the AI system's role and the main elements of the decision.

All these accessibility rights supplement the right to access personal data under the GDPR. The application of accessibility rights should not adversely affect the rights of a data subject under the GDPR, even where such rights limit the right to access personal data. A service provider faces a challenge in providing requested information, specifically when balancing the need to protect its trade secrets against the risk of qualifying a majority of data about a user as personal data. 

Data portability

The Data Act requires service providers to take measures that enable customers to switch to a data processing service offered by a different provider — or to use several providers of data processing services at the same time. For this reason, service providers shall enable customers to port their exportable data and digital assets to a different provider. This right to data portability may be limited due to a risk of breach of trade secrets. 

Similarly, under the DMA, a gatekeeper shall not restrict, technically or otherwise, the ability of end users to switch between and subscribe to different software applications and services. This includes applications and services that are accessed using the gatekeeper's core platform services, as well as the end user's choice of internet access services. The gatekeeper shall provide effective data portability for end-user data — both for the data the end user provides and data generated from their activity on the core platform service. This includes providing, free of charge, tools to facilitate the effective exercise of this right.

Again, these portability rights supplement the right to data portability under the GDPR. However, these acts have differences that enable a broader scope of data transfer than that permitted in the GDPR. The right to data portability in the GDPR is related to processing personal data on the basis of consent or where it is necessary to exercise a contract. Other above-mentioned acts do not provide for such limitations. As a result, data may also be ported in cases where processing is based on another legal basis, such as legitimate interest.

Summary

The Data Act clarifies the rules for creating value from data. It complements the GDPR but does not override it; when personal data is concerned, the GDPR prevails. Cross-references with other acts in the EU digital rulebook are not so easy to decipher. When multiple factors apply, a service provider needs to account for all exemptions and specific rules to accurately assess its complete obligations and users’ rights. 

Anna Kobylańska is a partner at Kobylańska Lewoszewski Mednis Law Firm focusing on privacy, intellectual property and new technologies.