For most privacy professionals, the new EU Data Act might be equally, if not even more, relevant than the EU's Artificial Intelligence Act. Yet, so far, the Data Act largely flies under the radar of public attention.
It is, therefore, hardly surprising that the most recent event of the Munich, Germany IAPP KnowledgeNet Chapter — in cooperation with Germany's leading data law publication, ZD — dedicated to the Data Act saw a packed room and even a waiting list. Four speakers from academia, industry, supervisory authorities and law firms offered a 360-degree look at the Data Act and what it means in practice.
Here are some takeaways:
Sebastian Schlosser, head of public policy at BMW — a company in the crosshairs of the Data Act, given that cars or components thereof qualify as "connected products" or "related services" targeted by the regulation — kicked off the event. It was extremely interesting to hear first-hand how a major car manufacturer has implemented the act's requirements into its technology. In a nutshell, BMW started developing a concept for access to car data years ago, anticipating data access under the Data Act, but also under the data portability requirements of the EU General Data Protection Regulation. The concept allows customers — via an interface in the car — to access certain data generated by their cars and to authorize the secure sharing of such data with third parties.
Sebastian Schwamberger, who holds the junior professorship for Civil Law, Business Law and Digitalization Law at the University of Rostock and is a leading scholar on the Data Act, explored its contractual requirements and the possible private enforcement of contractual obligations. Schwamberger illustrated the complex relationships between the various stakeholders under the act — in addition to the data holder, the user and the data recipient, he also looked at manufacturers and sellers/distributors of connected products. To make the act work in practice, contracts between these stakeholders will be key. The act sets forth complex requirements regarding such contracts, thereby creating a novel "data law of obligations" that presents options for private enforcement.
Michael Will, president of the Bavarian State Office for Data Protection Supervision, provided insights on what the Data Act means for supervisory authorities. While the act states that the same supervisory authorities which are competent to enforce the GDPR shall also enforce the Data Act to the extent personal data is processed, some questions remain. Will pointed out that it is still unclear which authorities will enforce Data Act requirements not related to personal data and how their cooperation with data protection supervisory authorities will play out in practice. Finally, and most notably, according to Will, it remains unclear which rights and duties under the Data Act the data protection supervisory authorities should, in fact, enforce. A lot will depend on upcoming national legislation specifying the rather vague stipulations of the Data Act in that regard.
I had the pleasure of looking at the relationship between the Data Act and the GDPR. While the basic principles seem clear — the Data Act is "without prejudice" to the GDPR and, thus, the GDPR applies in parallel to any processing of personal data under the Data Act — the details of what this means in practice are far from clear. Complex questions arise if the user requesting access to personal data under the Data Act is not at the same time the data subject — think of a truck manufacturer as the data holder and a freight forwarding company as its customer and "user" in Data Act parlance. To exchange personal data in such cases, as required under the EU Data Act, both the data holder and the user need to demonstrate a GDPR legal basis for the disclosure and the collection of personal data, respectively. In practice, such a legal basis will often be hard to establish, leaving the data holder with the sole remaining option of anonymizing the personal data before complying with a data access request. However, anonymization is generally difficult and sometimes impossible to achieve in practice, given the rather unrealistic, and unclear, requirements defined by EU regulators. Consequently, data holders facing a data access request based on the EU Data Act will often face a dilemma: having to decide whether to comply with the Data Act or with the GDPR.
A discussion with the audience concluding the event showed that most participants struggle with these open questions around the Data Act. However, there were positive vibes as well, with many companies seeing the new law as an opportunity.
One thing seems clear to me: We at the IAPP have an important role to play in helping our members operationalize the Data Act.