EU Council adopts negotiating mandate for the Data Act
On 24 February 2023 EU member states agreed a Council negotiating mandate for the Data Act, locking in positions on B2B/B2C data access, cloud switching, and safeguards for trade secrets ahead of trilogues.
The Council of the European Union agreed its negotiating position on the Data Act on 24 February 2023, establishing the co-legislator's mandate for trilogue discussions with the European Parliament. The Council position balances data access rights with intellectual property protections and addresses concerns about governmental access to European data held by cloud providers.
User Data Access Framework
Access by design requirements obligate manufacturers to design connected products enabling users to access their generated data directly and easily. Products must provide technical interfaces allowing data retrieval in commonly used, machine-readable formats without undue technical barriers.
Third-party sharing rights enable users to authorize data transmission to service providers of their choice, supporting competitive aftermarket services, data-driven innovations, and multi-vendor ecosystems. Data holders cannot impose unreasonable conditions on third-party access when authorized by users.
Compensation mechanisms permit data holders to charge reasonable compensation for making data available to third parties, reflecting costs of data provision rather than creating barriers to access. The Council position specifies that compensation must be transparent, non-discriminatory, and not exceed direct costs plus reasonable margin.
Business-to-Business Data Sharing
Contract fairness provisions establish protections against unfair terms in data sharing agreements, prohibiting clauses that create significant imbalances between parties' rights and obligations. These provisions protect smaller businesses from exploitative terms imposed by larger data holders.
Trade secret safeguards preserve intellectual property rights when complying with data access obligations. Data holders may implement technical measures protecting confidential business information and require recipients to maintain confidentiality, with expedited dispute resolution for trade secret claims.
SME protections provide improved safeguards for small and medium enterprises, including limits on compensation that can be charged and prohibitions on terms requiring SMEs to share derived insights beyond what is necessary for the original purpose.
Cloud Switching Provisions
Interoperability requirements oblige cloud service providers to enable customers to switch between providers and port data to alternative services without technical barriers. Providers must implement standardized interfaces and support commonly used data formats.
Switching fee limitations progressively reduce fees that cloud providers may charge for data migration services, with full elimination of switching fees after three-year transition periods. This addresses vendor lock-in concerns that have constrained cloud market competition.
Functional equivalence requirements ensure that exported data maintains functionality when transferred to alternative providers, preventing degradation that would effectively prevent switching even when data portability is technically possible.
Government Data Access
Public sector access provisions establish frameworks for government access to private sector data during emergencies and for statistical purposes. Access requests must show exceptional need, proportionality, and inability to obtain data through other means.
Third-country access restrictions prohibit compliance with foreign government data requests that would violate EU law, addressing concerns about extraterritorial reach of foreign surveillance laws. These provisions complement GDPR protections against unauthorized international disclosures.
Notification requirements obligate cloud providers to inform EU authorities of third-country government access requests and seek judicial review where possible before compliance. These mechanisms provide visibility into foreign government access patterns.
Trilogue Positioning
Key differences between Council and Parliament positions that must be resolved in trilogue include cloud switching timeline length, trade secret protection scope, and public sector access compensation requirements. Affected organizations should monitor negotiations for final text provisions affecting their data strategies.
Teams should begin assessing connected product portfolios for data access obligations, reviewing cloud contracts for switching provisions, and developing data governance frameworks addressing both B2B sharing and user access rights anticipated under the final regulation.