Expect DPAs to Engage Early With EU Data Act, Lawyer Says
The EU Data Act, which takes effect Sept. 12, is awash with uncertainties that will likely spark challenges from consumer and plaintiff lawyers and impel data protection authorities (DPAs) to "become active very early on," Latham & Watkins data, cyber and tech lawyer Tim Wybitul told Privacy Daily this week.
The legislation is part of a package of rules that the EU adopted to facilitate the reuse and sharing of data to boost Europe's economy, noted Isabelle Roccia, IAPP's managing director for Europe, in an Aug. 21 opinion piece.
The Data Act creates rules about who can access and use industrial data generated by connected products in the EU across all economic sectors, she said.
Among other provisions, the law introduces new service-switching requirements on providers of data processing services, Wybitul and colleagues wrote in a law firm blog post last week. The definition of data processing services encompasses infrastructure-as-a-service, platform-as-a-service and software-as-a-service, they added.
The lawyers also noted that, as with other EU digital laws, the Data Act is extraterritorial and covers providers of data processing services, wherever they are, if they provide services to customers in the EU or place products on the EU market.
The main provisions on data processing services take effect Sept. 12, and they relate to removing obstacles to effective switching by customers, the firm wrote. Providers may not impose, and must remove, barriers that keep customers from terminating contracts and porting data and digital assets, among other requirements.
There are likely to be significant fines for violating the act, but they will be set at the national level and are expected to be published by Sept. 12, the Latham & Watkins lawyers said. "As with the EU GDPR [General Data Protection Regulation], these fines must be effective, proportionate and dissuasive."
The Data Act's complex interaction with other laws, such as the GDPR, "presents a compliance challenge even for large-scale providers," the firm added.
Against this backdrop, "we expect that consumer lawyers, plaintiff attorneys, and associations in particular will make use of these new uncertainties," Wybitul told us in an email Monday.
DPAs will likely become engaged quickly, since they already have extensive experience in monitoring data processing, and will play a key role under the Data Act, the attorney said. The biggest challenges currently lie in implementing individual obligations and determining the scope of the law, he added.
The definition of connected products and related services is "extremely vague," leaving many companies unsure of which of their products and offerings actually fall under the new rules, he said. While there's general agreement that smartwatches, smartphones and probably tablets are covered, "it is completely unclear how to deal with traditional computers or websites." The uncertainty makes preparing to comply more difficult, he said.
In addition, the distinction between personal and nonpersonal data "is hardly workable in practice," Wybitul said. Datasets generated when using connected products are nearly always a mixture of both, and technical separation is rarely possible.
The legal distinction is also difficult, since the GDPR's requirements determining when data is truly anonymous "are very vague and depend on the individual case," he said. "These issues will certainly keep us and the affected companies busy for quite some time."