Third-Party Data Sharing: A Matter of Empathy (Pt 1) - Examining the Permission to Transfer Data to External Entities

Third-Party Data Sharing: A Matter of Empathy (Pt 1) - Examining the Permission to Transfer Data to External Entities

In a significant move towards data transparency and control, the European Union has introduced the EU Data Act, a comprehensive regulation aimed at revolutionising data sharing between users, data holders, and third parties. The Act establishes key obligations and rights, ensuring data is easily and seamlessly available while maintaining privacy and security.

## Regulation of Data Sharing

Under the EU Data Act, users are granted the right to access their data free of charge, in a format that is machine-readable and readily available in real-time where technically feasible (Article 4). Users can also instruct data holders to share their data with third parties, without incurring any charges (Article 5). Data holders, on the other hand, are obliged to make the data available upon request, subject to fair compensation from the third-party recipients for the costs incurred in making the data available (Article 5).

## Obligations for Data Recipients

Data recipients, including third parties, are bound by several obligations. They must use the data in accordance with the terms agreed upon with the user or data holder, respect privacy and data protection laws, and handle the shared data securely and in compliance with relevant regulations (Article 6). Additionally, data recipients must respect trade secrets, as the Data Act provides robust protections for legitimate trade secrets under specific conditions (Article 7).

## Transparency and Contractual Obligations

The EU Data Act also emphasises transparency. Before concluding a purchase, rental, or leasing contract for connected products, manufacturers must provide users with clear information about data collection, access, and use practices (Article 8). The Act also changes what is permissible in data-related contracts by identifying unfair terms, such as those preventing access to generated data or limiting remedies for breach (Article 9).

As the next edition of our article-series unfolds, we will delve deeper into how the Data Act balances data sharing and access rights with the protection of trade secrets. In the meantime, every business that collects or receives data should carefully consider the Data Act's obligations in preparation.

The EU Data Act sets clear obligations for data recipients, including limiting use to a purpose-bound scope and not retaining data longer than necessary to fulfil the agreed purpose. When data is shared in business-to-business relations, the data holder is entitled to receive compensation reflecting real, verifiable expenses, but unjustified or excessive pricing is prohibited.

It is crucial to ensure that contracts are fully aligned with the obligations set by the Data Act. If a data holder refuses to transfer data, users can challenge such refusals before competent authorities or designated dispute resolution bodies. However, it is worth noting that the right to data sharing is not without limits; designated gatekeepers under the Digital Markets Act may never act as data recipients.

Safeguards should be implemented to ensure data is shared only with authorised data recipients. If you require assistance regarding the Data Act, you can contact dataact-vienna@our website. The EU Data Act is a significant step towards empowering users, fostering competition, and promoting a digital economy that is open, fair, and prosperous.

1. Under the EU Data Act, data recipients, whether they are third parties or businesses, are required to use the shared data only for the agreed purpose and not retain it beyond what is necessary to fulfill that purpose. Unjustified or excessive pricing in such transactions is prohibited.
2. In business-to-business data sharing, the data holder is entitled to receive fair compensation from the recipients for the costs incurred in making the data available. However, users have the right to challenge any refusal by the data holder to transfer data before competent authorities or designated dispute resolution bodies.

Read also: