As is well known, the purpose of the Data Act – specified in Recital (4) thereof – is “to lay down a harmonised framework specifying who is entitled to use product data or related service data, under which conditions and on what basis.”
Recital (5) below indicates how the European legislator intended to achieve this goal: through the approval of this regulation that “ensures that users of a connected product or related service in the Union can access, in a timely manner, the data generated by the use of that connected product or related service and that those users can use the data, including by sharing them with third parties of their choice. It imposes the obligation on data holders to make data available to users and third parties of the user’s choice in certain circumstances. It also ensures that data holders make data available to data recipients in the Union under fair, reasonable and non-discriminatory terms and conditions and in a transparent manner.”
We resume our analysis of the Data Act [Regulation (EU) 2023/2854] from the perspective of its points of contact and interactions with the rules on the protection of personal data and on privacy in electronic communications (e-Privacy).
The previous bulletin on the topic is that of January 11, 2024.
Primacy of GDPR and e-Privacy
The primacy of GDPR and e-Privacy over other acts of EU law dealing with data is first and foremost ensured by the treaties themselves, in particular, the Treaty on the Functioning of the European Union (Art. 16, TFEU) and the EU Charter of Fundamental Rights (Art. 8, Charter).
The same is explicitly confirmed within the Data Act.
When the information in question is personal data or mixed data – that is, inextricably linked personal and non-personal data – or is information involving electronic communications, its use is regulated by the data protection regulations (GDPR as well as Regulation (EU) 2018/1725, or EUDPR) and the ePrivacy Directive (2002/58/EC), respectively. In case of conflict, the rules of GDPR, EUDPR and ePrivacy, as well as the national law implementing or adapting them (such as the Italian Privacy Code), take precedence over the provisions of the Data Act [Recital (7) and Art. 1(5), Data Act]. Where a situation falls within the scope of the Data Act and personal data are present, the requirements of the Data Act, as a special law, apply to supplement rather than replace those on data protection.
In this regard, when users are the data subjects, the access and portability rights regulated by the Data Act complement the similar rights regulated by Articles 15 and 20 of the GDPR.
Lawfulness of use of personal data
Given the primacy of the applicable data protection law (GDPR, EUDPR, ePrivacy), the use of personal data under the Data Act framework is legitimate only if both the data holder and the data user (if the latter is not the data subject) can rely on one of the legal bases exhaustively provided for in Article 6 of the GDPR and, where the information belongs to special categories of personal data, if the circumstances also satisfy one of the derogations listed in Article 9. This implies that the data holder must be able to base its processing on one of these legal bases and, where relevant, one of those derogations, both for carrying out the processing and for communicating the data to the user; likewise, the data user, if it is a party other than the data subject, must be able to substantiate the legal basis of its own processing.
It is only by giving proper emphasis to these assumptions that the Data Act’s obligation on data controllers “at the request of a user, to make personal data available to users and to third parties chosen by the user” is properly interpreted.