The Data Act is a key measure for making more data available for use in line with EU rules and values and is a key pillar of the European strategy for data. It will make an important contribution to the digital transformation objective of the Digital Decade. The new measures complement the Data Governance Regulation proposed in November 2020, the first deliverable of the European strategy for data. While the Data Governance Regulation creates the processes and structures to facilitate data, the Data Act clarifies who can create value from data and under which conditions. 

The Data Act will ensure fairness by setting up rules regarding the use of data generated by Internet of Things (IoT) devices. It is also meant to provide some interesting changes to the digital realm, with the introduction of novel provisions on:

  • data access and portability in Chapter III of the current draft Act;
  • obligations of non-discrimination between affiliated service providers and third parties;
  • obligations for fair, reasonable and non-discriminatory terms, in a transparent manner and compliant with rules on contractual fairness captured in Chapter IV;
  • obligations for data holder and data recipient to agree on terms of making data available, such contract to be compliant with Chapter III.

It’s also interesting to note that the Data Act will provide for the development of interoperability standards for data to be reused between sectors, whilst supporting the setting of standards for ‘smart contracts’ and regulating smart contracts. A smart contract is defined in Article 2 of the proposed Act as ‘a computer program stored in an electronic ledger system wherein the outcome of the execution of the program is recorded on the electronic ledger’. The electronic ledger is in turn defined under Regulation (EU) No 910/2014 (eIDAS 1), a definition which might be deleted from the final text of eIDAS 2.

Chapter VIII sets out essential requirements regarding interoperability for operators of data spaces and data processing service providers, as well as essential requirements for smart contracts. The aim of the Data Act in this instance is to promote smart contract interoperability by laying down essential requirements for professionals who create smart contracts for others or integrate them in applications that support the implementation of agreements for sharing data. There will be a presumption of conformity with the essential requirements for smart contracts that meet harmonised standards or relevant parts of the Standardisation Regulation (No 1025/2012). Where harmonised standards do not exist, the Commission may take steps to develop and adopt them.

What are the requirements for smart contracts under the Data Act?

The requirements are laid out in Article 30. According to this Article, the vendor of an application using smart contracts or, in the absence thereof, the person whose trade, business, or profession involves the deployment of smart contracts for others in the context of an agreement to make data available shall comply with five essential requirements:

(a) robustness: ensure that the smart contract has been designed to offer a very high degree of robustness to avoid functional errors and to withstand manipulation by third parties;

(b) safe termination and interruption: ensure that a mechanism exists to terminate the continued execution of transactions: the smart contract shall include internal functions which can reset or instruct the contract to stop or interrupt the operation to avoid future (accidental) executions;

(c) data archiving and continuity: foresee, if a smart contract must be terminated or deactivated, a possibility to archive transactional data, the smart contract logic, and code to keep the record of the operations performed on the data in the past (auditability); and

(d) access control: a smart contract shall be protected through rigorous access control mechanisms at the governance and smart contract layers.

Under the same Article, the vendor of a smart contract or, in the absence thereof, the person whose trade, business, or profession involves the deployment of smart contracts for others in the context of an agreement to make data available shall perform a conformity assessment with a view to fulfilling the essential requirements under paragraph 1 and, on the fulfilment of the requirements, issue an EU declaration of conformity. A smart contract that meets the harmonised standards or the relevant parts thereof drawn up and published in the Official Journal of the European Union shall be presumed to be in conformity with the essential requirements under paragraph 1 of Article 30 to the extent those standards cover those requirements.

Where harmonised standards referred to in paragraph 4 of this Article do not exist or where the Commission considers that the relevant harmonised standards are insufficient to ensure conformity with the essential requirements in paragraph 1 of this Article in a cross-border context, the Commission may, by way of implementing acts, adopt common specifications in respect of the essential requirements set out in paragraph 1 of Article 30. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2) of the same Act.

What if the requirements for smart contracts under the Data Act are not met?

Conformity with the essential requirements will be assessed by the vendor or provider of the smart contract, who will then have to issue an EU declaration of conformity and becomes responsible for compliance with the essential requirements. It is unclear what “responsible” means in this context and whether there is any potential civil liability for users of the smart contract.

If a supplier does not provide a compliant smart contract, the consequences will be determined by applicable Member State law. This means that customers and possibly even third parties would be able to claim breach of contract and damages for non-compliance with the essential requirements.

What’s next?

The European Parliament adopted the text of the Act and this will now go to trilogue. When the Act is eventually approved, there will only be a 12-month national implementation period.


