The European Commission has set up an expert group to develop model contractual terms for data access and use and standard contractual clauses for cloud computing under the EU’s Data Act, and is now inviting stakeholders to discuss the drafts.
The Data Act came into force on 11 January 2024. “Interestingly, it did not have the anticipated massive impact that a new area of law – the data law – with obligations as far-reaching as the GDPR, would have suggested. Instead, it was introduced rather quietly and discreetly,” said Maximilian Gärtner, a data law expert at Pinsent Masons.
The Data Act is designed to enhance the EU’s data economy by making data, particularly data generated by internet-of-things devices, more accessible and usable. Its primary goals are to foster a competitive data market, encourage data-driven innovation, and increase data availability. The Data Act strives to ensure fairness in the allocation of data value among all actors in the data economy, clarify who can use what data and under which conditions, and establishes general conditions for data sharing between businesses and public sector bodies. Additionally, it aims to protect companies from unfair contractual terms related to data sharing and includes measures to increase fairness and competition in the European cloud market.
With the Data Act nearing its first anniversary and key provisions taking effect on 12 September 2025, many companies are engaging their business units in comprehensive data mapping exercises. Those data mapping exercises are conducted to identify on the one hand data subject to the Data Act and, on the other hand, trade secrets, to ensure those retain maximum protection. Businesses are also redesigning their IT infrastructure to meet new data access and interoperability obligations and to comply with extensive new information and transparency requirements.
“Businesses that monetise user data are even further ahead and have developed data license agreements to ensure the legality and usability of product data and related services data collected,” said Florian von Baum, technology law expert at Pinsent Masons.
Additional comprehensive contractual guidance, albeit non-binding, will soon be provided by the Commission as article 41 of the Data Act obliges the Commission to develop and recommend non-binding model contractual terms (MCTs) on data access and use – including terms on reasonable compensation and the protection of trade secrets – and non-binding standard contractual clauses (SCCs) for cloud computing contracts to assist parties in drafting and negotiating contracts with fair, reasonable and non-discriminatory contractual rights and obligations by 12 September 2025.
Throughout November and December 2024, the Commission will be hosting a series of six webinars with businesses, policymakers, lawyers and experts to discuss the draft SCCs and MCTs.
The webinars on SCCs will cover topics such as switching and exit, termination, security and business continuity, liability, and the non-amendment clause.
The webinars on MCTs are intended to clarify the various contractual relationships among data holders, user and data recipients, including contracts between data holders and data users, as well as the data use by the data holder, arrangements for access to data by the user and transfer of the connected product to successors, contracts between data holders and data recipients but also the link with the user's request, the contract between the data recipient and the user, as well as the ways in which data can be accessed by the data recipient and reasonable compensation for making data available agreed between data holders and data recipients under the Data Act, as well as possible compensation for the user in exchange of access and use of the data by the data holder in certain circumstances - for example when the user agrees not to share the data with other entities.
“The model SCCs and MCTs are primarily intended to provide a framework for small and medium-sized enterprises that lack the resources to draft and negotiate new contracts for cloud computing or data sharing independently”, Gärtner said. “Additionally, these SCCs and MCTs will offer further insight into the Commission’s interpretation of the Data Act, complementing the recently published FAQs. It will be intriguing to observe how receptive the Commission is to suggestions from webinar participants, and to identify instances where it may be advisable to diverge from the Commission's non-binding guidance. We will monitor these developments closely and keep our clients updated.”