European Commission presents draft model contractual terms for access to data

At the end of last year the European Commission organised a series of seminars on the EU’s Data Act, which is due to start applying in the course of 2025.  The Act establishes harmonised rules for fair access to and use of data within the EU, aiming to remove barriers to data sharing. It ensures that users of connected products can access and share data generated by these products, while imposing obligations on data holders to provide data under fair, reasonable, and non-discriminatory terms. The Data Act also includes provisions on switching data processing services.

Before most provisions of the Act become applicable in September 2025, the Commission is tasked with developing and recommending non-binding model contractual terms (MCTs) on data access and use. These terms include provisions on reasonable compensation and the protection of trade secrets. Additionally, the Act mentions non-binding standard contractual clauses (SCCs) for cloud computing contracts to assist parties in drafting and negotiating contracts with fair, reasonable, and non-discriminatory rights and obligations.

Data access and use for data holders and users of connected products

In this section, we highlight the draft model contractual terms on data access and use for data holders and users of connected products and related services, as well as the model contractual terms on data access and use between data holders and recipients. These draft terms were discussed in online seminars organised by the Commission at the end of 2024, as part of a six-part series on the Data Act. It became clear that the Commission was primarily interested in collecting feedback from the audience on these Model Contractual Terms rather than providing guidance beyond the already published FAQ on the Data Act.

Several polls were included to stimulate discussion, such as how data holders could appropriately identify users and whether users might want to restrict their use and sharing of data with third parties. While some questions were in a yes/no format, most were open-ended. The draft model contractual terms shared by the Commission were somewhere between brainstorming notes and a first draft, indicating that much work remains to be done.

An interesting aspect of the model contractual terms is the inclusion of a "Trade Secrets Appendix," where data holders are required to identify and describe their trade secrets. This idea was challenged from some participants, especially in the case of mass products, as disclosing confidential information to an undetermined number of recipients might mean that the trade secret ceases to exist. It will be interesting to see how this issue is addressed in the next draft.

Data access and use between data holders and recipients

One seminar focused on data access and use between data holders and recipients. Similar to the discussion on sharing between data holders and users, this session was based on a discussion paper and draft model contractual terms presented by the Commission. Participants discussed the legal basis for sharing personal data. The legislator decided not to create a new legal basis for sharing, which is currently interpreted to mean that a data holder sharing personal data at the request of a user may not rely on the provision in Article 6(1)(c) GDPR, i.e., "for compliance with a legal obligation."

Most likely, legitimate interests will be the most appropriate basis, which causes practical problems for data holders as legitimate interest balancing tests will need to be conducted. This discussion shows that many aspects of the access and sharing rights of data users are not yet fully understood. In parallel to other access requests under the GDPR and freedom of information acts, the question remains open in the data act whether and in how far the recipient would have to explain its motivation and further use of the data.

While the draft model terms were general at this stage and mostly reiterated the law, there was one point that went beyond what the Data Act required: the model terms suggested that the data holder was obliged to support the data recipient in accessing the data. In a poll, 76% of participants thought that this obligation went too far.