While the EU Directive on Unfair Terms in Consumer Contracts prohibits certain clauses in standard (i.e., unilaterally imposed) contracts between businesses and consumers, some recently enacted EU laws restrict the use of certain clauses in standard contracts between businesses (“B2B”).  The Data Act is the latest example of such a law, as it prohibits certain “unfair contractual terms” (“Unfair Clauses”) in standard contracts between businesses relating to the access and use of data.  As such, it has a potentially very wide scope.  Businesses entering into such a contract should therefore ensure that they do not include any clause that could be considered “unfair” because such a clause would not be binding on the other party to the contract. This blog post focuses specifically on the Data Act’s provision on Unfair Clauses.  For more information on the Data Act, see our previous blog post.

Unfair Contractual Clauses in B2B Contracts

The recently adopted Data Act provides that where one of the parties unilaterally imposes on the other a contract relating to the access and use of covered data (e.g., data sharing), then such a contract may not include Unfair Clauses.  These are clauses that “grossly deviate[] from good commercial practice in data access and use, contrary to good faith and fair dealing.”  Such Unfair Clauses are void and not binding on the other party.

The purpose of these provisions in the Data Act is to prevent a party with a stronger bargaining position from taking advantage of that bargaining position to the detriment of the other party when negotiating access to data, thereby making access to data less commercially viable and potentially economically prohibitive.  These provisions apply to all contracts for access to and use of data.  “Data” is defined broadly as “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording.”

The Data Act establishes (i) a list of clauses that are always considered unfair and (ii) a list of clauses that are presumed to be unfair.  An example of a clause that is always unfair is one that excludes or limits liability for intentional acts or gross negligence of the party that imposes the clause.  A clause is presumed to be unfair where it inadequately limits the party upon whom the term has been unilaterally imposed from using the data provided or generated by that party during the period of the contract.

However, the list of Unfair Clauses in the Data Act is not exhaustive.  As mentioned above, a court or regulator could decide that another term (not listed in the Data Act) is unfair because, for example, it is contrary to “good faith and fair dealing”.  Courts and regulators have discretion to assess the (un)fairness of a term, which is similar to, but less than, the discretion they have to assess the fairness of contracts between businesses and consumers under the Directive on Unfair Terms in Consumer Contracts.  These rules on Unfair Clauses do not apply to terms defining the main subject matter of the contract or the adequacy of the price for the data.

The European Commission will publish non-binding model clauses for B2B data sharing contracts.  These may also be helpful to commercial parties when negotiating contracts, as they may give a good indication of what types of clauses would be considered “fair”.

Other EU Laws Restricting Freedom of Contract in B2B Contracts

Another piece of EU legislation that regulates B2B contracts is the Platform-to-Business (“P2B”) Regulation, which has been in force since July 12, 2020.  The P2B Regulation is directly applicable in all EU Member States and specifically regulates B2B contractual arrangements between platform providers (such as online marketplaces, app stores, etc.) and traders (or business users) who use them to market their products and services to consumers.  It provides general rules to ensure that contractual relationships between these parties are based on “good faith and fair dealing”.  For example, providers of online intermediation services must ensure that their terms and conditions include: (i) information on the conditions under which business users can terminate the contractual relationship with the provider in a clear and intelligible manner; and (ii) a description of the technical and contractual means by which a business user can access data (including personal and non-personal data) provided by business users (or consumers) or generated in connection with the provision of online intermediation services.

Member State Laws Restricting Freedom of Contract in B2B Contracts

Some EU Member States have implemented laws that provide for the invalidity of Unfair Clauses in unilaterally imposed B2B contracts.  This is the case, for example, in Belgium, Estonia, Germany, and Portugal, where courts or regulators have the discretionary power to determine whether a clause is unfair or not.  These restrictions apply to contracts more generally and not only to contracts relating to the sharing of product data.  Similarly, in the UK, the Unfair Contract Terms Act 1977 restricts the imposition of “unfair terms” in standard B2B contracts.

*                      *                      *

The Covington team regularly advises on structuring commercial contracts (including standard terms and conditions for online and digital services) in compliance with EU and UK rules, such as the Data Act and consumer law.  This is an ever-evolving area, and we will continue to monitor developments in this area (such as the UK’s proposed Digital Markets, Competition and Consumer Act which would introduce new rules prohibiting unfair commercial practices with substantial penalties for non-compliance).  We are happy to answer any questions you may have on this topic.

(This blog post was prepared with the written contributions of Diane Valat.)

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Joshua Gray

Joshua Gray is a commercial, privacy and technology lawyer focusing on digital health, technology and data-driven transactions and regulation.

Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.