International governmental access to data

Chapter VII of the Data Act establishes rules to protect data held in the European Union from unlawful access by third-country governmental bodies. The rules do not cover data not held in the European Union. Customer are still free to choose a data processing service provider and decide where their data should be held.

Providers of data processing services can be requested by administrative authorities and courts or tribunals in third countries to transfer or give access to non-personal data held in the European Union to a third-country governmental body. These requests can be made in decisions from authorities or decisions or judgments from courts or tribunals. The Data Act does not prohibit the cross-border transfer of non-personal data held in the European Union as such. Legitimate international cooperation in relation to law enforcement should not be hindered. However, access to non-personal data held in the European Union must not be given if it would conflict with European law or could impinge on fundamental rights of individuals, national security or defence interests of the Union or its Member States.

Providers of data processing services must therefore check before giving access to data held in the European Union whether access to data by third-country administrative authorities, courts or tribunals or the transfer of data to a third country is legitimate. The conditions to be met are laid down in Article 32 of the Data Act.

The Bundesnetzagentur will act as the single point of act for all matters relating to the Digital Act, subject to a relevant decision by the legislature. Providers of data processing services will then also be able to contact the Bundesnetzagentur in the event that they receive data access requests from a third-country authority. The Bundesnetzagentur will support providers of data processing services in obtaining any necessary opinions from the relevant national governmental bodies with respect to the conditions laid down in the first subparagraph of Article 32(3) of the Data Act.

Which data are covered?

The Data Act establishes rules on access to data from data processing services held in the European Union. The rules only cover access to non-personal data. Access to personal data is covered by the rules in the General Data Protection Regulation (GDPR).

Do the rules affect data access by and data transfer to private individuals or enterprises?

No. The rules in the Data Act on unlawful third-country access to data from data processing services held in the European Union do not restrict the exchange of data between enterprises. The rules only cover access to data by third-country governmental bodies on the basis of, for example, decisions from administrative authorities or decisions or judgments from courts or tribunals.

When can third countries be given access to data held in the European Union?

Access to non-personal data held in the European Union by providers of data processing services is always legitimate if there is a relevant mutual legal assistance treaty with the third country that allows data access.

If there is no such agreement with the third country, providers of data processing services can only share non-personal data with a third-country governmental body if it would not conflict with Union law or with the national law of the relevant Member State and if the third country’s legal system has certain standards safeguarding the rights of the data processing services and the customers. Sharing data might conflict with the protection of intellectual property rights or trade and business secrets or with data protection regulations, if re-identification of personal data is possible.

When does a customer of a data processing service have to be informed about a request for data from a third-country authority, court or tribunal?

Providers of data processing services must generally inform their customers about a data access request from a third-country authority with sufficient notice before they make the data available. The only exception is if the data are requested for law enforcement purposes and law enforcement activities would otherwise be jeopardised.

Contact

E-Mail: DataAct@BNetzA.de

Service

Data Act Glossary