DaaS Contracts: legal aspects and concerns

What is Data as a Service (DaaS)?

Data as a Service (DaaS) is a cloud-based service model where data is offered as a service over the Internet. Unlike traditional data management models, in which organizations must build and maintain their own data infrastructure, DaaS provides users with direct access to high-quality, structured data via APIs (Application Programming Interfaces) or other access mechanisms, without having to manage the underlying infrastructure themselves.

In DaaS, the service provider collects, processes, manages and distributes data from various sources, then makes that data available to customers based on subscription models or pay-per-use structures. This enables organizations to make data-driven decisions faster, without the investments required to develop proprietary data collection and processing infrastructure.

The importance of DaaS in today's economy

In our current data economy, data is increasingly recognized as a valuable business asset. The amount of data available is growing exponentially, as is the need to extract insights from this data. DaaS responds to this by:

• Provide access to large amounts of relevant data that would otherwise be inaccessible to smaller organizations
• Reduce data collection, storage and processing costs
• Accelerate time-to-market for data-driven products and services
• Provide scalability in data needs without large capital investments

Thanks to these advantages, the DaaS market is growing rapidly, leading to an increasing need for sound legal support in drafting and evaluating DaaS contracts.

European data legislation: Data Act and Data Governance Act

The European Union has launched an ambitious data strategy to create a true single market for data. Central to this strategy are two key regulations: the Data Governance Act (DGA). and the Data Act (DA). Together, these form the new legal framework for the data economy.

The Data Governance Act (DGA).

The Data Governance Act has been in effect since Sept. 24, 2023. The DGA provides a framework to build trust in voluntary data sharing for the benefit of businesses and citizens. This regulation focuses on:

1. Reuse of government information - The DGA facilitates the reuse of protected data held by government agencies.
2. Data intermediaries - The regulation introduces a new regulatory regime for data intermediaries, which act as neutral intermediaries in data sharing.
3. Data altruism - The DGA encourages voluntary sharing of data for the public good by providing a legal framework for "recognized data altruism organizations."
4. International data management - The regulation contains safeguards for the transfer of non-personal data to countries outside the EU.

The Data Act

The Data Act becomes applicable as of Sept. 12, 2025. Where the DGA focuses on facilitating voluntary data sharing, the Data Act goes further and:

1. Creates new data usage rights - The Data Act imposes obligations on manufacturers of connected products and service providers to give users access to generated data.
2. Regulates conditions - It stipulates the conditions under which data must be shared and prohibits unfair contractual practices.
3. Simplifies cloud migration - The Data Act contains specific provisions to facilitate switching between cloud providers and counter vendor lock-in.
4. Standardizes data sharing - It commits to interoperability and standardization for efficient data sharing.

Complementarity of DGA and Data Act.

These regulations complement each other within European data policy:

• The DGA creates processes and structures to facilitate voluntary data sharing
• The Data Act defines who can create value from data and under what conditions
• Together, they are promoting the creation of "European data spaces" in various sectors
• Both regulations apply in addition to the GDPR, which has priority in personal data

For DaaS providers and users, this means a new legal landscape in which data sharing is encouraged, but under stricter conditions.

Impact of European data legislation on DaaS contracts

European data legislation, particularly the Data Governance Act and the Data Act, has far-reaching implications for DaaS contracts. These contracts must be modified in various ways to be compliant with the new rules:

1. New roles and parties

The legislation introduces new concepts and roles that must be addressed in DaaS contracts:

• Data intermediaries (under the DGA) - Organizations acting as neutral intermediaries in data sharing
• Data holders (under the Data Act) - Parties that have technical control over data
• Data receivers - Third parties accessing data at the request of users
• Recognized organizations for data altruism - Organizations collecting data for public interest purposes

DaaS contracts should clearly define these roles and establish the rights and obligations of each party.

2. New contractual provisions

To comply with both regulations, DaaS contracts must include new provisions on:

• Voluntary data sharing (DGA) - Conditions for public interest data sharing.
• Mandatory data sharing (Data Act) - Provisions for sharing data at the request of users
• Reuse of government information (DGA) - Rules for use of protected government information.
• User access rights (Data Act) - Mechanisms by which users can access their data
• Interoperability requirements (both) - Technical and contractual conditions for interoperable data sharing.

3. Data portability and switching

The Data Act includes specific provisions on data portability and switching between service providers that directly impact DaaS contracts:

• Migration Rights - Users have the right to take their data with them to other providers
• Prohibition of technical barriers - Contracts should not contain provisions that technically impede switching
• Prohibition of commercial barriers - Contracts may not charge disproportionate fees for switching
• Transition Support - Provider obligations to facilitate switching

4. Protection against unfair terms

The Data Act contains lists of prohibited and suspect contractual provisions that may no longer be included in DaaS contracts:

• Prohibited provisions ("blacklist") - Clauses that are unlawful in all cases
• Suspicious provisions ("gray list") - Clauses presumed to be unlawful unless justification exists
• Balanced conditions - Commitment to "fair, reasonable and non-discriminatory" terms and conditions
• Transparency requirements - Obligation to provide clear and understandable information about data use

5. International data transfer

Both regulations contain provisions on international data transfers that must be addressed in DaaS contracts:

• Transfer to third countries - Conditions under which data may be transferred to non-EU countries
• Access by foreign authorities - Safeguards against unauthorized access by foreign governments
• Adequacy Decisions - References to EU decisions on adequate data protection in third countries
• Model contract provisions - Use of contract provisions approved by the European Commission

DaaS providers operating in the European market must integrate all these elements into their contractual documentation to be compliant with this groundbreaking legislation.

The EU data environment and DaaS in practice: core components for DaaS contracts

With the enactment of the Data Governance Act (DGA) and the upcoming implementation of the Data Act (DA), DaaS contracts must be reviewed. Following are the key areas of focus for each core component of DaaS contracts in light of the new legislation:

1. Data specification and service description.

The basis of a DaaS contract is a clear description of the data being made available. This should now be expanded to include:

• Clear categorization of whether it is "protected data" within the meaning of the DGA
• Specification of whether the data is from "connected products" under the Data Act
• Distinction between "raw data" and "enriched data" according to the definitions in the Data Act
• Information on origin of data and legal basis for collection
• Transparent description of how the DaaS service provider acts as a "data intermediary"

2. Data quality and service levels.

Service level agreements (SLAs) for DaaS services should be updated:

• Inclusion of objective quality criteria in accordance with "fair, reasonable and non-discriminatory conditions"
• Specification of response times for making data available to users and authorized third parties
• Data portability guarantees and supported data transfer formats
• Availability guarantees that take into account user rights under the Data Act
• Reporting on compliance under the DGA and Data Act

3. Data security, privacy and AVG/GDPR compliance.

In terms of security and privacy, DaaS contracts must provide:

• Explicit reference to the relationship between the DGA/DA and the AVG/GDPR
• Description of technical and organizational measures to protect data
• Clarity of roles (controller/processor) in personal data
• Procedures for data breaches and other security incidents
• Safeguards against unauthorized access by authorities outside the EU

4. User rights and third party use

The new legislation significantly strengthens the position of users, which should be reflected in DaaS contracts:

• Explicit recognition of users' right to access their data
• Procedures for requesting data access or data transfer
• Terms under which the DaaS provider makes data available to third parties
• Restrictions on use of data for competing products
• Provisions on "data altruism" and voluntary data sharing for the public interest

5. Liability and risk allocation.

Liability provisions should be revised in light of the new obligations:

• Clear division of responsibility between data holder, user and third parties
• Balanced liability limitations that take into account the "prohibited list" of the Data Act
• Indemnification provisions for third-party claims
• Specific liability for incorrect or incomplete data provision
• Insurance requirements covering new risks under EU data legislation

6. Exit strategy and data portability

The exit provisions should be aligned with the strong emphasis on portability in the legislation:

• Clear procedures for data migration upon termination of service
• Formats and mechanisms for data portability.
• Free access to data after termination
• Transition period and migration support
• Disposal procedures for data after termination

7. Contract terms and prohibited practices

Finally, the entire contract should be checked for prohibited or suspicious clauses:

• Removal of Data Act "blacklisted" provisions
• Review and justification of "gray list" provisions
• Avoidance of exclusivity provisions that are not justified
• Fair and transparent pricing
• Clear dispute resolution mechanisms

4. Intellectual property and rights of use under the Data Act.

The legal nature of data and the associated intellectual property rights are complex and require careful contractual provisions, especially in light of the EU Data Act:

• Property rights to the raw data and how they relate to user rights under the Data Act
• License structure for use of the data, taking into account mandatory access rights
• Rights to derivative works and analyses, with the Data Act distinguishing between "raw data" and "enriched data"
• Rights to combinations with proprietary data
• Database Rights (sui generis rights) and their limitation under the Data Act
• Protection of trade secrets, where the Data Act does allow exceptions for trade secrets
• Non-compete agreements and exclusivity provisions, taking into account the "gray list" and "prohibited list" of the Data Act
• Liability for third-party IP infringements.

Note that in many jurisdictions data by itself does not software is protected by copyright is, but its selection, structuring and presentation is. The Data Act brings an important nuance to this by explicitly granting certain rights to users, regardless of the intellectual property rights vested in the data.

5. Compliance and regulation

DaaS services must comply with various laws and regulations, depending on the nature of the data and the industry in which it is used:

• Sector-specific regulations (financial services, health care)
• Privacy laws (AVG/GDPR, e-Privacy, national legislation)
• Export restrictions on certain data types
• National security considerations
• Compliance reporting and certifications
• Audit and inspection rights
• Changes in legislation during the contract period

The contract should clearly define which party is responsible for which compliance aspects, including support for audits by regulators.

6. Liability and risk allocation.

Liability issues with DaaS are particularly complex, given the potential damages that can arise from inaccurate or incomplete data:

• Liability limits and exclusions.
• Indirect and consequential damages
• Specific damages from inaccurate data or analysis
• Indemnities for third-party claims
• Proportionality between contract value and risk
• Insurance requirements
• Force majeure provisions for data loss

Standard liability limitations in cloud contracts are often inadequate for the specific risks of DaaS services and require customization.

7. Exit strategy and data portability under the Data Act

A robust exit strategy is crucial in DaaS contracts to avoid vendor lock-in, and the EU Data Act contains specific provisions aimed at this:

• Notice periods and terms, with the Data Act introducing certain maximum time limits
• Data retention after termination
• Export of data in usable and interoperable formats, which is an explicit obligation under the Data Act
• Support for migration to other providers, including mandatory transition periods under the Data Act
• Removal of data after termination, subject to audit and compliance retention periods
• Transition support and the prohibition of technical, commercial or contractual barriers that impede switching
• Continuity guarantees for critical processes.

The Data Act contains specific provisions to strengthen data portability and reduce or prohibit barriers to switching between service providers. These include prohibiting charging for switching and mandating functional equivalence during switching. The exit strategy should therefore explicitly take into account these new obligations.

Specific challenges with DaaS contracts under the Data Act

Data quality and liability

A fundamental challenge in DaaS contracts is establishing liability for data quality. Unlike software, where bugs and defects can be relatively clearly defined, with data, "quality" is a multidimensional concept that includes accuracy, completeness, timeliness, relevance and usability.

The contract must therefore:

• Defining objective quality criteria
• Establish test methods and acceptance procedures
• Specifying remedies for quality problems
• Set limits on liability commensurate with risk, taking into account the Data Act's requirements for "fair, reasonable and non-discriminatory terms"

Property rights and user rights under the Data Act

The question of ownership of data is legally complex and further complicated by the Data Act, which grants explicit rights to users (regardless of ownership). While factual information is not copyrighted, collections of data may be subject to database rights. DaaS contracts should clarify:

• The legal basis for offering the data
• Users' new rights under the Data Act
• Rights to enrich and transform the data, distinguishing between "raw data" and "enriched data" as defined in the Data Act
• Territorial restrictions and jurisdictional provisions
• Property rights to metadata and usage data
• Conditions and restrictions for sharing data with third parties, taking into account the new rules of the Data Act

Privacy challenges with anonymized datasets

Many DaaS providers offer anonymized or aggregated datasets to circumvent privacy laws. However, recent studies show that re-identification is possible in many cases by combining datasets. The contract should therefore:

• Contain safeguards about the quality of anonymization
• Specify the allowed combinations with other datasets
• Contain prohibition on re-identification attempts
• Record measures in case of unintentional re-identification
• Settle liability for privacy violations
• Clarifying the relationship between the Data Act and the AVG/GDPR, with the AVG/GDPR taking precedence over personal data

Multi-jurisdictional compliance and the Data Act

DaaS services often operate globally, which means that multiple jurisdictions and legal systems may apply. The Data Act adds to this by introducing specific rules for data transfers outside the EU. The contract must:

• Clearly define applicable law and choice of forum
• Specify compliance requirements by jurisdiction
• Include mechanisms for dealing with conflicting legislation
• Provide adaptability in the face of changing regulations
• Comply with Data Act provisions that protect against unauthorized access by non-EU governments

Fair terms and prohibited practices

The Data Act introduces new standards for fair contractual terms and includes lists of prohibited practices. DaaS contracts must therefore:

• Not using conditions that are on the "prohibited list"
• Carefully evaluate and justify conditions that are on the "gray list"
• Provide transparent and balanced terms, especially for smaller buyers
• Contain explicit justification for exclusivity or non-compete agreements
• Include clear mechanisms for dispute resolution

Our approach to DaaS contracts.

As a specialized law firm, we offer comprehensive support in all aspects of DaaS contracts:

Due diligence and preliminary investigation

Before entering into a DaaS contract, we conduct a thorough preliminary investigation of:

• The legal status and origin of the datasets offered
• Data quality and reliability
• Potential privacy and compliance risks.
• The reputation and financial stability of the provider
• Comparison with market standards and best practices

Contract review and negotiation

Our specialists analyze, review and negotiate DaaS contracts with an eye for:

• Complete and clear specification of services
• Balanced liability arrangements
• Adequate security and privacy measures.
• Market-based pricing structures and SLAs
• Flexibility for future needs

Compliance and risk management

We guide the implementation of DaaS services with advice on:

• Compliance with relevant laws and regulations
• Privacy impact analyses (DPIAs) for DaaS implementations
• Embedding in existing governance structures
• Employee training and awareness
• Ongoing monitoring of compliance risks

Dispute resolution and escalation management

When problems arise, we offer strategic advice and support on:

• Interpretation of contractual provisions
• Damage control for data quality problems
• Negotiation of remedial measures
• Formal dispute resolution
• Exit process support

Conclusion: DaaS contracts in the era of European data legislation

European data legislation, consisting of the Data Governance Act and the Data Act, marks a new era for data contracts in general and DaaS contracts in particular. This legislation brings fundamental changes to how data is shared, used and managed within the EU.

For DaaS providers, this means revising their services and contractual models to comply with:

1. New commitments - Including transparency, data portability and fair terms and conditions
2. New user rights - Such as the right to access data and share with third parties
3. New roles and responsibilities - Including specific rules for data intermediaries
4. New restrictions - Such as prohibited contractual practices and barriers to data portability

For DaaS users, the new legislation offers opportunities and protections:

1. Stronger negotiating position - Thanks to legal protection against unfair terms
2. Better control over data - Through the new access and portability rights
3. More transparency - On data use, origin and quality
4. Better protection - Against lock-in and disproportionate dependence on providers

Successfully navigating this new legal landscape requires a thorough understanding of both the technical and legal aspects of DaaS. By seeking legal advice early, both providers and users can take full advantage of DaaS opportunities while mitigating risks and remaining compliant with the law.

Our law firm combines in-depth knowledge of European data law with practical experience in data-focused contracts. We assist both DaaS providers and users in reviewing existing contracts and drafting new agreements that fully comply with the DGA and the Data Act.

Please contact us for a free consultation in which we can discuss the specific challenges and opportunities for your organization in light of the new legislation.