European Union: European Data Protection Board released statement on European Commission’s Recommendation on draft non-binding model contractual terms on data sharing under Data Act

On 8 July 2025, the European Data Protection Board (EDPB) released a statement on the European Commission’s Recommendation on draft non-binding model contractual terms on data sharing under the Data Act. The EDPB made six recommendations regarding the report. First, the EDPB stated that the model contractual terms (MCTs) seem to have primarily been written for contracting parties who are businesses rather than individuals. The EDPB noted that the Data Act covers both legal and natural persons, the latter of which may or may not be data subjects under the Data Act. Given this, the MCTs don't always clearly address protections for individuals. Additionally, the EDPB highlighted that there may be circumstances in which other natural persons' data becomes involved, which could further complicate the matter. The EDPB suggested clarifying the terms of the MCTs and possibly developing different MCTs for natural persons if the working group finds it necessary. Second, the EDPB pointed out that some but not all terms distinguished between personal and non-personal data. The EDPB suggested reviewing whether the distinction would be helpful, and notes in particular the terms on compensation in Annexes II and III, which it is concerned may be phrased too generally and may lead to scoping questions. Regarding Annexes II and III, the EDPB strongly recommended restricting compensation mechanisms to non-personal data. Third, the EDPB suggested changes to support coherence, including a list of definitions and cross-referencing to specific provisions within the Data Act. Fourth, the EDPB recommended making it more explicit that in the event of a conflict between the Data Act and Union or national law, Union law or national law will prevail. Fifth, the EDPB recommended that the report be revised to clarify that compliance with the MCTs does not necessarily constitute compliance with the GDPR. Sixth, the EDPB considered that the MCTs could better consider consumer vulnerability and power asymmetries which emerge in the digital economy. In particular, it noted that contractual penalties should be proportionate and must not infringe on the rights of data subjects.