Data Act
The Regulation on Harmonized Rules on Fair Access and Use of Data, i.e., the EU Data Act (“DA”), aims to regulate ‘data’.
What does this mean?
The DA creates new substantive rights and obligations with respect to sharing and access to data across sectors. The DA applies to the data generated by the use of connected products or related services. This could mean, for example, vehicles, home appliances, medical devices and similar. The DA applies to both personal and non-personal data; however, in the case of personal data, the GDPR applies and takes precedence.
By opening the data reserves of the data holders, the DA is likely to bring new operators to the data economy as well as allow for opportunities for existing operators to extend their range of services and potentially access new industry sectors.
The DA applies in B2B, B2C and B2G relations and defines who may use the privately held data and under what circumstances:
- Users of the connected products or related services shall have access to, and the right to use, the data free of charge, which must be facilitated by the data holder.
- A user may be either a natural or legal person, including a public sector body, that owns, rents or leases a product, or receives a service.
- Primarily, products and services must be designed in such a manner that the data is directly accessible to the user. Secondarily, the data holder has an obligation to provide the data at the user’s request.
- Data holders must give third parties (data recipients) access to the data (readily available data and relevant metadata) upon request of the user or if a legal obligation exists. The DA contains rules on the conditions, compensation and terms for such data access.
- In principle, data holders cannot refuse to grant access to data. However, certain safeguards as well as limitations and prohibitions for the use of data by the data recipient exist, e.g., for the purpose of protecting trade secrets.
- The data must be made available under fair, reasonable and non-discriminatory terms and conditions as well as in a transparent manner. The compensation may depend on the costs related to making the data available, investments in the collection and production of the data as well as the volume, format and nature of the data.
- Data holders need to make the data available to public sector bodies upon request when there is an exceptional need, e.g., in case of a public emergency.
- An exceptional need to use certain data is limited in time and scope. The requesting party will have to, e.g., specify the data required, demonstrate the need, explain the purpose of the request and how the data are expected to be erased.
- The user, data recipient or public sector body may not use the data for developing a competing connected product or related service or share it with other third parties for such purpose.
In addition to data sharing obligations and access rights, the DA introduces, i.a., rules for switching between providers of cloud services and other data processing services by removing pre-commercial, commercial, technical and organizational obstacles:
- These rules concern scenarios where the customer wishes to switch (i) to a data processing service, covering the same service type, provided by a different service provider; (ii) to on-premises ICT infrastructure; or (iii) to use several providers of data processing services at the same time.
- Contractual terms concerning switching must be made available to the customer on a durable medium prior to signing the contract. The contract must include a clause allowing a customer to switch to a new data processing service, an obligation to support the customer throughout the switching process and a specification of the data and digital assets which are exportable. In addition, the provider must provide information on switching charges.
Lastly, the DA provides rules on safeguards against unlawful international governmental access and transfer of non-personal data and on the development of interoperability standards for data to be accessed, transferred and used.
Who?
The actors falling within the scope of the DA cover a broad spectrum, including in particular:
- Data holders that need to make data available, typically, manufacturers of connected products or suppliers of related services
- Users which can be either individuals or legal entities (including public sector bodies) owning, renting or leasing a product or a service
- Data recipients to whom data is made available by the data holder, for example, an after-market service provider or other third party
- Providers of cloud and other data processing services and their customers
- Public sector bodies, the Commission, the European Central Bank and EU bodies requesting data holders to make data available in exceptional circumstances
- Participants in data spaces
Timeline
The Data Act was published in the Official Journal of the European Union in December 2023, and it entered into force on 11 January 2024. The Regulation applies from 12 September 2025, except for the obligation for data to be accessible by default, which will apply to connected products and the services related to them placed on the market after 12 September 2026.