EU flag

Insights | January 2, 2024

The new EU Data Act enters into force in January 2024

The EU regulation on harmonized rules on fair access to and use of data, i.e., the Data Act was published in the EU's official journal on 22 December 2023, and will enter into force on 11 January 2024. The regulation will become applicable from 12 September 2025.

As promised in our article on the European Union’s Digital Decade Strategy (available here), we will provide a series of Roschier Insights Articles on the coming avalanche of EU legislation regulating digitalization and data. In this article, we provide a brief overview of the final version of the Data Act. For more details on the background of the Data Act, please see Roschier insights article on the new rules on data.

The main objectives and scope of the Data Act

The Data Act regulates who can access and use data generated in the European Union and it aims to ease the switching between data processing service providers. The regulation applies to both personal and non-personal data, but in case of the latter, the General Data Protection Regulation (GDPR) applies and takes precedence. In addition, the Data Act provides rules on safeguards against unlawful international governmental access and transfer of non-personal data on the development of interoperability standards for data to be accessed, transferred and used.

The regulation focuses, in particular, on the functionalities of the data collected by connected products and distinguishes product data and related service data from which readily available data can be shared.

Obligations

The Data Act obliges manufacturers and service providers to allow their users to access, reuse and share the data collected through their products and related services. Such access and right to use must be free of charge.

Primarily, the products and related services must be designed in such a manner that the user can access the data without obstacles. Secondarily, the data holder must provide the data to the user at the user’s request.

In addition, data holders must give access to the data for third parties upon request of the user or if a legal obligation exists. This data includes readily available data and relevant metadata. Except for certain safeguards, limitations and prohibitions for the use of data by the data recipients (such as for the purpose of protecting trade secrets), data holders may not refuse to grant access to data.

The data must be made available to third parties under fair, reasonable and non-discriminatory terms and conditions, and in a transparent manner. The regulation provides guidance on reasonable compensation of businesses for making the data available. The compensation may depend on the costs related to making the data available, investments in the collection and production of the data as well as the volume, format and nature of the data.

As mentioned, the Data Act also introduces rules for switching between providers of cloud services and other data processing services by removing pre-commercial, commercial, technical and organizational obstacles. For example, the customer must be provided with contractual terms of such switching prior to signing of the contract, and the terms must include a clause allowing the customer to switch services. Moreover, the customer should be provided with information on switching charges. Said charges must be abolished by 2027. These rules aim to improve customers’ possibilities to move easily between cloud service providers.

Timeline

After its publication on December 2023, the regulation enters into force on 11 January 2024, and it is applied from 12 September 2025. However, the obligation for data to be accessible by default (article 3(1)) will apply to connected products and the services related to them placed on the market after 12 September 2026.