On November 27, 2023, the Council of the European Union adopted the EU Data Act, a new regulation providing harmonized rules on access to data, switching cloud providers, and interoperability requirements across the EU. The Data Act aims to lay the foundations of a data economy by changing the legal status of data generated or collected by connected devices and related services. This will require far-reaching modifications of existing business models.
The Data Act is intended to complement the rights of access and data portability under the GDPR by providing more specific rules. Thus, the Data Act is without prejudice to the GDPR and the ePrivacy Directive 2002/58, including regarding the powers of supervisory authorities and the rights of data subjects.
The Data Act will enter into application in the second half of 2025 and will be relevant far beyond the EU’s borders. The Data Act will apply to manufacturers of connected products and providers of related services placed on the EU market irrespective of their place of establishment. However, the Data Act’s provisions on data sharing only apply to users located in the EU. For providers of data processing services, the Data Act will apply, irrespective of their place of establishment, if they provide such services to customers in the EU.
In previous blog posts, we provided an overview of the Data Act. We then focused on data rights and obligations before digging into switching and interoperability requirements and restrictions for international transfers of non-personal data.
In this final issue of our series of blog posts on the Data Act, we discuss the enforcement system of the Data Act.
Competent Authorities
- EU Countries. It is up to each EU member state to designate the competent authorities responsible for the enforcement of the Data Act. EU countries may create one or several authorities or entrust these tasks to an existing authority. Countries that designate several competent authorities need to designate a data coordinator to facilitate cooperation between them.
- Data Protection. National data protection authorities will remain responsible for monitoring and enforcing the Data Act insofar as the protection of personal data is concerned.
- EU Institutions. The European Data Protection Supervisor (EDPS) will be responsible for monitoring the Data Act insofar as it concerns the European Commission, the European Central Bank, and Union bodies.
- European Data Innovation Board. The Data Act creates a new expert group called the European Data Innovation Board (EDIB), consisting of representatives of the competent authorities of all EU countries, the European Data Protection Board (EDPB) (which gathers data protection authorities from EU member states and the EDPS), the EDPS, ENISA (the EU agency for cybersecurity), the European Commission, the EU body for the implementation of the EU SME strategy (EU SME Envoy), and other representatives of bodies in specific sectors and with specific expertise.
- Cooperation. The EDIB will facilitate cooperation between competent authorities through capacity building and the exchange of information. It does not have powers comparable to the powers of the EDPB. The EDIB is also intended to help ensure the consistent and effective application of the Data Act. On paper, this approach may be understandable. However, experience shows that the EDPB’s work to ensure the consistency of the GDPR is giving rise to many questions and controversies. One may therefore expect the EDIB’s work to be very complex. This work will be even more delicate since it will involve reconciling various EU bodies attached to the rules for which they are responsible and that are unlikely to give up their own reading grid.
- Advice. The EDIB will advise and assist the Commission regarding the drafting of essential requirements regarding interoperability of data spaces, implementing and delegated acts, and guidelines laying down interoperability specifications.
Judicial Remedies
If natural or legal persons consider that their rights under the Data Act have been violated, they can lodge a complaint individually or collectively with the competent authority in the EU country where they usually live or work (for natural persons) or where they are established (for legal persons).
Natural and legal persons also have a right to an effective judicial remedy against competent authorities’ binding decisions. They have such remedy where competent authorities fail to act on a complaint. Alternatively, in such a case, natural and legal persons can request a review by an impartial body with the appropriate expertise.
Sanctions
Sanctions under the Data Act must be effective, proportionate, and dissuasive. This wording is very much inspired by the GDPR.
The Data Act also states that certain criteria for the imposition of fines must be taken into account, namely:
- the nature, gravity, scale, and duration of the infringement;
- any action taken to mitigate or remedy the damage caused by the infringement;
- any previous infringements by the infringing party;
- the financial benefits gained or losses avoided by the infringing party due to the infringement, insofar as such benefits or losses can be established;
- any other aggravating or mitigating factors; and
- the infringer’s annual turnover of the preceding financial year in the EU.
It is up to EU countries to lay down national rules on penalties implementing these requirements and to take all measures necessary to ensure that they are implemented. Penalties will therefore likely vary from country to country.
EU countries must consider the recommendations of the EDIB. The EDIB’s recommendations are not binding, but the Data Act provides that Member States “shall take [them] into account.”
If a violation of the Data Act also concerns personal data, national data protection authorities may, in addition to the fines under the Data Act, impose fines up to EUR 20 million or 4% of a company’s annual turnover of the preceding year, whichever is higher, for violations of data access and sharing rules with users under the Data Act.
The authors would like to thank Antonio Marzano for his assistance in preparing this blog post.