This Essential Guide to the European Data Act is part of Orrick's Cybersecurity & Privacy Compass Series. The Cybersecurity & Privacy Compass is your global guide to the evolving cybersecurity and privacy regulatory landscape.
In this guide, we answer pressing questions about the European Data Act, including what the Data Act covers, who is impacted, the law's objectives, rights and obligations created by the act, legislative status and recommended next steps for companies.
- What are the objectives of the Data Act?
- Who is impacted?
- What rights and obligations are created under the Act?
- What is the legislative status?
- What are the action items?
What are the objectives of the Data Act?
The Data Act is the European Union regulation on harmonised rules on fair access to and use of data ("Data Act"). It is one of the key measures intended to make more data available to the private and public sectors. The Data Act complements the Data Governance Act adopted in 2022, which was the first deliverable under the European strategy for data.
While the Data Governance Act creates the processes and structures to facilitate sharing data, particularly in the public sector, the Data Act sets up new rules for how users of connected products and related services can use the generated data—and how and under which conditions data holders can generate economic value from such data.
The Data Act provides horizontal rules, i.e., rules across all economic sectors and situations. It aims to:
- ensure fairness in allocating value in the digital environment;
- stimulate a competitive data market;
- open opportunities for data-driven innovation; and
- make data more accessible.
It remains to be seen whether these goals can be achieved, particularly the stimulation of a competitive data market. It also remains to be seen how the economy will adopt and implement the new rules into connected devices.
The Data Act aims to make more data available and remove barriers to a functioning market for data. It should allow users of connected products to access data the devices generate while in use and to share the data with third parties providing aftermarket or other data-driven services. By regulating switching between data processing services and developing interoperability standards, the act aims to avoid vendor lock-ins.
The Data Act sets out numerous provisions that concern personal and non-personal data. Most importantly, the regulation:
- creates a data access and sharing regime for data generated by connected devices;
- stipulates contractual requirements for data sharing agreements;
- creates a regime for public entities;
- creates rights for customers and obligations for providers of data processing services (e.g., cloud service provider) regarding the ability to switch to another service provider;
- introduces safeguards against unlawful third-party access to non-personal data (e.g., by requiring the implementation of technical protective measures); and
- provides a framework to develop interoperability standards for data to be accessed.
Who is impacted?
The Data Act applies to a wide range of people and organizations, including:
- manufacturers of connected products (Internet of Things, e.g., connected cars, smart-home devices, medical devices and smart and connected consumer goods as well as industrial machinery), and providers of related services (e.g., platform services related to connected products, such as smartwatch providers), where such products and services are placed on the market in the European Union ("EU"),
- users of connected products or related services in the EU,
- data holders defined as natural or legal persons (e.g., people and companies) with the right or obligation to use and make data available,
- data recipients, defined as natural or legal persons, other than users, to whom data holders make data available for commercial purposes,
- public sector bodies of EU member states or institutions, agencies or bodies of the EU that request data holders to make data available in case of exceptional needs (e.g., public emergencies),
- providers of data processing services (in particular cloud-services such as SaaS, PaaS, IaaS as governed by the EU Cloud Strategy and edge service providers as included in the European strategy for data) providing such services to customers in the Union, and
- participants in data spaces, vendors of applications using smart contracts and persons whose trade, business or profession involves the deployment of smart contracts for others.
Because the term "user" includes natural and legal persons, the Data Act's obligations apply to business-to-consumer as well as business-to-business relationships and to public entities.
Micro-, small- and medium-sized enterprises ("MSMEs") are partially exempted from the obligations of the Data Act.
What rights and obligations are created under the Act?
The rights and obligations under the Data Act include:
Obligation to Inform, Share Data and Provide Data in Standard Formats
Where a user cannot directly access data from the connected product or related service, the Data Act requires data holders to make data accessible or have data shared upon request without undue delay, in a common and machine-readable format, free of charge and, where relevant and feasible, continuously and in real-time.
Along with this obligation, the provider of a connected product or related service must provide information so the user better understands in advance to what extent data can be provided. In specific circumstances, data recipients have a right to receive data from the data holder. Where a data holder is obliged to disclose data to a recipient, either under the terms of the Data Act or other EU or national law, the data holder must do so on terms that are fair, reasonable and non-discriminatory (FRAND). Any compensation for making data available shall also be reasonable. Where the data recipient is an MSME or non-profit research organization, under certain circumstances, compensation must not exceed the costs directly related to making the data available.
By requiring data to be provided in a comprehensive, structured, commonly used and machine-readable format, the Data Act removes barriers to using data and promotes the implementation of technical standards.
Incentives for Investing in Data
The Data Act maintains incentives for data holders to continue to invest in high-quality data generation by covering their transfer-related costs and excluding direct competitors from the ability to access and use data.
Public Sector Entities' Right to Access Data
Public sector entities have the right to request and obtain data stored by a data holder where they can demonstrate an exceptional need. A data holder receiving a request for access to data is required to make the data available at no cost and without undue delay (exceptions apply to MSMEs). Among other things, the entity must specify the data required, the duration of use and the purpose for which the data is requested.
Facilitating Data Portability
The Data Act requires providers of data processing services to enable customers to switch to another data processing service, covering an equivalent service, which is provided by a different provider of data processing services. The Data Act thus complements the right of data portability provided in Art. 20 of the General Data Protection Regulation ("GDPR"). Providers of a data processing service shall not impose and shall remove commercial, technical, contractual and organisational obstacles that inhibit customers from terminating, concluding new contractual agreements, porting the customer’s exportable data and achieving functional equivalence in the use of the new service in the IT environment of the different provider. For example, the Data Act requires covered entities to allow customers to switch data with a maximum transitional period of 30 days.
Rebalancing Rights of MSMEs
The Data Act contains measures to rebalance the negotiation powers for MSMEs in contracts concerning access to and use of data. These measures include provisions according to which contractual terms shall not be binding where access and use of data or the liability and remedies for a breach have been unilaterally imposed on another entity if these terms are deemed to be unfair. A contractual term will be deemed unfair if its use grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing. These requirements will be particularly relevant to data licensing agreements and essential to developing certain forms of AI models.
What is the legislative status?
The Data Act was enacted on 11 January 2024. While some of the rules will apply 32 or 44 months after it was enacted, most rules of the Data Act will apply 20 months from the date of its passing. This means most rules of the Data Act will start to apply in the EU on 11 September 2025.
What are the action items?
Companies should consider:
- Conducting an assessment as soon as possible regarding whether and how the Data Act rules apply to their business.
- If the Data Act applies, companies providing connected products and/or related services should assess:
  - The consequences for their businesses.
    - This is particularly true for data holders who will be obligated to develop the technical means to allow data access in a comprehensive, structured, commonly used and machine-readable format.
    - This may require updating standards for data storage and structure, and companies may also have to consider developing connected products in a way that allows users to access data directly.
    - Implementing new functions into products and converting production processes often takes time. Hence, this assessment should be a high priority.
    - Companies will need to consider the effects with the responsible product owners and product development teams.
  - The need to prepare a comprehensive data notice and consider including the requirements of the Data Act and the GDPR.
  - Whether contractual terms provide for any terms that might be deemed unfair or void according to the Data Act.
  - Whether their technical protection measures are sufficient against unauthorised use and disclosure of data.
- Companies outside the EU that provide connected products and/or related services should determine whether they are required to appoint a legal representative in the EU.
This Essential Guide was first published in June 2023. It was updated after the European Data Act was passed on 11 January 2024. If you have questions about the European Data Act, reach out to our authors (Julia Apostle, Christian Schröder, Robert Weinhold, and Yumiko Olsen) or other members of the Orrick team.