On November 9, 2023, the European Parliament adopted the EU Data Act, a new regulation providing harmonized rules on access to data, switching cloud providers and interoperability requirements across the EU. It is widely expected that the Data Act will have a significant impact on most companies doing business in the EU.
This blog post provides an overview of the Data Act. We will soon publish additional blog posts and client alerts discussing key provisions, such as the data access rights and obligations and their limits, switching and interoperability requirements for cloud and other data processing services, and the enforcement mechanism.
The European Commission issued its proposal for a Data Act in February 2022. Subsequent negotiations with the European Parliament and the Council of the European Union eventually resulted in an agreement in June 2023. With the vote of the European Parliament on November 9, 2023, the legislative process is almost complete. The Data Act will enter into force 20 days after publication in the Official Journal, and it will apply 20 months after entry into force. The obligation to design connected products/related services in such a way that product and related service data is accessible by default will apply as of 32 months after entry into force. While these may appear to be rather generous timelines, several categories of actors may face significant redesigns of their products and services, which should be initiated as soon as possible.
The text adopted by the European Parliament is available here.
The adoption of the Data Act takes place in the context of the European Union’s ambitions to boost the EU’s data economy and to create a Digital Single Market. The intended role of the Data Act is to set requirements for the use and value creation of data by providing users of connected products or services with more rights, and increasing competition in digital markets, especially by strengthening SMEs’ competitive position.
To that end, the Data Act defines the conditions for a right of access to product and service data generated by connected products and related services. The Data Act also specifies the cases in which EU public institutions will be able to have access to such data. In this context, the Data Act provides safeguards against unlawful third-party use, the disclosure of trade secrets, and unfair contractual provisions. International and third-country governmental access to, and transfer of, nonpersonal data held in the EU are subject to restrictions. In addition, the Data Act imposes interoperability standards on providers of cloud and other data processing services to facilitate switching. Noncompliance will lead to penalties set and enforced by EU countries.
From a business perspective, most of the provisions of the Data Act will apply to data holders, i.e., typically (but not always) manufacturers of connected products and providers of related services.
Importantly, the Data Act will be relevant far beyond the EU borders. The Data Act will apply to manufacturers of connected products and providers of related services placed on the EU market (and to data holders making data available to data recipients in the EU), irrespective of their place of establishment. However, the Data Act’s provisions on data sharing only apply to users located in the EU.
Key Rights and Obligations
- Data access by design and by default. Connected products/related services must be designed and manufactured/provided in such a way that product and related service data is accessible to users by default. This includes the relevant metadata necessary to interpret and use the data (together, the “Data”).
- Data sharing with third parties. Upon request by a user, or by a party acting on behalf of a user, the data holder must make the Data available to a third party.
- Data sharing with EU or national public institutions. Private data holders that are legal persons must make the Data available to EU public institutions upon a duly justified request in cases of exceptional need.
- Transparency. Before concluding a contract for the purchase, rent or lease of a connected product or the provision of a related service, the data holder must provide specific information to the user in a clear and comprehensible format.
- Unfair contract terms. The Data Act prohibits unfair contract terms in order to prevent the abuse of contractual imbalances in B2B relationships.
- Interoperability. The Data Act imposes interoperability specifications to prevent lock-in effects in cloud services.
Relationship With the GDPR
The Data Act is without prejudice to the GDPR and the ePrivacy Directive 2002/58, including with regard to the powers of supervisory authorities and the rights of data subjects. The Data Act complements the rights of access and data portability under Articles 15 and 20 of the GDPR. In the event of a conflict between the Data Act and EU or national law on the protection of personal data or privacy, the law on the protection of personal data or privacy will prevail.
The authors would like to thank David Llorens Fernández for his assistance in preparing this alert.