On December 22, 2023 the EU Regulation on harmonised rules on fair access to and use of data, also known as the Data Act, was published in the Official Journal of the European Union. It shall enter into force on the twentieth day following that of its publication, namely on January 11, 2024, and become applicable on September 12, 2025.
The Data Act affects manufacturers of connected products and also providers of related services, including virtual assistants, which represents a fairly broad set of stakeholders, defined as ‘data holders’. It sets out rules for the use, access, availability and sharing of data (both personal and non-personal data) generated by the use of connected products and related services. These data are usually deployed by ‘data holders’ to enhance their products and related services, and the Data Act will revolutionise the concepts of “data ownership” and “data availability” in the context of connected technologies, by impacting the competitive advantage for data holders who currently control the valuable pool of data generated by connected products.
By September 2025, potential data holders will need to carry out due diligence into the products and services concerned, and re-visit their product/service delivery framework in order to make sure they are able to comply with the new requirements, including applicable agreements with users. For the sharing of data, the Commission will provide voluntary model contractual terms to help stakeholders to conclude agreements based on fair practices, which should be issued before the Data Act becomes applicable.
Background
The Data Act is part of the European Data Strategy, which seeks to make the EU a leader in the interconnected world. It aims to maximize the economic value of datasets, boost innovation in the digital environment and stimulate a more competitive market (especially by strengthening the competitiveness of small and medium-sized enterprises), in which the rules for data access and use are clear, practical and fair and in which European standards are fully respected, especially in terms of privacy and data protection.
The Data Act aims to make data generated by connected products more widely and easily available to both business and consumer users of connected products, so that they can use the data, including by sharing them with third parties of their choice. In order to achieve that goal the data holders will be obliged to allow access under fair conditions, which are precisely regulated. Member States’ influence is very limited, as their legislative powers must not be used within the Data Act’s scope of applicability except if and to the extent expressly allowed.
As with other recent EU legislation (e.g., the draft AI Act or the Digital Services Act) the Data Act takes a holistic approach to these goals, by addressing civil law (e.g., as regards unfair contractual terms according to Art. 13 Data Act) and public law (e.g., as regards the competent authority according to Art. 37 Data Act) in a single regulation.
Scope
Broadly speaking, the Data Act obliges individuals and/or legal entities that qualify as “data holders” to share with others in the value chain the data collected through connected products (which we commonly refer to as the Internet of things or “IoT”), related services (services other than electronic communications without which the connected product could not perform its functions) and virtual assistants (software capable of processing requests, tasks and queries and, based on these, accessing other services or controlling the product’s functions). Some examples of products or services to which the Data Act will apply include smart home appliances, smart industrial machinery, smart vehicles or medical devices.
The Data Act has extraterritorial scope. It applies to manufacturers of connected products in the EU and providers of related services, irrespective of the place of establishment of those manufacturers and providers. Moreover, the Data Act applies to both personal and non-personal data collected through products or during the provision of services included in the scope. This includes, for example, raw data generated by the user interface and the device itself, but does not extend to information inferred or derived from such data.
The Data Act clearly states that it is “without prejudice” to the GDPR or other laws on the protection of personal data acts and shall “complement” them, which is further elaborated in the Data Act (especially in its recitals). In particular, the data access rights granted under the Data Act are separate from the access right that individuals are granted under the GDPR. Data holders will therefore have to distinguish whether an access request under the Data Act refers to personal or non-personal data.
Main obligations
The main features of the Data Act are as follows:
- Data access: Upon a user’s request (in both B2B and B2C relationships), data holders must provide access to certain data for in-scope products or services. However, a data holder may require that certain conditions be met before sharing data constituting trade secrets or, exceptionally, may deny or suspend user access, as well as the sharing of such data with third parties, in order to safeguard the confidentiality of trade secrets.
- Data sharing with third parties: Data holders have the obligation to make data available to third parties at the request of users on fair, reasonable and non-discriminatory terms and in a transparent manner.
- Data sharing with public sector bodies: In circumstances of public interest, such as natural disasters, private data holders are obliged, upon request, to make data available to EU public institutions. Personal data may only be requested in cases of exceptional need; for example, when it is necessary to respond to a public emergency and public sector bodies are unable to obtain such data by alternative means in a timely and effective manner under equivalent conditions.
- Service switching and interoperability: Data processing service providers are required to adopt specific measures to enable customers to effectively switch between data processing services (e.g. cloud services). Moreover, the aim is to improve interoperability for data access, transfer and use.
- List of abusive clauses: In order to prevent the abuse of imbalance in certain B2B relationships, a list of clauses that are always considered abusive and a list of clauses that are presumed to be abusive between companies in relation to access to and use of data have been included.
- Unlawful international access and transfers: To prevent international transfers and access from third countries of non-personal data retained in the EU that contravene EU or national law, data processing service providers must implement appropriate technical, organizational and legal measures, including contractual arrangements, to protect the data.
Entry into force
The Data Act will enter into force 20 days after its publication, that is January 11th, 2024.
It will become applicable 20 months after its entry into force, that is from September 12th, 2025 – with the nuance that Article 3 (1) (simplified data access requirements for new products) will apply to connected products and related services placed on the market from 32 months after the date of entry into force of the Act, i.e. in September 2026.