In Data Privacy

Getting ready for the EU Data Act

January 8, 2024 by Michaela Nebel, Magalie Dansac Le Clerc, Florian Tannen, Elisabeth Dehareng, Prof. Dr. Michael Schmidl, Dr Lukas Feiler, Vinod Bange, Jose María Méndez, Pablo Uslé, Patricia Pérez, David Molina, Francesca Gaudino and Kathy Harford 6 Mins Read

On December 22, 2023 the EU Regulation on harmonised rules on fair access to and use of data, also known as the Data Act, was published in the Official Journal of the European Union. It shall enter into force on the twentieth day following that of its publication, namely on January 11, 2024, and become applicable on September 12, 2025.

The Data Act affects manufacturers of connected products and also providers of related services, including virtual assistants, which represents a fairly broad set of stakeholders, defined as ‘data holders’. It sets out rules for the use, access, availability and sharing of data (both personal and non-personal data) generated by the use of connected products and related services. These data are usually deployed by ‘data holders’ to enhance their products and related services, and the Data Act will revolutionise the concepts of “data ownership” and “data availability” in the context of connected technologies, by impacting the competitive advantage for data holders who currently control the valuable pool of data generated by connected products.

By September 2025, potential data holders will need to carry out due diligence into the products and services concerned, and re-visit their product/service delivery framework in order to make sure they are able to comply with the new requirements, including applicable agreements with users. For the sharing of data, the Commission will provide voluntary model contractual terms to help stakeholders to conclude agreements based on fair practices, which should be issued before the Data Act becomes applicable.

Background

The Data Act is part of the European Data Strategy, which seeks to make the EU a leader in the interconnected world. It aims to maximize the economic value of datasets, boost innovation in the digital environment and stimulate a more competitive market (especially by strengthening the competitiveness of small and medium-sized enterprises), in which the rules for data access and use are clear, practical and fair and in which European standards are fully respected, especially in terms of privacy and data protection.

The Data Act aims to make data generated by connected products more widely and easily available to both business and consumer users of connected products, so that they can use the data, including by sharing them with third parties of their choice. In order to achieve that goal the data holders will be obliged to allow access under fair conditions, which are precisely regulated. Member States’ influence is very limited, as their legislative powers must not be used within the Data Act’s scope of applicability except if and to the extent expressly allowed.

As with other recent EU legislation (e.g., the draft AI Act or the Digital Services Act) the Data Act takes a holistic approach to these goals, by addressing civil law (e.g., as regards unfair contractual terms according to Art. 13 Data Act) and public law (e.g., as regards the competent authority according to Art. 37 Data Act) in a single regulation.

Scope

Broadly speaking, the Data Act obliges individuals and/or legal entities that qualify as “data holders” to share with others in the value chain the data collected through connected products (which we commonly refer to as the Internet of things or “IoT”), related services (services other than electronic communications without which the connected product could not perform its functions) and virtual assistants (software capable of processing requests, tasks and queries and, based on these, accessing other services or controlling the product’s functions). Some examples of products or services to which the Data Act will apply include smart home appliances, smart industrial machinery, smart vehicles or medical devices.

The Data Act has extraterritorial scope. It applies to manufacturers of connected products in the EU and providers of related services, irrespective of the place of establishment of those manufacturers and providers. Moreover, the Data Act applies to both personal and non-personal data collected through products or during the provision of services included in the scope. This includes, for example, raw data generated by the user interface and the device itself, but does not extend to information inferred or derived from such data.

The Data Act clearly states that it is “without prejudice” to the GDPR or other laws on the protection of personal data acts and shall “complement” them, which is further elaborated in the Data Act (especially in its recitals). In particular, the data access rights granted under the Data Act are separate from the access right that individuals are granted under the GDPR. Data holders will therefore have to distinguish whether an access request under the Data Act refers to personal or non-personal data.

Main obligations

The main features of the Data Act are as follows:

Data access: Upon a user’s request (in both B2B and B2C relationships), data holders must provide access to certain data for in-scope products or services. However, a data holder may require that certain conditions be met before sharing data constituting trade secrets or, exceptionally, may deny or suspend user access, as well as the sharing of such data with third parties, in order to safeguard the confidentiality of trade secrets.
Data sharing with third parties: Data holders have the obligation to make data available to third parties at the request of users on fair, reasonable and non-discriminatory terms and in a transparent manner.
Data sharing with public sector bodies: In circumstances of public interest, such as natural disasters, private data holders are obliged, upon request, to make data available to EU public institutions. Personal data may only be requested in cases of exceptional need; for example, when it is necessary to respond to a public emergency and public sector bodies are unable to obtain such data by alternative means in a timely and effective manner under equivalent conditions.
Service switching and interoperability: Data processing service providers are required to adopt specific measures to enable customers to effectively switch between data processing services (e.g. cloud services). Moreover, the aim is to improve interoperability for data access, transfer and use.
List of abusive clauses: In order to prevent the abuse of imbalance in certain B2B relationships, a list of clauses that are always considered abusive and a list of clauses that are presumed to be abusive between companies in relation to access to and use of data have been included.
Unlawful international access and transfers: To prevent international transfers and access from third countries of non-personal data retained in the EU that contravene EU or national law, data processing service providers must implement appropriate technical, organizational and legal measures, including contractual arrangements, to protect the data.

Entry into force

The Data Act will enter into force 20 days after its publication, that is January 11th, 2024.

It will become applicable 20 months after its entry into force, that is from September 12th, 2025 – with the nuance that Article 3 (1) (simplified data access requirements for new products) will apply to connected products and related services placed on the market from 32 months after the date of entry into force of the Act, i.e. in September 2026.

Author Michaela Nebel

Dr. Michaela Nebel is a partner in the Frankfurt office of Baker McKenzie. Michaela advises German and international companies on all aspects of information technology law, data protection law, IT contract law as well as on e-commerce, IT / data litigation related matters. Her practice covers in particular advice of companies on issues concerning domestic and cross-border data privacy law.

Author Magalie Dansac Le Clerc

Magalie Dansac Le Clerc is a partner in Baker McKenzie's Paris office. A member of the Firm's Information Technology and Communications Practice Group, she is a Certified Information Privacy Professional (CIPP).

Author Florian Tannen

Florian Tannen is a partner in the Munich office of Baker McKenzie. He advises on all areas of contentious and non-contentious information technology law, including internet, computer/software and data privacy law.

Author Elisabeth Dehareng

Elisabeth is a partner in Baker McKenzie's Brussels office. She advises clients in all fields of IT, IP and new technology law, with a special focus on data protection and privacy aspects. She regularly works with companies in the healthcare, finance and transport and logistics sectors.

Author Prof. Dr. Michael Schmidl

Prof. Dr. Michael Schmidl is co-head of the German Information Technology Group and is based in Baker McKenzie's Munich office. He is an honorary professor at the University of Augsburg and specialist lawyer for information technology law (Fachanwalt für IT-Recht). He advises in all areas of contentious and non-contentious information technology law, including internet, computer/software, data privacy and media law. Michael also has a general commercial law background and has profound experience in the drafting and negotiation of outsourcing contracts and in carrying out compliance projects.

Author Dr Lukas Feiler

Dr. Lukas Feiler, SSCP, CIPP/E, has more than eight years of experience in IP/IT and is a partner and head of the IP and IT team at Baker McKenzie • Diwok Hermann Petsche Rechtsanwälte LLP & Co KG in Vienna. He is a lecturer for data protection law at the University of Vienna Law School and for IT compliance at the University of Applied Science Wiener Neustadt.

Author Vinod Bange

Vin leads our London Data Privacy practice and is also a member of our Global Privacy & Security Leadership team bringing his vast experience in this specialist area for over 22 years, advising clients from various data-rich sectors including retail, financial services/fin-tech, life sciences, healthcare, proptech and technology platforms.

Author Jose María Méndez

José María Méndez es socio responsable del área de Propiedad Intelectual y Tecnologías de la Información y Comunicaciones de Baker & McKenzie Madrid. Anteriormente, fue socio del área de Propiedad Intelectual en un despacho internacional, así como secretario general adjunto de Sogecable y director de la asesoría jurídica del área de cinematografía y televisión. Participa con frecuencia en actividades sin ánimo de lucro de organizaciones como Caritas Diocesanas y Aldeas Infantiles. Asimismo, imparte clases en el Máster de Propiedad Intelectual de la Universidad Carlos III.

Author Pablo Uslé

Author Patricia Pérez

Patricia Perez joined the Information Technology & Communications Department of Baker & McKenzie in Madrid in 2013. Her prior experience includes working at national law firms in the Corporate and Intellectual Property and Information Technology departments.

Author David Molina

Author Francesca Gaudino

Francesca Gaudino is the Head of Baker McKenzie’s Information Technology & Communications Group in Milan. She focuses on data protection and security, advising particularly on legal issues that arise in the use of cutting edge technology.

Author Kathy Harford

Kathy Harford is the Lead Knowledge Lawyer for Baker McKenzie’s global IP, Data & Technology practice.

Related Posts

U.S. Prohibits Data Brokers from Making U.S. Sensitive Data Available to Foreign Adversaries

A legal framework for NFTs and other tradeable assets in video games: the Great French Experiment

Kentucky is Off to the Races: Bluegrass state is 15th to Pass Comprehensive Privacy Law