Latest Posts
Search for:
In Data Privacy

The new EU regulation on harmonised rules on fair access to and use of data (“Data Act”)

by , and 5 Mins Read

Where can I find the text of the Data Act?

The published text can be found here.

What is the Data Act about?

  • It requires organisations to make data collected through connected products or related services (including virtual assistants in so far as they interact with a connected product or related service) available to users and, upon a user’s request, to third parties.
  • By mixing concepts of both data and competition law, the Data Act aims to facilitate the creation of a single market for data.
  • The Data Act will apply to all in-scope data in addition to existing requirements under the GDPR, which will apply to any personal data falling within scope.

What else is governed by the Data Act?

  • Elimination of unfair terms related to data access and use in B2B contracts;
  • Obligations to share data with EU public bodies in case of exceptional need;
  • Switching between data processing services (including cloud and edge services);
  • Regulation of non-personal data transfers outside the EU;
  • Interoperability and harmonised standards for data access, transfer and use.

Who and what is in scope?

1. Actors, products and services

  • Manufacturers of connected products placed on the market in the EU and providers of related services (irrespective of their place of establishment).
    • Connected product means an item that (i) obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and (ii) whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user.
    • Related service means (i) a digital service, other than an electronic communications service, including software, (ii) which is connected with the product at the time of the purchase, rent or lease (iii) in such a way that its absence would prevent the connected product from performing one or more of its functions, or (iv) which is subsequently connected to the product by the manufacturer or a third party to add to, update or adapt the functions of the connected product.
    • Virtual assistants means software that can process demands, tasks or questions including those based on audio, written input, gestures or motions, and that, based on those demands, tasks or questions, provides access to other services or controls the functions of connected products.
  • Users in the EU of connected products or related services.
  • Data holders making data available to data recipients in the EU (irrespective of their place of establishment).
  • Data recipients in the EU to whom data are made available.
  • Public sector bodies, the Commission, the European Central Bank and Union bodies that request data holders to make data available where there is an exceptional need for those data for the performance of a specific task carried out in the public interest and to the data holders that provide those data in response to such request.
  • Providers of data processing services providing such services to customers in the EU (irrespective of their place of establishment). This covers, in particular, cloud services.
  • Participants in data spaces and vendors of applications using smart contracts and persons whose trade, business or profession involves the deployment of smart contracts for others in the context of executing an agreement.

2. Categories of data

  • Data, i.e., any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording.
  • Product data, i.e., data generated by the use of a connected product that the manufacturer designed to be retrievable, via an electronic communications service, physical connection or on-device access, by a user, data holder or a third party, including, where relevant, the manufacturer.
  • Related service data, i.e., data representing the digitisation of user actions or of events related to the connected product, recorded intentionally by the user or generated as a by-product of the user’s action during the provision of a related service by the provider.
  • Readily available data, i.e., product data and related service data that a data holder lawfully obtains or can lawfully obtain from the connected product or related service, without disproportionate effort going beyond a simple operation.
  • Metadata, i.e., a structured description of the contents or the use of data facilitating the discovery or use of that data.
  • Non-personal data, i.e., data other than personal data, whereas personal data means personal data as defined in Art. 4 (1) of the GDPR.

Timeline

  • Entering into force: 11 January 2024
  • General date of application: 12 September 2025; exceptions:
    • The “data accessibility by design” obligation under Art. 3 (1) applies to connected products and related services placed on the market after 12 September 2026.
    • Chapter III (obligations for data holders legally obliged to make data available) applies in relation to obligations to make data available under EU law or national legislation adopted in accordance with EU law, which enters into force after 12 September 2025.
    • Chapter IV (unfair terms related to B2B data access and use) applies to contracts concluded after 12 September 2025. However, from 12 September 2027, Chapter IV shall also apply to contracts concluded on or before 12 September 2025 provided that they are (i) of indefinite duration; or (ii) due to expire at least 10 years from 11 January 2024.
    • There shall be a gradual withdrawal of switching charges from 11 January 2024 to 12 January 2027.
Categories:
Tags:
Author

Simone Rieken is a senior associate in Baker McKenzie's Frankfurt office and a member of the Information Technology Practice Group. Prior to joining the Firm, she worked for a large German corporate law firm, focusing on IT and data protection law. She studied law at the University of Trier and at Queen Mary, University of London and clerked in Hamburg and Los Angeles. She advises national and international companies on all aspects of IT and data protection law. She focuses on data protection with regard to direct marketing and related tracking and profiling activities. Another focus of her practice is on IT (outsourcing) projects and agile software developments.

Author

John is an associate in Baker McKenzie's Intellectual Property and Technology team, based in London. He joined the Firm in 2016 and was admitted as a solicitor in England and Wales in 2018. He is also admitted as an attorney in the state of New York. His practice encompasses aspects of commercial, technology and intellectual property law. He has a particular focus on data protection.

Author

Marilyn is an associate in the Intellectual Property, Data and Technology team based in London. She joined Baker McKenzie as a Trainee Solicitor in September 2020 and was admitted as a solicitor in England and Wales in September 2022. During her training, Marilyn was seconded to Baker McKenzie's Dubai office for six months and later to Google's commercial legal team for six months.

Related Posts