European Data Act - Key Provisions and their implications

The European Union (EU) entered a historic, new era of data governance by enacting the Data Act. Effective from 11 January 2024, this legislative milestone introduces transparent and equitable rules governing data access within the European data economy and has been developed to be compatible with other pieces of legislation, including the General Data Protection Regulation (GDPR). It is a crucial component of the EU's broader Strategy for Data.

The Data Act also closely aligns with the Data Governance Act implemented in September 2023, which focuses on the rules for reusing data and introduces processes and structures to facilitate data-sharing. Collectively, these acts are aimed at achieving the EU’s Digital Decade objective of advancing digital transformation.   

We provide an overview of key provisions of the Data Act and its implications for organisations and consumers. 

Overview of the EU Data Act

Addressing the surge in Internet of Things (IoT) products, the Data Act ensures that users retain control over data generated by their connected devices. For context, IoT refers to a network of physical devices that can transfer data to one another without human intervention in real time, such as computers, machinery, wearable technologies and devices.
 
The Data Act requires manufacturers and service providers to ensure that individuals or organisations (users) are able to reuse the data that was created through the use of their services and/or products. Moreover, it gives users the leverage to share this data with third parties. For example, the owner of a coffee machine may share data with the company providing repair services. Manufacturers are mandated to design products in a way that allows both businesses and consumers to fully utilise IoT-generated data, promoting fair distribution and access.

Key elements of the Data Act, including the available rights and penalties for non-compliance

Both personal and non-personal data fall within the scope of the Data Act. It applies to “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording”.

If personal data is being processed, the GDPR will also apply, which means that organisations must be aware of their obligations under the GDPR as well. The Data Act aims to make data more accessible to all, provide standards for the reuse of data and facilitate access to and the use of data by consumers and businesses.

Below we provide a summary of the Data Act’s key elements, including new rights that it introduces.

Why is the EU Data Act significant and what does it mean for my business?

The Data Act will apply fully 20 months from the date of its entry into force (which is 11 January 2024). Although the Data Act constitutes EU legislation, it will have wider implications for organisations beyond the EU, including businesses in the UK. We expect that the Data Act will have at least some impact on the following organisations: 
  • UK manufacturers and providers of connected products (for example IoT devices) that will be placed on the EU market;
  • UK data holders who make data available to the users in the EU; and
  • Organisations that provide data processing services (for example, cloud services) to EU clients, whether based in the EU or outside the UK.
Moreover, it is possible that the Data Act will set a new global standard in the field, similar to the GDPR. This means that, even when not caught by the Act, UK organisations may seek to differentiate themselves in the UK market by choosing to comply with the “Golden Standard”. While we have not seen any declared plans by the UK government to enact a similar piece of legislation, it is possible that we may see that similar standards are mirrored in the UK’s domestic regulatory environment in the future.

If you have any queries or would like further information, please visit our data protection services section or contact Christopher Beveridge.
 

Key elements of the Data Act

The Data Act grants users the right to access the data generated by using products and/or related services. If data cannot be accessed from the product in real time, the data holder is required to make it available without delay and for free (where applicable). This must be done based on a simple request through electronic means where technically feasible. For context, a ‘data holder’ means an individual or an organisation that can or is required to make the data available.

Complementing the right to data portability under the GDPR, the Data Act introduces the right of users to share data with third parties. Considering that the scope of the Data Act covers personal and non-personal data, the right to share data is an expansion on the portability right under the GDPR. 

The obligations described in the above two points will not apply to data generated using products manufactured and/or related services provided by micro or small enterprises. The obligations related to the data subject’s rights to access data and to share the data with third parties do not apply to data generated through the use of products or related services as long as these were manufactured/provided by enterprises that qualify as micro or small enterprises.

However, there are specific conditions, so we would advise you to check the Data Act to see whether you can benefit from this. For clarity, a micro enterprise is defined as an enterprise that employs fewer than 10 people and whose annual turnover/annual balance is less than EUR 2 million. A small enterprise is defined as an enterprise that employs fewer than 50 people and has an annual turnover/annual balance of less than EUR 10 million.

In certain circumstances, data holders may receive “reasonable” and previously agreed compensation from third parties for making data available. The compensation needs to be fair, non-discriminatory and reasonable. Even if a data holder and a third party are unable to agree on the terms for such direct access, this should not prevent the data subject from exercising the rights contained in the GDPR, including the right to data portability.

The Data Act seeks to safeguard against potential unfair terms in data-sharing contracts with micro enterprises and SMEs whereby any contractual clauses that fail to meet the criteria set out in the Data Act will not be binding on these organisations. The Data Act requires the EU Commission to develop model, but not mandatory, contractual clauses to assist SMEs in negotiating fair data-sharing contracts. 

The Data Act provides for the requirement to share data with public bodies in specific circumstances such as natural disasters or terrorist attacks or to comply with legal obligations. Where data-sharing is necessitated by a response to a public emergency, the data must be provided free of charge and without undue delay. The data holder can request compensation of the costs in certain cases.

The Data Act introduces a set of minimum regulatory requirements to facilitate switching between providers of cloud and other data-processing services. These provisions will allow the transfer of private and business data from one provider to another without cost. 

The Data Act introduces safeguards to address unlawful international transfers or governmental access to non-personal data held in the EU. Data holders are required to implement appropriate technical, legal and organisational measures to handle access requests from authorities of non-EU countries, where such transfers create a conflict with EU or member state law.

For more information, refer to Article 27 of the EU Data Act which lists specific safeguards for the international transfers of non-personal data. At the same time, remember that international transfers of personal data will have to comply with Chapter V of the EU GDPR.

The Data Act also revisits aspects of the Database Directive, providing clarity on the role of the so-called sui generis database right, especially concerning databases derived from data generated through IoT devices. For context, sui generis is the right of the maker of a database to prevent extraction or reuse of the whole or a substantial part of that database. 

In addition to the impact on personal and non-personal data, the most negotiated area of the Data Act has been balancing intellectual property rights and protection of trade secrets with the overall objective of the Data Act. The Act does not affect existing rules in the areas of intellectual property, with one exception provided by Article 35: the sui generis right under Directive 96/9/EC (the EU Database Directive) does not apply to databases containing data obtained from or generated by the use of an IoT or connected product or related service to ensure that they can be accessed and used.

The EU Data Act does not provide any specific penalties for non-compliance. Instead, it requires EU Member States to lay down the appropriate sanctions, fines, and penalties for infringements of the Data Act. It also mandates that EU Member States designate one or more competent new or existing authorities which will carry out effective enforcement actions and oversee complaints. Data protection authorities will continue to be responsible for monitoring compliance with the GDPR where personal data is concerned.