The European Data Act and its Consequences for your Company
The European Data Act will be implemented in September 2025 and will affect the use and access of non-personal, user-generated data across all industries. Companies should start preparing now to ensure compliance with the new legislation. Find a comprehensive checklist and key takeaways to help you and your company navigate data access, sharing, and protection requirements.
The Data Act – What You Need to Know Now / Preparation Checklist
On the 9th of November 2023, the European Parliament approved the agreed-upon text for a new regulation titled "Establishment of Uniform Rules for Equitable Data Access and Fair Utilization," commonly referred to as the Data Act. Official confirmation from the Council of the European Union occurred on November 27, 2023. The Data Act is anticipated to be published in the Official Journal of the European Union in the coming weeks and is set to take effect 20 days thereafter. It will be applicable from September 2025, marking 20 months since its enactment. Below, we provide crucial information to assist your company in effectively preparing for the implementation of the Data Act.
What is the Purpose of the Data Act?
The Data Act aims to re-regulate the legal conditions for access to and use of non-personal, user-generated data by creating rights of access to data for both the private and public sectors, while imposing significant obligations on data holders, product manufacturers and cloud providers.
Because of its cross-sectoral approach, the Regulation applies to all industries and sectors of the economy. Virtually any business that processes data in any way is potentially affected by the Data Act, although most of the obligations of the Data Act do not apply to small businesses.
The Data Act regulates the collection of data, both personal and non-personal, from IoT devices and related services such as home appliances, fitness devices, voice assistants, industrial equipment and connected vehicles. This data is valuable for product development, device maintenance, and algorithm training. Manufacturers and retailers will no longer be able to store this data exclusively. For small and medium-sized businesses, the Data Act offers new ways to access this data and develop new business opportunities. The Data Act applies to both European and non-European companies that operate in the EU or market products or related services.
How does the GDPR come into play with the Data Act?
The GDPR focuses on personal data, while the Data Act encompasses both personal and non-personal data. It is crucial to consider both regulations together, especially in situations involving mixed data sets.
The Data Act complements the GDPR without undermining existing rights and obligations. The draft explicitly states that when processing personal data, data holders should act as controllers under the GDPR, subject to its obligations. Transparency requirements outlined in the Data Act for data from connected devices do not override controllers' information obligations under the GDPR. In the context of connected devices, the Data Act strengthens the right to data portability, allowing users to access and transfer both personal and non-personal data from these devices. Additionally, safeguards for the international flow of non-personal data are introduced, without affecting rules governing the transfer of personal data to third parties outside the EU.
Key Take-Aways:
Small Companies, Microenterprises, and newly-formed Medium-Sized Companies, or those with affected Products less than a year old, are exempt from the Data Act.
Small companies and microenterprises are excluded from the scope of the Data Act. Chapter 2 of the Act does not apply to them. Medium-sized companies are exempt from the scope of the Data Act if they have met the threshold for this category for less than one year. If a medium-sized company's product is affected, it is exempt from the scope of application if the product has been placed on the market for less than one year.
Making Stored Data Available to Users and Third-Party Recipients
The Data Act gives users (consumers and businesses) the right to access and share IoT data from connected products and services with third parties in the same quality as the original. The data should be made available in real time, free of charge, and in a machine-readable format. Holders of the data must inform users about data access and sharing before concluding a contract. Users have the right to know the nature and extent of the data generated, whether it is generated continuously in real time, the manufacturer's intention to use or disclose the data, and the identity of the data holder. If necessary, users may lodge a complaint with a competent authority if these rights are violated.
Data holders may only use the data for their own purposes if this has been expressly agreed with the user in the form of a license. Users are free to choose the recipient of their data, and may enter into license agreements granting third parties the right to their data. There is one exception: if the recipient is a "gatekeeper" as defined in the Digital Markets Act, they may not enter into a license for the user data. A gatekeeper is a company that controls market access and has considerable influence, such as Microsoft, Google, Apple and Facebook. As a result, gatekeepers may not receive user data directly or indirectly.
Data provided to B2B recipients must be subject to fair, reasonable and non-discriminatory contractual terms. The user grants a license to third parties and determines which recipients may access the data. The data owner may require reasonable compensation for sharing the data.
Cloud Switching
The user can terminate the contract with the data processor, e.g. a cloud provider, within 30 days. The cloud provider must ensure the change of service provider through interfaces and compliance with interoperability standards, while maintaining functional equivalence and security standards. After the change, all data and metadata must be deleted. Providers of data processing services may only charge a reduced fee for data transmission.
In addition, providers must disclose whether they have IT infrastructure in third countries and take measures to prevent unauthorized government access to non-personal data in violation of EU law (Art. 27 Data Act).
Access by public authorities
Public authorities and EU bodies may have access to data, in particular in the event of public emergencies such as natural disasters, pandemics or when carrying out tasks in the public interest. The public authority may access data if there is no other timely and efficient way to obtain it under equivalent conditions, with priority given to obtaining data from the market for public interest tasks.
If a company receives such a request, it must provide the requested data without delay (Art. 18 (1) Data Act), unless it does not have the data or the request does not comply with the legal requirements. If necessary, personal data should be anonymized or pseudonymized prior to disclosure.
Fair Contractual Clauses between Data Holders and Data Recipients
The Data Act aims to prevent unfair contractual terms between data controllers or holders of data and recipients. The regulation defines unfair terms as those that depart significantly from good commercial practice and are contrary to good faith and fair dealing. Examples include limitations on liability for intent or gross negligence, exclusion of remedies for non-performance, unilateral rights to interpret terms, access to data in violation of the other party's legitimate interests, obstruction of the use of data, refusal to provide copies of data, and unreasonably short notice for terminating contracts.
The Commission will introduce standard contract clauses to avoid unfair terms. The Data Act does not regulate data use in commercial agreements with consumers that wish to obtain large amounts of data, and there is currently no guidance on how to draft such commercial terms in a legally compliant manner. Businesses should ensure that such data use agreements are clearly drafted and that, at a minimum, consumers do not give a blanket waiver of all rights to their data.
Intellectual Property Protection
The Data Act does not require companies to disclose their trade secrets (Art. 8 (6) Data Act). Data owners may take the necessary measures to protect their trade secrets before disclosing data and may contractually require users or data recipients to take additional measures to protect the data. In exceptional cases, data owners may refuse to disclose data if serious and irreparable economic damage is to be expected, in which case notification to the competent authority is required for review. Any use of the data for the development of competing products is strictly prohibited (Art. 4 para. 4 Data Act).
If a recipient receives or uses the data of the data owner without authorization, the recipient must destroy it together with the goods derived from it and pay compensation (Art. 11 para. 2 Data Act), unless no damage has been caused or the measure is disproportionate.
Preparation Checklist for medium and large companies (see also FAQs):
- Determine the type and scope of data that may be generated when a product or related service is used.
- Develop processes to make all user-generated data collected by associated products and services available directly through the product, in real time, free of charge, and on an ongoing basis in a machine-readable format.
- Adapt contracts and websites in advance of the Data Act's implementation to obtain a license from the user to use the data for the company's own purposes, and to provide information on how to initiate data access and transfer to third parties (data portability).
- Use basic model contract clauses with data recipients as soon as they are available.
- Avoid unfair contractual clauses (discrimination against individual data recipients, exclusive provision to only one data recipient).
- Set reasonable charges for providing data to third parties and, in the case of a recipient that is a micro-enterprise, ensure that the charges cover only what is necessary to collect and provide the data.
- Ensure that personal data is only disclosed to the data subjects or that there is a legal basis under the GDPR for disclosure.
- Ensure the protection of business secrets and the use of contractual and technical safeguards against the disclosure of intellectual property when providing data.
- Provide data to public authorities only in exceptional cases, and anonymize or pseudonymize personal data whenever possible.