In the rapidly evolving digital landscape, the European Union’s Data Act (Data Act), adopted on November 27, 2023, marks a significant shift in data, privacy, and intellectual property regulation.
The Data Act applies to manufacturers of connected devices (such as IoT and medical devices, but also connected vehicles). Among other entities, it also applies to data processing services, such as cloud services providers and their users, public sector bodies, and others.
Similarly to the General Data Protection Regulation (GDPR), it equally applies to EU and non-EU businesses, even if they are not established in the European Union. However, unlike the GDPR, it applies to both personal and non-personal data.
This crucial piece of legislation came into force on January 11, 2024, and will be applicable as of September 12, 2025. Businesses within its scope should not delay implementation efforts, given that complying with the broad data access/sharing obligations will impact their current internal business processes. Similar efforts will be needed regarding various transparency and contracting obligations, which may require longer lead times to be fully integrated into companies’ practices.
Background, Purpose and Scope of the EU Data Act
Following in the footsteps of the 2022 Data Governance Act, the Data Act represents a significant advancement in the EU strategy to effectively manage, regulate and utilize the growing potential of the expanding data economy.
The Data Act’s primary purpose is to ensure that the wealth of product and related services data generated across the European Union is accessible not just to large corporations, but also to small and medium-sized enterprises, startups, and individual consumers. The European Union sees this democratization as a crucial step towards fostering a more equitable and competitive digital market.
The scope of the Data Act is broad, encompassing all sectors of the economy. Similarly to the GDPR, it also impacts businesses that are not established in the European Union. The Data Act applies to:
Manufacturers of connected devices and providers of related services placed on the EU market
Users of any such connected devices and related services
Data holders (e.g., manufacturers of connected devices) making data available to data recipients in the European Union and the data recipients themselves
Providers of data processing services (such as cloud services providers)
Participants in data spaces and various stakeholders in the area of smart contracts; and
Public sector bodies/EU institutions that request data holders to make data available under specific circumstances.
As to the types of data covered by the Data Act, the scope of the Act includes data produced by connected devices and related services and data processed by data processing services (including cloud services providers). In all such cases the data covered may be personal or non-personal. By including such a wide range of entities and industries, the Data Act aims to establish a universal standard for data access and sharing within the European Union, impacting the digital economy at large.
Key Provisions of the EU Data Act
The Data Act is a significant piece of legislation with far-reaching implications across various economic sectors. It introduces several key provisions that redefine how personal and non-personal data is accessed, shared, and protected. Key elements of the new legislation include:
Data Sharing Obligations: One of the fundamental provisions of the Data Act is the mandate for manufacturers of connected products and service providers to share data. This includes making data generated by the use of these products and services accessible to users of these same products and services and, under certain conditions, to third parties. This provision aims to democratize data access, fostering innovation and competition.
Protection of Intellectual Property and Trade Secrets: While promoting data sharing, the Data Act also safeguards intellectual property and trade secrets. It grants manufacturers a veto right in specific scenarios where sharing data could lead to serious and irreparable economic loss or compromise sensitive trade secrets, thus balancing data accessibility with the protection of business interests.
Data Portability and Design Requirements: The Act strengthens user rights to access data generated by their use of products and services by requiring manufacturers to design these products and services to ensure data accessibility. This enhances data portability, enabling users to transfer their data seamlessly between different service providers, thus promoting consumer choice and flexibility. Compliance with these design standards is essential for manufacturers and service providers to align with the new regulatory landscape.
Sector-Specific Rules: Recognizing the unique needs of different industries, the Data Act includes provisions for tailored regulations in sectors like healthcare and the automotive industry. For instance, it addresses the specific challenges and opportunities in sharing data from medical devices and smart vehicles, ensuring sector-specific compliance and innovation.
Data Protection and GDPR Compliance: In line with the robust EU data protection framework, the Data Act stipulates that all data sharing and handling must comply with the GDPR. This ensures that personal data that is accessed, used, and shared by virtue of the Data Act is also processed in compliance with the GDPR.
Transparency: The new legislation institutes strong transparency obligations, which will impact manufacturers’ production processes, such as the requirement to inform users about the product data that the connected product is capable of generating, before concluding contracts for the purchase, rent or lease of the connected product.
Public Sector Access in Emergencies: The Data Act also outlines conditions under which public sector bodies can access data held by private entities during emergencies. This provision is designed to ensure that critical data can be utilized effectively in situations like public health crises or natural disasters, while maintaining appropriate safeguards.
Dispute Resolution and Enforcement: The Data Act establishes mechanisms for resolving disputes related to data sharing and sets out enforcement provisions. This includes the designation of competent authorities and the establishment by EU Member States of penalties for non-compliance, to ensure that its provisions are effectively upheld.
Challenges and Considerations
Consumer Rights and Privacy: Balancing user access rights with privacy concerns, especially under the GDPR, requires a nuanced approach. This is particularly crucial in health-related data, where personal and sensitive information is at stake. Businesses will also need to navigate complex decisions about which legal basis they can rely on for the access and sharing of personal and non-personal data under the Data Act. While the Data Act is clearer in some instances (e.g., with regard to non-personal data sharing based on a contract), it leaves room for interpretation (and risk assessment) to businesses when it comes to the legal basis they can rely on when sharing personal data (although it hints at consent and contract as the appropriate legal bases).
Legal and Technical Complexity: The interplay between data sharing obligations and IP rights, particularly in sectors dealing with sensitive data like healthcare, presents legal challenges. Businesses must navigate these complexities while ensuring compliance and protecting their competitive edge.
Adaptation and Implementation: The Act’s broad scope means that businesses across various sectors must adapt their practices, potentially overhauling their data handling and product design strategies.
Contractual Protections: The Data Act establishes strong contractual protections for users. It clarifies that any contractual terms to the detriment of the user (in particular if these exclude or derogate from and/or change their rights) would not be binding. Businesses therefore must consider such provisions carefully, in light of potential future enforcement and litigation.
Looking Ahead: A Data-Driven Future
As the Data Act moves towards implementation, it presents new regulatory challenges and opportunities for businesses, particularly in terms of data sharing and protection. It requires businesses to make significant changes to their operations and to ensure compliance with stringent data management and privacy standards.
Policymakers and industry stakeholders will need to collaborate closely to navigate these changes effectively. The Data Act’s successful execution will depend on how its complex legal requirements are implemented in practice and on the ability of businesses to innovate within these constraints, setting a new standard for the digital economy in the European Union.
We have yet to see if the Data Act will follow in the footsteps of the GDPR and influence global data governance practices for connected products and related services.