By Rowena Cormack, Aidan Healy & Charlotte Burke

|

Published 26 July 2023

Overview

On 27 June 2023, it was announced that European Council and Parliament policymakers had reached agreement on the provisions of the proposed European Data Act ("the Data Act"). The Data Act is a new regulation which will establish harmonised rules governing making data generated by the use of a product or related service available to the product / service user, to data recipients and to public bodies for public interest purposes where there is an exceptional need.

Overview

The Data Act is intended to address the "lack of clarity" identified by the Commission regarding who can use and access data generated by connected products (i.e. Internet of Things/IoT devices), barriers to switching between cloud computing services within the EU and the limited ability to combine data emanating from different industry sectors.

The stated aim of the Data Act is to ensure fairness in the digital market and to stimulate innovation and a competitive data market. It is hoped that the Data Act will make more data available for reuse and, according to the Commission, the Data Act is expected to create €270 billion of additional EU GDP by 2028.

It will focus on the following areas:

  • Measures to allow users of IoT devices to access the data generated by these devices (which is currently often exclusively harvested by manufacturers) and to share this data with third parties to drive aftermarket and other data-driven innovative services;
  • Measures to rebalance negotiation power for SMEs in order to protect them from unfair contractual terms imposed by tech giants who have significantly stronger bargaining power;
  • Measures to enable public sector bodies to access and use data held by the private sector that is necessary in exceptional circumstances, for example, in the case of a public emergency. In this regard data insights from the private sector could be of significant assistance, for example, access to location data in the event of a flood or wildfire;
  • Measures to enable customers to switch between cloud computing providers efficiently and effectively and to ensure there are safeguards in place to prevent unlawful data transfer.

It is intended that the Data Act will be fully consistent with, and will build on the provisions of the GDPR. Specifically, the Data Act will enhance the right of data portability, which is currently enshrined in the GDPR, but relates only to personal data. The Data Act will extend that right to any data (personal or otherwise) generated by IoT devices.

Next Steps

The agreement reached between the EU Council and Parliament is now subject to formal approval by both bodies. It will then be adopted by the bodies following legal-linguistic revision. Once adopted, the Act will enter into force on the 20th day following its publication in the Official Journal and will become applicable 20 months after the entry into force. It is therefore envisaged that the Act will come into force in early to mid-2025.

For a copy of the Commission's press release on the Act, click here.

Authors