Data Act: European Union harmonises rules on fair access and user rights

By Bláithín Sheil & Aidan Healy

Published 07 February 2024

Overview

The European Data Act (Regulation (EU) 2023/2854) ("the Data Act") became law on 11 January 2024 and will become applicable in September 2025. It establishes harmonised rules relating to the fair access and user rights of data while ensuring the ongoing protection of personal data. It is a key pillar of the EU data strategy and plays a key role in the Digital Decade's objective to advance digital transformation to empower citizens and business.

EU Data Strategy Context

The measures also complement the Data Governance Act (Regulation (EU) 2022/868), which was the first deliverable under the EU data strategy and came into force in September 2023. The Data Governance Act supports the set-up and development of common European data spaces in strategic domains, involving both private and public players, in sectors such as health, environment, energy, agriculture, mobility, finance, manufacturing, public administration and skills.

The EU Data Act and the Data Governance Act together will facilitate reliable and secure access to data, fostering its use in key economic sectors and areas of public interest.

Overview of the Data Act

The Data Act enhances the right of data portability, which is already enshrined in the GDPR but relates only to personal data. The Data Act extends that right to any data (personal or otherwise) generated by Internet of Things/IoT devices.

It will enable a fair distribution of the value of data by establishing clear and fair rules for accessing and using data within the European data economy, a necessity heightened by the growing prevalence of the Internet of Things (IoT).

In summary, connected products must now be designed and manufactured in a way that empowers users (businesses or consumers) to easily and securely access, use and share the generated data

The Data Act now requires that any data generated by the use of a product or related service must be made available to (i) the product / service user themselves; (ii) the data recipients; and (iii) any public bodies for public interest purposes where there is an exceptional need.

Much like the GDPR, the Data Act seeks to have extraterritorial effect and may apply to manufacturers of connected products placed on the market in the EU and organisations providing data processing services to customers in the EU, regardless of where those manufacturers and organisations are based.

The new measures

Data will now be more readily available due to the following measures:

Increased legal certainty for those engaged in data generation by establishing clear rules on the permissible use of data and associated conditions. The rules aim to facilitate the seamless transfer of valuable data between holders and users while maintaining confidentiality. This will encourage more actors, regardless of their size, to participate in the data economy. The European Commission will develop model contract clauses to assist market participants negotiate fair data-sharing contracts.
Business-to-business data sharing: mitigating the abuse of contractual imbalances that prevent the equitable sharing of data. This involves safeguarding smaller businesses/SMEs from unfair or unequal contractual terms imposed by the party with a considerably stronger market position.
Business-to-public data sharing: access by public sector to data held by private sector for specific public interest reasons (i.e. exceptional need), such as requesting data to enable a public sector body to respond quickly and safely to a public emergency.
Cloud switching and interoperability: new framework for customers to switch between different data-processing service providers, to unlock the EU cloud market. This also adds to the overall framework for data interoperability.
Review of the Database Directive, with a focus on making clearer the role of the sui generis database right (i.e. "of its own kind" or unique database).

Enforcement & Penalties

Each Member State must designate a competent authority to enforce the Data Act. Entities which fall within the scope of the Data Act will generally be subject to the competence of the Member State where they are established or the location of their main establishment if established in multiple EU jurisdictions. There will also be a European Data Innovation Board which will be set up as a Commission expert group in which competent authorities are represented, to support consistent application of the Data Act.

Unlike the GDPR, there is no EU-wide system of fines and each Member State will lay down its own rules for the application penalties for violations of the Data Act. Fines will naturally, therefore, vary from country to country. However, in respect of infringements of certain obligations under the Data Act, the supervisory authorities referred to in the GDPR will impose fines.

Conclusion

The first step for organisations is to understand whether they are in-scope of the Data Act. Those that are in scope will need to put in place a programme to ensure they meet the obligations which are being imposed, as well as analysing the potential opportunities it may bring.

Consumers will have new or enhanced rights of access and portability and while not perhaps as far reaching as the GDPR, it is likely that the Data Act will have a global impact.