What you need to know about the new EU Data Act

Following a political deal between the Council and the European Parliament (EP) on 27 June 2023 and formal adoption by the EP on 9 November 2023, the Council formally approved the EU Data Act, on 27 November 2023, clearing the final hurdle for the act to be published and enter into force. The Act was proposed by the European Commission (EC) in February 2022 and sets out rules for access to, and use of, data generated in the EU across economic sectors. It is the second main legislative initiative resulting from the EC's February 2020 European strategy for data. The EU Data Governance Act, adopted by the co-legislators in 2022, was the first initiative.

Main objectives of the Act

As our previous post explained, the EU Data Act establishes harmonised rules for the sharing of data generated by the use of connected products or related services (e.g. the internet of things). It aims to remove barriers to access data, for both private and public sector bodies, while preserving incentives to invest in data generation. 

The Act also aims to ease the switching between providers of data processing services, puts in place safeguards against unlawful data transfer and provides for the development of interoperability standards for data to be reused between sectors.

Scope of the Act

The Act covers both personal and non-personal data and applies to:

• (a) manufacturers of connected products placed on the market in the EU and providers of related services (irrespective of the place of establishment of those manufacturers and providers);
• (b) users in the EU of connected products or related services as referred to in point (a);
• (c) data holders (irrespective of their place of establishment) that make data available to data recipients in the EU;
• (d) data recipients in the EU to whom data are made available;
• (e) public sector bodies, the EC, the European Central Bank and EU bodies that request data holders to make data available where there is an exceptional need for those data for the performance of a specific task carried out in the public interest and to the data holders that provide those data in response to such request;
• (f) providers of data processing services (irrespective of their place of establishment), providing such services to customers in the EU;
• (g) participants in data spaces and vendors of applications using smart contracts and persons whose trade, business or profession involves the deployment of smart contracts for others in the context of executing an agreement.

Rebalancing negotiation power, compensation and trade secrets

The Act includes measures to prevent abuse of contractual imbalances in data sharing contracts due to unfair contractual terms imposed by a party with significantly stronger bargaining position. According to the Council's press release, these measures will protect EU companies from unfair agreements and give SMEs “more room for manoeuvre”.

The Act also contains provisions regarding the reasonable compensation of businesses for making the data available (including to protect SMEs) and protections for trade secrets when companies are obliged to share data.

Interaction with other key EU acts

The Act is designed to complement, and is without prejudice to, EU law on data protection and privacy (the EU General Data Protection Regulation (GDPR) and Directive on privacy and electronic communications). It is part of a data package which includes the Data Governance Act and also complements the Digital Markets Act (DMA), which entered into force in November last year and will start to bite in March 2024. The DMA will require certain providers of core platform services identified as ‘gatekeepers’ to provide, inter alia, more effective portability of data generated through business and end users’ activities.

Implementation and enforcement

In order to ensure the application and enforcement of the Act, EU Member States should designate one or more competent authorities. Where an EU Member State designates more than one competent authority, it must also designate a “data coordinator” from among them to facilitate cooperation between the competent authorities.

Non-compliance with the Act can result in penalties set and enforced by the national competent authorities.

Next steps

The new regulation will be published in the EU’s official journal in the coming weeks and will enter into force the twentieth day after this publication. Most of its provisions will then apply 20 months after it enters into force. 

Once it applies, the Act is likely to have a significant impact on data companies and the digital economy. It will also be interesting to see how its provisions will interact with, for example, gatekeepers' obligations under the DMA and data portability provisions under the GDPR. A study funded by the Computer and Communications Industry Association has warned that these and other new digital regulations in the EU (such as the Digital Services Act and the proposed AI Act) “will shape, likely quite dramatically, the environment for doing digital business in Europe and beyond”. The study is available: here.