The EU Data Act (the "Act"), which entered into force on 11 January 2024, is a comprehensive piece of legislation aimed at fostering a fair and competitive digital environment in the European Union. It focuses on ensuring that data is shared more effectively, while protecting the rights of individuals and businesses.
Please see our other articles on this topic:
- The EU Data Act: Switching, interoperability and prevention of unauthorised access to non-personal data
- The EU Data Act: Data sharing
- The EU Data Act: Rights of Access to Data
Here's an overview of what the Act entails:
Purpose and scope
Application
The first part of the Act is designed to regulate access to and use of data generated by connected products and related services ("data"). It aims to balance the interests of data holders, users, and data recipients by setting out rules on data sharing. The Act therefore applies to a wide range of stakeholders, including:
- manufacturers of connected products (these may be considered "data holders");
- providers of related services (these may also be considered "data holders");
- users of the connected products and related services who generate data through these products and services (these can be consumers or businesses and are considered "users"); and
- third parties to whom data holders make the data available (these are considered "data recipients").
The second part of the Act is designed to regulate switching between providers of data processing services (which includes cloud services providers), by setting out rules on switching and porting. This part of the Act primarily regulates:
- providers of data processing services, which are services that enable the processing of data by means of ICT infrastructure (including cloud services providers) ("Data Processing Services Providers"); and
- customers of Data Processing Services Providers.
Key features
The Act contains the following key features:
- Data Access Rights and Obligations: The Act mandates that connected products must be designed and manufactured, and related services must be provided, in such a way that data generated by these products and services is directly accessible to users. If data cannot be made directly accessible, it must be made available on request without undue delay. The Act disapplies database rights to data falling in scope of the Act, meaning that the usual protections for those who make a substantial investment in obtaining, verifying or presenting database contents will not apply in respect of data that falls within the scope of the Act. It also creates an exception to the obligation to provide or make data available when it is considered a trade secret.
- Data Sharing and Portability: The Act mandates that data must also be made available to data recipients following a request from the user and must be made available to public sector bodies, the Commission, the European Central Bank or an EU body where there is an exceptional need. The latter allows data to be made available where, for example, there is a public emergency such as a pandemic.
- Fairness and Reasonableness: Any terms under which the data is made available to a data recipient must be fair, reasonable, and non-discriminatory. This means that data holders cannot impose unfair conditions on data recipients. This provision is particularly significant for small and medium-sized enterprises (SMEs), ensuring they are not disadvantaged by larger competitors. Data holders may also charge a reasonable and non-discriminatory fee for providing data to data recipients.
- Interoperability and Data Processing Services: The Act imposes obligations on Data Processing Services Providers to promote the switching and porting of data. Importantly, the Act:
a) mandates the inclusion of provisions relating to switching in customer contracts. Similar to requirements for data processing arrangements, the Act sets out a number of specific arrangements that must be included in customer contracts, including in relation to notice periods, maximum transition times, specifications of categories of data and digital assets that can be ported and support for the customer's exit strategy;
b) phases out the levying of switching charges imposed on customers, with an outright prohibition on such charges commencing on and from 12 January 2027; and
c) requires Data Processing Services Providers to facilitate functional equivalence after switching, make open interfaces available, and ensure compatibility with common specifications or harmonized standards.
- International Transfers of Non-Personal Data: Data Processing Services Providers must take adequate technical, legal and organisational measures to prevent international governments from accessing and transferring non-personal data where such access or transfer conflicts with EU or member state law. Any decisions or judgments of a court or tribunal in a country that has an international treaty in place with the EU or relevant member state shall still be permitted.
Oversight and liability
The Act requires each member state to designate a competent authority to oversee compliance with and to enforce the provisions of the Act and appoints the European Data Innovation Board as the body responsible for ensuring the competent authorities' consistent application of the Act.
Any person whose rights under the Act have been infringed has a right to lodge a complaint with their local competent authority and have an effective judicial remedy if that competent authority fails to act on the complaint.
Member states have been tasked with laying down the rules on the penalties for infringements of the Act. However, where an infringement of the Act relates to personal data, the relevant supervisory authority appointed under the General Data Protection Regulation (GDPR) has the power to issue fines of up to €20 million or 4% of global annual turnover. Notably, unlike the GDPR, there is no explicit right under the Act for an affected person to claim damages against an infringing person.
Important dates
Although it is already in force, the Act does not apply until 12 September 2025, with the data access rights and obligations key feature listed above applying to products placed on the market after 12 September 2026.
Implications for businesses
Businesses will need to adapt to the new regulatory environment by reviewing and potentially revising their data management and sharing practices, and redesigning their products, in particular to allow them to comply with the data access and portability rights. Additionally, businesses should be prepared to negotiate fair data sharing agreements and develop strategies to protect their data and intellectual property while still complying with the requirements of the Act.
For Data Processing Services Providers, it is critical to update template contracts to include mandatory requirements and to update technical arrangements to support switching. Data Processing Services Providers should also consider how they will engage with other Data Processing Services Providers involved in any switching or porting process.
Next steps
Over the coming weeks we will be publishing a series of articles covering each of the key provisions listed above. If you haven't already, subscribe to our Technology and Data Protection newsletters or follow any of the authors on LinkedIn to receive these updates.