Navigating the European Data Act: Key provisions, changes and challenges

On 11 January 2024, the European Data Act (the EU Data Act) came into force, heralding a new era in data governance across all economic sectors within the European Union (EU).

The EU Data Act is designed to promote fairness in value allocation, foster a competitive data market, stimulate innovation, and enhance data accessibility. While primarily focusing on industrial, non-personal data, it is pertinent to data protection considerations.

The EU Data Act introduces changes, such as granting users and third parties access and use rights to connected device data, expanding access to restricted data for specified groups, and establishing new compensation, portability, and transfer safeguards for non-personal data. However, navigating the EU Data Act comes with challenges, including ensuring consistency with the GDPR, aligning with other existing instruments, and addressing potential conflicts with contractual, competitiveness, and trade secret protection rights.

Scope of application

The EU Data Act obliges "data holders" (defined as natural or legal persons, e.g. people and companies) to share personal and non-personal data that is obtained, generated, or collected from data recipients (defined as natural or legal persons to whom data holders make data available to non-users for commercial purposes), by "connected products," "related services" and "virtual assistants”.

The EU Data Act has an extraterritorial scope. It applies, regardless of the place of establishment, to a variety of entities:

• Manufacturers of connected products - e.g. connected cars, smart-home devices, medical devices, and providers of related services, where such products and services are placed in the market in the EU.
• Users of connected products or related services in the EU.
• Public sector bodies of EU member states or institutions, agencies or bodies of the EU that request data holders to make data available in case of exceptional needs (e.g. public emergencies).
• Providers of data processing services - in particular cloud-services such as SaaS, PaaS, IaaS as governed by the EU Cloud Strategy, and edge service providers as included in the European strategy for data - providing such services to customers in the Union.
• Participants in data spaces, vendors of applications using smart contracts and persons whose trade, business or profession involves the deployment of smart contracts for others.

Key obligations and requirements

• Data access. Upon request by a data recipient, the data holders must provide access to certain data.
• Data sharing with third parties. Data holders are obliged to make data available to third parties under data sharing contracts.
• Data sharing with public sector bodies. Data holders are obliged to make data available to public bodies in case of public emergencies.
• Design requirements and transparency. Obligations for manufacturers to design their products so that data generated or captured by those products are available to users of the product for free and ideally directly.
• Unlawful international governmental access and transfer. To prevent international and third-country governmental access and transfer of non-personal data held in the EU that could create a conflict with EU law.

The EU Data Act and EU GDPR

Unlike the GDPR, which is limited to personal data, the EU Data Act applies to both personal data and non-personal data, which means that its scope of application is broader.

However, the EU Data Act make it clear that it is without prejudice to the GDPR, which include the powers and competences of supervisory authorities and the rights of data subjects. As such, where personal data is generated from connected products or related services, the requirements of both the Data Act and the GDPR must be satisfied.

Important dates

Whilst the EU Data Act entered into force on 11 January 2024, applicability starts on 12 September 2025.

This deadline also applies to member states informing the European Commission about national rules concerning penalties for noncompliance as well as the European Commission’s release of non-binding model contractual terms on data access and use, and the non-binding standard contractual clauses for cloud computing contracts.

Provisions on design and manufacturing requirements and unfair contractual terms have staggered implementation dates. These include:

• Provision on design and manufacturing requirements for simplified data access applies to connected products and related services placed on the market after 12 September 2026.
• Provisions on unfair contractual terms apply to contracts concluded after 12 September 2025. Such provisions apply from 12 September 2027 to specific contracts concluded on or before 12 September 2025.
• Provisions concerning statutory data sharing obligations apply regarding EU law or national legislation adopted in accordance with it, which enters into force after 12 September 2025.

Comment

The EU Data Act marks a transformative step in data governance, emphasising accessibility, fairness, and innovation. Navigating its provisions and aligning with existing regulations pose challenges, but the EU Data Act’s impact on data dynamics within the EU cannot be overstated. As businesses and entities adapt to these changes, a more transparent, competitive, and accessible data landscape is envisioned.

 

Related items:

• https://kennedyslaw.com/en/thought-leadership/article/2023/a-wave-of-data-privacy-litigation-is-coming/

• https://kennedyslaw.com/en/thought-leadership/article/2023/uk-us-data-bridge-takes-effect-today-12-october-2023/

• https://kennedyslaw.com/en/thought-leadership/article/2023/data-s-damp-squib-the-latest-iteration-of-the-eu-us-data-privacy-framework/