The Data Act – the EU's bid to "ensure fairness in the digital environment and a competitive data market" – has been adopted
On November 27, 2023, the European Union ("EU") adopted the final text of the Data Act, marking an effort to create a harmonized, cross-sectoral data sharing framework with the stated goal of ensuring fair access to and use of data.
The Data Act is part of the European Data Strategy Package,1 which aims for the EU to take a leading role in our networked world. Following the Data Governance Act,2 which facilitates voluntary data sharing by businesses, individuals and the public sector, the Data Act is the second key piece of legislation aiming to make generated data more available for reuse. To that end, the Data Act seeks to maximize the value of data and to stimulate a competitive data market in which open opportunities for data-driven innovations make data more accessible for all.
The Data Act initially was proposed by the European Commission on February 23, 2022 and, after subsequent negotiations led to an agreement in June 2023, the regulation was adopted by the Parliament on November 9, 2023. With approval of the final text by the Council on November 27, 2023, the legislative process is almost complete, and the Data Act enters into force 20 days after it is published in the EU’s Official Journal.
Contribution to the digital transformation
To boost the EU's data economy, the EU is seeking to improve fairness, innovation and competitiveness in the digital environment. The Data Act aims to contribute to this by:
- Stimulating a single market for data
- Setting up rules to determine who can access data and under which conditions
- Increasing competition, inter alia, by strengthening the competitiveness of small- and medium-sized enterprises ("SMEs")
- Opening opportunities for innovation on the basis of data
- Making data more accessible to all
Contents of the new legislation
In a nutshell, the Data Act obliges legal or natural persons who qualify as "data holders" to share data collected through "connected products," "related services" and "virtual assistants" with others in the value chain.
- Connected Products, often referred to as the "Internet of Things", are items: (i) that obtain, generate or collect data concerning their use or environment and that are able to communicate product data (e.g., via an Internet connection, telephone networks or near-field communications); and (ii) whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user.3
- Related Services means digital services (including software), other than electronic communications services, which: (i) are connected to the product from the outset in such a way that the connected product would not work without them; or (ii) are subsequently added to improve the functionality of the connected product.4
- Virtual Assistants means software that can process demands, tasks or questions, including those based on audio, written input, gestures or motions, and that, based on those demands, tasks or questions, provides access to other services or controls the functions of connected products.5
Users (B2B or B2C) are also granted rights to access data from the data holder, and to have that data shared with third parties (expanding upon the data portability concept set out in the GDPR6).
Under the Data Act, limits are, however, placed on the ability of entities designated as "gatekeepers" under the Digital Markets Act7 to access certain user data relating to in-scope products and in-scope services.
In addition to data sharing obligations and access rights, the Data Act includes rules on how manufacturers should design their products, in order to allow users to take full advantage of the data they create. The legislation also contains rules on interoperability and on switching between data processing services.
Scope of application
The Data Act has an extraterritorial scope. It applies, inter alia, and regardless of the place of establishment, to: (i) manufacturers of in-scope products and suppliers of in-scope services in the EU; (ii) data holders that make data available to data recipients in the EU; and (iii) providers of data processing services offering such services to customers in the EU. Unlike the GDPR, the Data Act applies to users and data recipients in the EU only.
The data sharing obligations imposed by the Data Act on data holders apply to "Business to Consumer" ("B2C") as well as "Business to Business" ("B2B") users. The data sharing rights are granted to B2C and B2B users as well as, exceptionally, Business to Government ("B2G"8) users. Special rules are provided for SMEs, including an exemption from the B2C and B2B data sharing obligations.9 This is designed to give SMEs more opportunities to compete and innovate on the basis of data they generate, and to encourage more actors, regardless of their size, to participate in the data economy.
What data is covered by the Data Act?
The Data Act applies to both personal and non-personal data collected through in-scope products or during the provision of in-scope services. This includes, for example, raw data generated by the user interface and device itself, but does not extend to information inferred or derived from such data. With regard to data sharing, it also does not apply to data that sensor-equipped in-scope products generate when the user records, transmits, displays or plays content, or to the content itself.10
- Data access. Upon request by a user (B2B or B2C), the data holders must provide access to certain data from the in-scope products or services. A data holder can require that certain conditions are satisfied before sharing data that constitutes trade secrets, or (exceptionally) withhold or suspend the user's access, or the sharing of such data with third parties, if the confidentiality of trade secrets could be undermined.
- Data sharing with third parties. Data holders are under an obligation to make the in-scope data available to third parties under fair, reasonable and non-discriminatory terms and conditions and in a transparent manner.
- Data sharing with public sector bodies. In circumstances of high public interest, such as natural disasters, private data holders are, upon request (that must meet certain formal requirements), required to make the data available to public EU institutions. Personal data can only be requested in cases of exceptional need; for example, when it is necessary to respond to a public emergency and the public sector entities are unable to obtain such data by alternative means in a timely and effective manner under equivalent conditions.
- Design requirements and transparency. In-scope products must be designed and manufactured, and in-scope services must be provided in a way that allows users to access the data by default, in an easy and secure manner, free of charge and in a structured, commonly used and machine-readable format.
- Unfair contractual terms. In order to prevent the abuse of imbalances in B2B relationships, unfair contractual terms concerning access to, and the use of, data are prohibited. A contractual term is unfair if it deviates from good commercial practice in data access and use, contrary to good faith and fair dealing.
- Unlawful international governmental access and transfer. To prevent international and third-country governmental access and transfer of non-personal data held in the EU that could create a conflict with EU law or national law, providers of data processing services must implement adequate technical, organizational and legal measures, including contractual agreements, to protect the data.
- Service switching and interoperability. Data and cloud interoperability rules require data processing service providers to take specific measures in order to enable end users to effectively switch between cloud and edge service providers, or to use several providers at the same time. In addition, data processing service providers must facilitate interoperability between data processing services, including by ensuring compatibility with open interoperability specifications and harmonized standards.
- Restrictions for Gatekeepers. Gatekeepers cannot benefit from the new right of the user to share data with third parties; i.e., they can neither share data themselves nor receive such data, as it is prohibited to make data available to designated gatekeepers.
Relationship with the GDPR
While the scope of the GDPR is limited to personal data, the Data Act applies to both personal data and non-personal data, which means that its scope of application is clearly broader. However, according to Article 1(5) of the Data Act, the Data Act is without prejudice to the GDPR (and other national and EU law on the protection of personal data and privacy), including the powers and competences of supervisory authorities and the rights of data subjects. Where personal data is generated from connected products or related services, the requirements of both the Data Act and the GDPR must be satisfied.
Enforcement, Fines and Outlook
In order to ensure the application and enforcement of the Data Act, EU Member States are required to designate one or more competent supervisory authorities. If there is more than one authority designated, a data coordinator must be appointed as the primary national contact point (see Article 37(1), (2)).
In addition, Member States are responsible for defining penalties for infringements of the Data Act, taking into account various factors, including the infringer's annual turnover of the preceding financial year in the EU. These penalties should be effective, proportionate and dissuasive. According to Article 40(4), infringements of the sharing provisions concerning personal data can be subject to the administrative fines specified in the GDPR11 (i.e., up to the greater of €20m, or four percent of worldwide annual turnover).
The Data Act will enter into force on the 20th day after publication in the Official Journal, and it will apply 20 months after entry into force (see Article 50).12
1 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions – A European strategy for data, Brussels, Feb. 19, 2020, COM/2020/66 final.
2 Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act).
3 Article 2(5) and Recital 14 of the Data Act.
4 Article 2(6) and Recital 17 of the Data Act.
5 Article 2(31) and Article 1(4) of the Data Act.
6 Regulation (EU) 2016/679 (General Data Protection Regulation).
7 Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act).
8 I.e., public sector bodies, the Commission, the European Central Bank or a Union body.
9 Article 7(1) of the Data Act.
10 Article 1(2) and Recital 16 of the Data Act.
11 Article 83(5) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (GDPR).
12 Article 50 of the Data Act.
© 2023 White & Case LLP