On 22 December 2023, the EU published Regulation (EU) 2023/2854, the Data Act, in the Official Journal of the EU. The Data Act is a new regulation providing harmonised rules on access to data, switching cloud providers and interoperability requirements across the EU. It is widely expected that the Data Act will have a significant impact on most companies doing business in the EU and will require significant preparation. The Data Act, which will apply from 12 September 2025 onwards, will be relevant far beyond the EU’s borders.
Background
The European Commission issued its proposal for a Data Act in February 2022. Subsequent negotiations with the European Parliament and the Council of the EU resulted in an agreement in June 2023. The European Parliament adopted the Data Act on November 9, 2023 and so did the Council of the EU on November 27, 2023. The Data Act was published on December 22, 2023.
Objectives
The adoption of the Data Act takes place in the context of the EU’s ambitions to boost the EU’s data economy and to create a Digital Single Market. The intended role of the Data Act is to set requirements for the use and value creation of data by providing users of connected products or services with more rights, and increasing competition in digital markets, especially by strengthening SMEs’ competitive position.
To that end, the Data Act defines the conditions for a right of access to product and service data generated by connected products and related services. In this context, the Data Act provides safeguards against unlawful third-party use, the disclosure of trade secrets, and unfair contractual provisions (See Section I). International and third-country governmental access and transfer of nonpersonal data held in the EU is subject to restrictions. In addition, the Data Act provides for interoperability standards on providers of cloud and other data processing services to facilitate switching (See Section II). Noncompliance can lead to penalties set and enforced by EU countries (See Section III).
Scope
From a business perspective, most of the provisions of the Data Act will apply to data holders, i.e., typically (but not always) manufacturers of connected products and providers of related services, if they place products or services on the EU market (and to data holders making data available to data recipients in the EU), irrespective of their place of establishment. However, the Data Act’s provisions on data sharing only apply to users located in the EU.
Relationship With the GDPR
The Data Act is without prejudice to the GDPR and the ePrivacy Directive 2002/58, including with regard to the powers of supervisory authorities and the rights of data subjects. The Data Act complements the rights of access and data portability under Articles 15 and 20 of the GDPR. In the event of a conflict between the Data Act and EU or national law on the protection of personal data or privacy, the law on the protection of personal data or privacy will prevail.
Timelines
Most of the Data Act rules will enter into application from 12 September 2025.
The obligation to design connected products/related services in such a way that product and related service data is accessible by default will apply as 12 September 2026.
The rules on unfair contractual terms related to data access and use between companies will apply as from 12 September 2027 to contracts concluded on or before 12 September 2025 if they are of indefinite duration, or due to expire at least on 11 January 2034.
While these may appear to be rather generous timelines, several categories of actors may face significant redesigns of their products and services, which should be initiated as soon as possible.