On 9 November 2023, the European Parliament formally and overwhelmingly adopted, by a majority of 481 votes in favour, 31 votes against and 71 abstentions, the final version of the proposal for a regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (the “Data Act”). It will now need formal approval by the Council to become law.
The Data Act was initially proposed by the European Commission on 23 February 2022 as part of the EU Data Strategy package, with the aim of ensuring fairness in the digital environment, stimulating a competitive data market, opening up opportunities for data-driven innovation and making data more accessible for all. In practice, it establishes rules on the sharing of data generated through the use of connected products or related services (e.g. the Internet of Things (IoT) and industrial machinery) and allows users to access the data they generate. As such, the Data Act opens the door for the development of new services, particularly in artificial intelligence, where vast amounts of data are required for algorithm training.
Key elements of the Data Act include:
Data sharing. Reinforced data portability and data sharing measures grant users the right to access, port or share with a third party of their choice the data they contributed to generating. The data covered by these sharing measures “represents the digitalisation of user actions and events” resulting from users’ actions intentionally, indirectly or in standby mode. The Data Act also provides for specific rules governing the processing of data by third parties and the relationship between the third party and the original data holder by way of data sharing agreements. The aim is to adapt rules of contract law in order to prevent exploitation of contractual imbalances that may hinder fair access to and use of data.
Trade secrets. The Data Act also provides for specific provisions that concern safeguarding data related to trade secrets against possible abusive behaviour of data holders. In particular, a data holder, which may be a different legal person to the trade secret holder, may prevent unlawful data transfers and data leaks to countries with weaker data protection regulations subject to specific conditions being fulfilled.
Data markets. The Data Act introduces the principle that both the owners of connected devices and product manufacturers can monetise the generated data by sharing, selling or licensing this generated data to other companies, such as start-ups or researchers. Data holders are entitled to receive non-discriminatory and reasonable compensation that might include a profit.
Access by public sector bodies. Public sector bodies are granted access to and use of privately held (personal and non-personal) data in circumstances of clear public interest, such as public health emergencies, subject to specific conditions. Non-emergency uses have been restricted to industrial data, and data requests by public bodies are limited to safeguard the value of the data and prevent abuses.
Cloud markets. The Data Act provides for data and cloud interoperability rules allowing end users to effectively switch between cloud and edge service providers. Essentially, cloud service providers are prohibited from imposing obstacles that would prevent consumers from unbundling different cloud services. If such obstacles already exist, cloud service providers must remove them. This is combined with tighter transparency obligations that will result in cloud service providers disclosing switching conditions and technical limitations to their cloud services.
Governance. EU Member States are required to designate one or more competent supervisory authorities and are responsible for defining the rules on penalties applicable to infringements of the Data Act. In particular, each EU Member State must designate a data coordinator which, in the context of the Data Act, will be the single point of contact for companies and authorities from other EU countries. Insofar as the protection of personal data is concerned, the data protection supervisory authorities, such as the CNPD in Luxembourg, continue to be responsible for monitoring the application of the Data Act and the rules on penalties under the GDPR will apply.
What’s next?
Once published in the Official Journal of the European Union, the Data Act will enter into force on the 20th day following its publication. The provisions of the Data Act will be applicable 20 months after its entry into force, which, as of today, we expect to be August/September 2025.