The European Data Act



What is the European Data Act?

The European Data Act makes more data available for use, and sets up rules on who can use and access what data for which purposes across all economic sectors in the EU.

According to Article 1, Subject matter and scope:

1. This Regulation lays down harmonised rules, inter alia, on:

(a) the making available of product data and related service data to the user of the connected product or related service;

(b) the making available of data by data holders to data recipients;

(c) the making available of data by data holders to public sector bodies, the Commission, the European Central Bank and Union bodies, where there is an exceptional need for those data for the performance of a specific task carried out in the public interest;

(d) facilitating switching between data processing services;

(e) introducing safeguards against unlawful third-party access to non-personal data; and

(f) the development of interoperability standards for data to be accessed, transferred and used.


September 2024 - The European Commission publishes Frequently Asked Questions about the Data Act.


How does the Data Act interact with the General Data Protection Regulation?

The General Data Protection Regulation (GDPR) is fully applicable to all personal data processing activities under the Data Act. The Data Act does not regulate as such the protection of personal data. Instead, the Data Act enhances data sharing and enables a fair distribution of the value of data by establishing clear rules related to the access and use of data within the EU’s data economy.

In some cases, the Data Act specifies and complements the GDPR (e.g. real-time portability of data from Internet-of-Things (IoT) objects). In other cases, the Data Act restricts the re-use of data by third parties (e.g. Article 6 of the Data Act). In the event of a conflict between the GDPR and the Data Act, the GDPR rules on the protection of personal data prevail (cf. Article 1(5) of the Data Act).


What is a ‘connected product’?

Connected products are items that can generate, obtain, or collect data about their use, performance, or environment and that can communicate this data via a cable-based or wireless connection. This includes communication of data outside the product on an ad hoc basis (e.g. during maintenance operations).

Connected products can be found in all areas of the economy and society. They include smart home appliances, consumer electronics, industrial machinery, medical devices, smartphones, and TVs (cf. recital 14).

Products which primarily fulfil the function of storing, processing, or transmitting data (e.g. servers and routers) are outside the scope of the mandatory data-sharing obligations under Chapter II, unless they are owned, rented, or leased by the user.

Similarly, the fact that a connected product (e.g. a wagon, airplane, or vehicle) must use certain infrastructure (e.g. railways, airports, or highways) to function does not entitle the user of that connected product to access data generated by, for instance, sensors that are part of that infrastructure. Access would only be granted if the user has received ownership or contractual rights over the sensors embedded in the infrastructure.

Finally, the Data Act specifies that prototypes are out of scope, as their manufacturing stage has not been completed.

A connected product falls within the scope of the Data Act if it has been ‘placed on the Union market’ (Article 2(22)). ‘Placing on the market’ concerns the transfer of ownership, possession, or any other property right between two economic actors that occurs after the manufacturing stage.

A connected product is ‘placed on the market’ only once. All subsequent operations are considered as ‘making available on the market’ (Article 2(21)).

The concept of placing on the market refers to each individual product, not to a type of product. The requirements laid out in the Data Act are therefore applicable only to individual products that have been placed on the EU market, and not to all products of that type.


Example:

Sara goes on holiday to Portugal for 2 weeks and needs to rent a car. The rental agency, Sunny Wheels, owns a fleet of cars bought from Omni Motors, a large car manufacturer.

Keen to exercise her rights under the Data Act, Sara asks Sunny Wheels to provide her with a ‘connected car’. Sunny Wheels has a contract with Omni Motors that ensures that Sunny Wheels and its clients can access the data generated by the car. Omni Motors has put in place a data management system that can simultaneously handle data access requests from the thousands of users of their cars.

Sara’s rental agreement contains detailed information on the data generated by the car, including how to access it.

The following are two possible ways of organising access to data generated by Sara’s rented car.

1. ‘Corporate accounts’: Sunny Wheels has a corporate account with Omni Motors. Sunny Wheels provides Sara with the details needed to log in to Omni Motors’ website and access the rented car’s data.

2. ‘Individual accounts’: Sunny Wheels informs Sara that she has to set up her own account and enter into a separate data-sharing contract with Omni Motors. Sunny Wheels notifies Omni Motors that Sara will be using the car for 2 weeks.

In both cases, Omni Motors is the data holder; Sunny Wheels is a user because it owns the rented car and can access the data; and Sara is also a user because she has, by virtue of the rental agreement with Sunny Wheels, received temporary rights over the rented car.

To read the Frequently Asked Questions about the Data Act:

https://digital-strategy.ec.europa.eu/en/library/commission-publishes-frequently-asked-questions-about-data-act


13 December 2023 - Regulation (EU) 2023/2854 (Data Act) was published in the Official Journal of the European Union.

The final text of the European Data Act:

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R2854&qid=1704709568425

Following its entry into force, the Data Act will become applicable in 20 months (12 September 2025).

Source: According to Preamble (117): "In order to allow actors within the scope of this Regulation to adapt to the new rules provided for herein, and to make the necessary technical arrangements, those rules should apply from 12 September 2025."

Article 50, Entry into force and application: "This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. It shall apply from 12 September 2025."

By 12 September 2028, the Commission shall carry out an evaluation of this Regulation and submit a report on its main findings to the European Parliament and to the Council, and to the European Economic and Social Committee.


Article 37: Non-EU entities must also comply.

Article 37.11. Any entity falling within the scope of this Regulation that makes connected products available or offers services in the Union, and which is not established in the Union, shall designate a legal representative in one of the Member States.

37.12. For the purpose of ensuring compliance with this Regulation, a legal representative shall be mandated by an entity falling within the scope of this Regulation that makes connected products available or offers services in the Union to be addressed in addition to or instead of it by competent authorities with regard to all issues related to that entity.

That legal representative shall cooperate with and comprehensively demonstrate to the competent authorities, upon request, the actions taken and provisions put in place by the entity falling within the scope of this Regulation that makes connected products available or offers services in the Union to ensure compliance with this Regulation.

37.13. An entity falling within the scope of this Regulation that makes connected products available or offers services in the Union, shall be considered to be under the competence of the Member State in which its legal representative is located. The designation of a legal representative by such an entity shall be without prejudice to the liability of, and any legal action that could be initiated against, such an entity.

Until such time as an entity designates a legal representative in accordance with this Article, it shall be under the competence of all Member States, where applicable, for the purposes of ensuring the application and enforcement of this Regulation. Any competent authority may exercise its competence, including by imposing effective, proportionate and dissuasive penalties, provided that the entity is not subject to enforcement proceedings under this Regulation regarding the same facts by another competent authority.

37.14. Competent authorities shall have the power to request from users, data holders, or data recipients, or their legal representatives, falling under the competence of their Member State all information necessary to verify compliance with this Regulation. Any request for information shall be proportionate to the performance of the underlying task and shall be reasoned.


27 November 2023 - the European Council adopted the European Data Act.

Following the formal adoption by the Council, the European Data Act will be published in the EU’s official journal in the coming weeks and will enter into force the twentieth day after this publication.

It shall apply from 20 months from the date of its entry into force. However, article 3, paragraph 1 (requirements for simplified access to data for new products), shall apply to connected products and the services related to them placed on the market after 32 months from the date of entry into force of the regulation.

A very important (and very difficult) definition: According to Article 2, ‘connected product’ means an item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user;

To make things easier, another name for connected products is "Internet of Things".

In preamble 14, we read:

Connected products that obtain, generate or collect, by means of their components or operating systems, data concerning their performance, use or environment and that are able to communicate those data via an electronic communications service, a physical connection, or on-device access, often referred to as the Internet of Things, should fall within the scope of this Regulation, with the exception of prototypes.

Examples of such electronic communications services include, in particular, land-based telephone networks, television cable networks, satellite-based networks and near-field communication networks.

Connected products are found in all aspects of the economy and society, including in private, civil or commercial infrastructure, vehicles, health and lifestyle equipment, ships, aircraft, home equipment and consumer goods, medical and health devices or agricultural and industrial machinery.

Manufacturers’ design choices, and, where relevant, Union or national law that addresses sector-specific needs and objectives or relevant decisions of competent authorities, should determine which data a connected product is capable of making available.

This Regulation applies to:

(a) manufacturers of connected products placed on the market in the Union and providers of related services, irrespective of the place of establishment of those manufacturers and providers;

(b) users in the Union of connected products or related services as referred to in point (a);

(c) data holders, irrespective of their place of establishment, that make data available to data recipients in the Union;

(d) data recipients in the Union to whom data are made available;

(e) public sector bodies, the Commission, the European Central Bank and Union bodies that request data holders to make data available where there is an exceptional need for those data for the performance of a specific task carried out in the public interest and to the data holders that provide those data in response to such request;

(f) providers of data processing services, irrespective of their place of establishment, providing such services to customers in the Union;

(g) participants in data spaces and vendors of applications using smart contracts and persons whose trade, business or profession involves the deployment of smart contracts for others in the context of executing an agreement.


9 November 2023 - the European Parliament adopted the text of the European Data Act.

The European Parliament formally adopted during a plenary vote (by a majority of 481 votes in favor, 31 votes against and 71 abstentions), the text of the European Data Act. Next step: It must be approved by the Council.

In Article 2, we have some interesting new definitions:

‘Product data’ means data generated by the use of a connected product that the manufacturer designed to be retrievable, via an electronic communications service, physical connection or on-device access, by a user, data holder or a third party, including, where relevant, the manufacturer.

‘Related service data’ means data representing the digitisation of user actions or of events related to the connected product, recorded intentionally by the user or generated as a by-product of the user’s action during the provision of a related service by the provider.

‘Readily available data’ means product data and related service data that a data holder lawfully obtains or can lawfully obtain from the connected product or related service, without disproportionate effort going beyond a simple operation.

‘Metadata’ means a structured description of the contents or the use of data facilitating the discovery or use of that data.

‘Personal data’ means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679 (General Data Protection Regulation).

‘Non-personal data’ means data other than personal data.

‘Smart contract’ means a computer program used for the automated execution of an agreement or part thereof, using a sequence of electronic data records and ensuring their integrity and the accuracy of their chronological ordering.

According to the updated text (preamble 104), to promote the interoperability of tools for the automated execution of data sharing agreements, it is necessary to lay down essential requirements for smart contracts which professionals create for others or integrate in applications that support the implementation of agreements for data sharing.

In order to facilitate the conformity of such smart contracts with those essential requirements, it is necessary to provide for a presumption of conformity of smart contracts that meet harmonised standards or parts thereof in accordance with Regulation (EU) No 1025/2012.

The notion of ‘smart contract’ in this Regulation is technologically neutral. Smart contracts can, for example, be connected to an electronic ledger. The essential requirements should apply only to the vendors of smart contracts, although not where they develop smart contracts in-house exclusively for internal use.

The essential requirement to ensure that smart contracts can be interrupted and terminated implies mutual consent by the parties to the data sharing agreement. The applicability of the relevant rules of civil, contractual and consumer protection law to data sharing agreements remains or should remain unaffected by the use of smart contracts for the automated execution of such agreements.


27 June 2023, European Data Act - The Council and the Parliament strike a deal on fair access to and use of data

With a view to making the EU a leader in data-driven societies, the Council and the European Parliament representatives reached a provisional agreement on harmonised rules on fair access to and use of data.

The data act will give both individuals and businesses more control over their data through a reinforced portability right, copying or transferring data easily from across different services, where the data are generated through smart objects, machines, and devices. The new legislation will empower consumers and companies by giving them a say on what can be done with the data generated by their connected products.

The political agreement clarifies the scope of the regulation allowing users of connected devices, ranging from smart home appliances to smart industrial machinery, to gain access to data generated by their use which is often exclusively harvested by manufacturers and service providers.

Regarding Internet of Things (IoT) data, in particular, the focus was moved to the functionalities of the data collected by connected products instead of the products themselves.

The text contains measures to prevent abuse of contractual imbalances in data sharing contracts due to unfair contractual terms imposed by a party with significantly stronger bargaining position.

Moreover, the text provides additional guidance regarding the reasonable compensation of businesses for making the data available, as well as adequate dispute settlement mechanisms.

The agreement also ensures an adequate level of protection of trade secrets and intellectual property rights, accompanied by relevant safeguards against possible abusive behaviour of data holders.


What is the next step?

The provisional agreement must now be endorsed by the Council and the European Parliament. It will then be adopted by both institutions following legal-linguistic revision. From the Council’s side, the upcoming Spanish presidency intends to submit the text to member states’ representatives (Coreper) for endorsement as soon as possible.


Understanding the European Data Act.

The volume of data generated by humans and machines has been increasing exponentially. Unfortunately, most data are unused, or are collected by a few large companies. Low trust, conflicting economic incentives and technological obstacles impede the full realisation of the potential of data-driven innovation. It is crucial for the EU to unlock such potential by providing opportunities for the reuse of data, and removing barriers to the development of the European data economy. This is in line with the mission of the EU to reduce the digital divide, so that everyone benefits from these opportunities. Ensuring greater balance in the distribution of the value from data in step with the new wave of non-personal industrial data and the proliferation of products connected to the Internet of Things means there is enormous potential for boosting a sustainable data economy in Europe.

The Data Act was the next logical step after the European Data Governance Act. It is the second main legislative initiative following the February 2020 European strategy for data, which makes the EU a leader in the data-driven society.

The Data Governance Act, presented in November 2020 and agreed by co-legislators in November 2021, creates the processes and structures to facilitate data sharing by companies, individuals and the public sector. The Data Act clarifies who can create value from data and under which conditions. The Data Act removes barriers to access data, for both the private and the public sector, while preserving incentives to invest in data generation by ensuring a balanced control over the data for its creators.

When we buy a ‘traditional’ product, we acquire all parts and accessories of that product. However, when we buy a connected product (e.g. a smart home appliance or smart industrial machinery) generating data, it is often not clear who can do what with the data. Or it may be stipulated in the contract that all data generated is exclusively harvested and used by the manufacturer.

The Data Act gives individuals and businesses more control over their data through a reinforced data portability right, copying or transferring data easily from across different services, where the data are generated through smart objects, machines and devices. For example, a car or machinery owner could choose to share data generated by their use with its insurance company. Such data, aggregated from multiple users, could also help to develop or improve other digital services, e.g. regarding traffic, or areas at high risk of accidents.

It will be easier to transfer data to and between service providers and this will encourage more actors, including SMEs, to participate in the data economy.





For example, aftermarket service providers will be able to improve and innovate their services and compete on an equal footing with comparable services offered by manufacturers. Therefore, users of connected products (including consumers, farmers, airlines, construction companies or owners of buildings) could opt for a cheaper repair and maintenance provider (or maintain and repair themselves) and benefit from lower prices on that market. This could extend the lifespan of connected products, thereby contributing to the Green Deal objectives.

Also, availability of data about the functioning of industrial equipment will allow factories, farms or construction companies to optimise operational cycles, production lines and supply chain management, including based on machine-learning.

In precision agriculture, IoT analytics of data from connected equipment can help farmers analyse real time data like weather, temperature, moisture, or GPS signals and provide insights on how to optimise and increase yield, improve farm planning and make smarter decisions about the level of resources needed.

Increased business and manufacturing efficiency should lead to a reduction of waste, energy consumption and CO2 emissions.

The Data Act unlocks the value of data from private companies in exceptional situations of high public interest, such as floods or wildfires. The current data access mechanisms by the public sector are inefficient or non-existent in public emergency situations. With the new rules, there will be an obligation on businesses to provide certain data, under key conditions (which businesses can enforce in case of abuse).

If the data is necessary to address a public emergency, it will be provided for free. In other situations (to prevent or recover from a public emergency, or to fulfil a public-interest mandate imposed by law), the data holder may request compensation. It should greatly improve evidence-based decision-making, in particular effective and rapid response to crises, such as floods and wildfires.

For example, during the COVID-19 pandemic, aggregated and anonymised location data from mobile network operators was essential for analysing the correlation of mobility and the spread of the virus, including informing early warning systems for new outbreaks and taking the right measures to combat the crisis.

The Data Act also improves the conditions under which businesses and consumers can use cloud and edge services in the EU. It becomes easier to move data and applications (from private photo archives to entire business administrations) from one provider to another without incurring any costs, because of new contractual obligations that the proposal presents for cloud providers, and a new standardisation framework for data and cloud interoperability.

In addition, the Data Act raises trust by introducing mandatory safeguards to protect data held on cloud infrastructures in the EU. This will avoid unlawful access by non-EU/EEA governments. With these measures, the Data Act supports cloud adoption in Europe, which in turn stimulates efficient data sharing within and across sectors.


8 December 2022 - New compromise text on the Data Act.

The new compromise text on the Data Act, circulated on Thursday (8 December), introduces significant changes to the part intended to facilitate the switching from one cloud provider to the other.

The Czech presidency of the EU Council did not manage to broker a common position on the file at a ministerial meeting on Tuesday but worked on a new compromise text to address some of the outstanding issues.


23 February 2022 - We have the text of the Proposal on harmonised rules on fair access to and use of data (Data Act).

The proposal’s objectives are:

1. Facilitate access to and the use of data by consumers and businesses, while preserving incentives to invest in ways of generating value through data. This includes increasing legal certainty around the sharing of data obtained from or generated by the use of products or related services, as well as operationalising rules to ensure fairness in data sharing contracts. The proposal clarifies the application of relevant rights under Directive 96/9/EC on the legal protection of databases (the Database Directive) to its provisions.

2. Provide for the use by public sector bodies and Union institutions, agencies or bodies of data held by enterprises in certain situations where there is an exceptional data need. This primarily concerns public emergencies, but also other exceptional situations where compulsory business-to-government data sharing is justified, in order to support evidence-based, effective, efficient, and performance-driven public policies and services.

3. Facilitate switching between cloud and edge services. Access to competitive and interoperable data processing services is a precondition for a flourishing data economy, in which data can be shared easily within and across sectoral ecosystems. The level of trust in data processing services determines the uptake of such services by users across sectors of the economy.

4. Put in place safeguards against unlawful data transfer without notification by cloud service providers. This is because concerns have been raised about non-EU/European Economic Area (EEA) governments’ unlawful access to data. Such safeguards should further enhance trust in the data processing services that increasingly underpin the European data economy.

5. Provide for the development of interoperability standards for data to be reused between sectors, in a bid to remove barriers to data sharing across domain-specific common European data spaces, in consistency with sectoral interoperability requirements, and between other data that are not within the scope of a specific common European data space. The proposal also supports the setting of standards for ‘smart contracts’. These are computer programs on electronic ledgers that execute and settle transactions based on pre-determined conditions. They have the potential to provide data holders and data recipients with guarantees that conditions for sharing data are respected.


The European Data Act and its connection to other directives and regulations.

The European Data Act is consistent with existing rules on the processing of personal data, including the General Data Protection Regulation (‘GDPR’), and protecting the private life and the confidentiality of communications, as well as any (personal and non-personal) data stored in and accessed from terminal equipment (the ePrivacy Directive), that will be replaced by the ePrivacy Regulation currently the subject of legislative negotiations. This proposal complements existing rights, specifically rights regarding data generated by a user’s product connected to a publicly available electronic communications network.

The Free Flow of Non-Personal Data Regulation put in place a key building block of the European data economy, by ensuring that non-personal data can be stored, processed and transferred anywhere in the Union. It also presented a self-regulatory approach to the problem of ‘vendor lock-in’ at the level of providers of data processing services, by introducing codes of conduct to facilitate switching data between cloud services (the industry-developed ‘Switching Cloud Providers and Porting Data (SWIPO)’ Codes of Conduct). The European Data Act further builds on this, helping businesses and citizens to make the most of the right to switch cloud providers and port data. It is also fully consistent with the Unfair Contract Terms Directive as regards contract law. With regard to cloud services, as the self-regulatory approach seems not to have affected market dynamics significantly, this proposal presents a regulatory approach to the problem highlighted in the Free Flow of Non-Personal Data Regulation.

The Database Directive protects databases that have been created as a result of a substantial investment, even if the database itself is not an original intellectual creation protected by copyright. Building on the substantial amount of case-law interpreting the provisions of the Database Directive, the European Data Act addresses ongoing legal uncertainties about whether databases containing data generated or obtained by the use of products or related services, such as sensors, or other types of machine-generated data, would be entitled to such protection.

The Platform to Business Regulation imposes transparency obligations, requiring platforms to describe for business users the data generated from the provision of the service.

The Open Data Directive sets out minimum rules on the re-use of data held by the public sector and of publicly funded research data made publicly available through repositories.

The Interoperable Europe initiative seeks to introduce a cooperative interoperability policy for a modernised public sector.

The European Data Act complements the Data Governance Act, which aims to facilitate the voluntary sharing of data by individuals and businesses and harmonises conditions for the use of certain public sector data, without altering material rights on the data or established data access and usage rights.

The European Data Act complements the proposal for a Digital Markets Act, which requires certain providers of core platform services identified as ‘gatekeepers’ to provide, inter alia, more effective portability of data generated through business and end users’ activities.

