1. Introduction
If Sara rents a car from Sunny Wheels, which in turn bought the car from Omni Motors, both Sunny Wheels (as owner) and Sara (as temporary user) have co-created some kind of data through the rented car. This data may include machine-readable information, including driving patterns, route preferences, location data, and vehicle performance (“Data”) that can be used to create value for Sunny Wheels and Sara in addition to the data holder, Omni Motors. The EU Data Act applies to such Data, co-created by users’ use of Connected Products and Related Services.
A ‘Connected Product’ is any product that can collect data about its use or environment and can communicate that data via some means: electronic, physical, or on-device. A ‘Related Service’, on the other hand, is a digital service connected with a Connected Product such that its absence would prevent the Connected Product from performing one or more functions, or which is subsequently added by the manufacturer or a third party to update or enhance the functions of the Connected Product.
The rapid growth of Connected Products and Related Services on the European market has significantly increased the volume of data generated by their use. To harness the potential of this data, the European Commission has introduced the Data Act, which officially entered into force on January 11, 2024. The Data Act creates new rules on who can access and use data generated in the EU across all economic sectors. It aims to ensure fairness in the allocation of value from data, stimulate a competitive data market, open opportunities for data-driven innovation, and make data more accessible to all users. It focuses primarily on industrial, non-personal data, but is relevant to data protection where personal data may form part of the generated data. The Data Act complements the Data Governance Act (DGA), which became applicable in September 2023. Both pieces of legislation form part of the broader European Strategy for Data (2020), which aims to make the EU a leader in a data-driven society while safeguarding individual rights and promoting fair competition in data markets.
2. Key Terms
- User: A natural or legal person that owns a connected product, has temporary rights to use it under a contract (e.g., through rent or lease), or receives related services.
- Data Holder: A natural or legal person that has the right or obligation under the Data Act, or any other applicable law, to use and make available the product data or related services data. A manufacturer is typically a data holder but can outsource this role. A related service provider can also be a data holder.
- Data Recipient: A natural or legal person (other than the user) to whom the data holder makes data available, including a third party following a user's request or a legal obligation.
- Product Data: Data generated by the use of a connected product that the manufacturer designed to be retrievable by a user, data holder, or a third party. This includes raw and pre-processed data.
- Related Service Data: Data obtained by digitisation of user actions or events related to the connected product, recorded intentionally by the user or generated as a by-product of the user's action. This also includes raw and pre-processed data.
- Data Processing Service: A digital service that provides customers with on-demand access to shared computing resources over the internet. Users can access and adjust computing power, storage, and software applications as required without having to purchase or maintain the underlying technology infrastructure. This includes Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) models.
3. Scope of the Data Act
A. Data in Scope
The Data Act applies primarily to non-personal data, specifically:
- Generated Data: Data created through the use of connected products or related services, and of a related virtual assistant, including the metadata necessary for interpreting the generated data.
- Processing Service Data: Data handled by cloud and edge computing services.
- Public Emergency Data: Private sector data required for emergency response or public interest tasks. Non-emergency cases only cover non-personal data.
B. Entities Within Scope
- Manufacturers and Service Providers: Entities placing Connected Products or Related Services on the EU market, regardless of location.
- EU Users: Users within the Union utilizing Connected Products or Related Services.
- Data Holders: Data holders worldwide making data available to EU recipients.
- Data Recipients: Recipients in the Union receiving data under the Act.
- Public Sector Bodies: EU institutions and public bodies requesting data for exceptional needs.
- Providers of Data Processing Services: Including cloud services serving Union customers.
- Data Space Participants: Smart contract vendors and deployment facilitators executing agreements within this framework.
- Cross-Border Application: Once a product is placed on the EU market, all of its data is covered, including data generated outside the EU.
4. Key Objectives of the Data Act
The main objective of the Data Act is to regulate the use of and access to data (and metadata) generated through connected products and related services, and to impose general requirements on cloud computing providers to facilitate switching between providers. The Act also aims to ease switching between providers of data processing services by giving both individuals and businesses more control over their data through a reinforced portability right, that is, the ability to copy or transfer data easily across different services, where the data is generated through smart objects, machines, and devices.
5. Key Requirements
The key requirements under the Data Act are:
A. Data Holders Must:
- Enable Access, Portability, and Third-Party Sharing: Provide users and their chosen third parties with direct access to product-generated data and the right to data portability while designing products for accessibility by default.
- Protect Trade Secrets: Disclose protected data only when confidentiality is maintained by all parties.
- Invalidate Unfair Terms: Avoid contractual terms restricting data access or use.
- Serve Public Needs: Provide data to public bodies during exceptional circumstances, including emergencies and public interest tasks.
- Allow Research Sharing: Permit public bodies to share data for non-commercial scientific research and statistical purposes under specific conditions.
- Apply Fair Pricing: Provide data free of charge to users and in public emergencies; charge reasonable compensation to other recipients based on collection costs, enterprise size, and Commission guidelines.
- Respect Commercial Boundaries: Refrain from using product data to analyze user economics or undermine commercial positions.
B. Users’ Rights and Obligations:
- Maintain Security: Avoid using data in ways that compromise connected product or service security.
- Prevent Competition: Refrain from using or sharing data to develop competing products.
- Respect Gatekeeper Restrictions: Do not share data with Digital Markets Act gatekeepers.
- Monetization: Users may receive compensation for granting access to their non-personal data.
- Transparency: Users must receive clear information about data generation before purchasing the product.
- Unfair Terms Protection: Users are protected from unfair contractual terms imposed by data holders.
- Redress: Users can lodge complaints with authorities or initiate legal proceedings for violations.
- Historical Data: Second-hand product users can access historical data while respecting previous users' rights.
C. Third Parties (when receiving data at the user's request) Must:
- Purpose Limitation: Process data only for the purposes and under the conditions agreed upon with the user.
- No Competing Product Development: Not use the received data to develop a connected product that competes with the connected product from which the data originates, or share data for that purpose.
- No Sharing with Gatekeepers: Not make the data they receive available to undertakings designated as 'gatekeepers' under the Digital Markets Act (DMA).
- No Profiling (unless necessary): Refrain from using data to profile individuals unless strictly necessary to provide the service requested by the user, respecting GDPR.
- Data Erasure: Erase the data when it is no longer necessary for the agreed purpose, unless otherwise agreed for non-personal data.
- Confidentiality: Implement agreed-upon measures to preserve the confidentiality of trade secrets.
- No Abuse: Not use coercive means or abuse gaps in the data holder's technical infrastructure to obtain data.
6. Important Dates
- Most provisions of the Data Act will apply on September 12, 2025. Connected Products already on the market or newly placed on it must allow Users to access their data, and rules on unfair business-to-business contract terms will apply to contracts concluded thereafter.
- On September 12, 2026, specific design obligations will take effect, requiring new Connected Products and Related Services to be built so that data, by default, is easily, securely, and freely accessible to the Users.
- By January 12, 2027, providers of Data Processing Services will no longer be allowed to impose any switching charges (including data egress fees), with limited exceptions for multi-cloud usage.
- Furthermore, from September 12, 2027, the rules on unfair contractual terms will extend to older contracts that were made on or before September 12, 2025, if they are of indefinite duration or set to expire at least 10 years from January 11, 2024.
- By September 12, 2025, Member States must inform the European Commission about national rules concerning penalties for non-compliance with the Data Act.
7. Relationship with Other Legal Frameworks
The Data Act is a horizontal piece of legislation designed to interact with and complement existing EU legal frameworks, particularly in the digital domain.
- General Data Protection Regulation (GDPR): GDPR fully applies to all personal data processing under the Data Act. While the Data Act enhances data sharing within the EU’s data economy, it does not regulate personal data protection directly. In any conflict, GDPR rules prevail (Article 1(5) of the Data Act), and no Data Act provision should diminish personal data protection rights. Data protection authorities retain full competence to enforce personal data protection under the Data Act framework. Article 37(3) empowers DPAs to monitor Data Act compliance using their existing GDPR powers, including assessing data portability requests, qualifying personal data, and verifying legal bases for data sharing. This ensures data subjects can address all personal data grievances through a single authority rather than navigating between multiple enforcement bodies. The Commission promotes collaboration between data enforcement authorities, including through EDPS and EDPB membership in the European Data Innovation Board, integrating personal data protection into broader EU data governance policy.
- Data Governance Act (DGA): The Data Act complements the DGA. While the DGA regulates processes and structures that facilitate voluntary data sharing, the Data Act clarifies who can create value from data and under which conditions. Data intermediation services, regulated by the DGA, can support users in exercising their data rights under the Data Act.
- Trade Secrets Directive: The Data Act does not modify the legal protections for trade secrets provided by this Directive. Instead, it provides a framework that balances data sharing with the need to preserve confidentiality, introducing mechanisms like the “trade secrets handbrake”.
- Digital Markets Act: The Data Act and Digital Markets Act work together as complementary components of the EU’s digital strategy. The DMA prevents large tech gatekeepers from abusing their market dominance through anti-competitive data practices, while the Data Act provides the broader cross-sectoral framework for data portability and sharing rights that reduces user dependencies on dominant platforms and supports overall market contestability in the digital economy.
8. Implementation Scenarios
The Data Act is expected to have a significant impact across various sectors, enabling new services and improving existing ones. Here are some practical scenarios:
- Trade Secrets "Handbrake": When a data holder receives a request to share data containing trade secrets, they must identify them and agree on confidentiality measures with the user/third party. If no agreement is reached or measures are breached, the data holder can withhold or suspend sharing. In exceptional cases, they can refuse if serious economic damage is highly likely despite safeguards.
- Manufacturer as Data Holder: While manufacturers are typically data holders, their role can be outsourced. For example, a manufacturer might contract another entity to be the data holder for all or part of its connected products. The key determinant of who is the data holder is who controls access to the readily available data, not who produced the hardware or software.
- Data Enrichment and Privacy: Applying privacy-enhancing technologies (PETs) like anonymization or pseudonymization to data does not automatically transform it into inferred or derived data, which would exclude it from Chapter II obligations. PETs are investments made for privacy protection, not to assign values or derive insights. These technologies can be useful when a data holder needs to respond to a request under Article 4 or 5 and there are multiple data subjects or the requesting user is not the data subject (e.g., a rented car).
9. Exclusions
The Data Act includes numerous exclusions balancing data availability with intellectual property and business considerations. Key exemptions include:
- IP-Protected Content: Textual, audio, or audiovisual material with intellectual property rights.
- Proprietary Algorithms: Highly enriched data from proprietary algorithms and prototypes.
- Infrastructure Data: Infrastructure-generated data, unless users hold ownership rights.
- Jurisdictional Limits: The Act excludes data pertaining to public security, defense, criminal matters, customs, taxation, and other areas outside Union law.
- Micro/Small Enterprise Relief: Micro and small enterprises are exempt from Chapter II obligations unless partnered with larger entities.
- Medium Enterprise Transition: Medium enterprises receive a one-year transition period for compliance.
- SME Public Sector Protection: SMEs are exempt from non-emergency public sector data requests, with compensation limited to direct costs.
- Custom Services: Custom-built and testing versions of data processing services are exempt from switching obligations.
- Emergency Compensation: SMEs can claim compensation even in emergencies.
10. Conclusion
The Data Act establishes a comprehensive framework for mandatory data sharing from connected devices. It empowers users with enforceable data portability rights. The Act addresses market imbalances that favor SMEs over dominant platforms. It eliminates technical, financial, and contractual barriers that prevent customers from switching cloud service providers. This includes phasing out switching fees and mandating data portability. The Act creates competitive dynamics in data-dependent markets. It operates harmoniously within the EU's broader data governance ecosystem alongside GDPR and the DGA. This advances a unified, competitive single market for data.