In today’s digital age, data is the new currency. The European Union recognises this and has introduced the European Data Act, a set of new rules that will revolutionise the way data generated by connected devices is shared and used. Consumers and businesses will be able to access their devices’ data and use it for aftermarket and value-added services. Business and industrial players will have more data available and will benefit from a competitive data market. Aftermarket services providers will be able to offer more personalised services – and compete on equal footing with comparable services offered by manufacturers – while industrial data can be combined to develop entirely new digital services as well.

Summary

  • The European Data Act: The Data Act is a new EU law that aims to create a fair and competitive data market by facilitating data sharing and reuse across sectors and stakeholders.
  • Data sharing obligations: The Data Act imposes obligations on manufacturers of connected devices and providers of related services to make data accessible to users and third parties, under certain conditions and exceptions.
  • Unfair contractual terms: The Data Act prohibits contractual terms that are unilaterally imposed and grossly deviate from good commercial practice, and it provides examples of such terms.
  • Making data available to public sector bodies: The Data Act sets out the framework for making data available, free of charge, to public sector bodies where there is an exceptional need for the data to be used for a specific public interest task.
  • Switching between cloud and edge services: The Data Act includes new rules allowing customers to switch between different data processing providers without undue delay or cost, and to port their data and digital assets to another provider or their own infrastructure.
  • International transfers of nonpersonal data: The Data Act extends the obligations for international data transfers under the General Data Protection Regulation (GDPR) and the Schrems II ruling to providers of data processing services, and it requires them to implement appropriate safeguards to prevent incompatible or unlawful access by third governments.

In order to be able to adhere to any data sharing requests, companies should ensure they have appropriate mechanisms and policies in place to quickly, securely, and in a comprehensive and structured manner extract any data (including the metadata necessary to interpret such data) from their connected devices. Companies also should review their contracts to ensure there are no terms which could be deemed unfair pursuant to the Data Act.

Part of EU’s data strategy

Being a key element of the EU’s data strategy, the Data Act intends to lead to new, innovative services and more competitive prices for aftermarket services. According to the European Commission, the Data Act will make more data available for reuse, and it is expected to create 270 billion euros of additional gross domestic product by 2028.

Complementing the Data Governance Act, which sets out the processes and structures to facilitate data sharing by companies across the EU and between sectors, the Data Act clarifies who can create value from industrial data and under which conditions. The Data Act also aims to put users and providers of data processing services on more equal footing in terms of access to data.

The Data Act goes beyond current restrictions regarding the processing of personal data, particularly under the GDPR, extending the new regulations to nonpersonal data.

Phased applicability

The Data Act will come into force on 11 January 2024, following its publication in the Official Journal on 22 December 2023. From 12 September 2025 onwards, most of its rules will begin to apply, though some rules will take effect later.

Whom it applies to

The Data Act will apply to the stakeholders outlined in the table below.

StakeholdersDescription
Manufacturers and providersManufacturers of connected products placed on the market in the EU and providers of ‘related services’, irrespective of the place of establishment of those manufacturers and providers.
UsersUsers in the EU of connected products or related services.
Data holdersData holders, irrespective of their place of establishment, that make data available to recipients in the EU.
Data recipientsData recipients in the EU to whom data are made available.
Public sector bodiesPublic sector bodies, the European Commission, the European Central Bank and EU bodies that request data holders make data available where there is an exceptional need for those data for the performance of a specific task carried out in the public interest and to the data holders that provide those data in response to such request.
Cloud and edge providersProviders of data processing services, irrespective of their place of establishment, providing such services to customers in the EU.
Other stakeholdersParticipants in data spaces and vendors of applications using smart contracts, as well as persons whose trade, business or profession involves the deployment of smart contracts for others in the context of executing an agreement.

Data sharing

Historically, data generated by connected products were exclusively harvested by the manufacturers of those products, providing those manufacturers with a competitive advantage and leaving consumers with little choice with respect to aftermarket services. By imposing obligations on organisations to make product data and related services data accessible to its users, the Data Act aims to create a more competitive market and to give consumers the benefit of choice.

The Data Act includes specific measures to allow users to gain access to the data their connected products generate (including the relevant metadata necessary to interpret such data) and to share such data with third parties to provide aftermarket or other data-driven innovative services. The Data Act further sets out that such data should be accessible in an easy, secure, comprehensive and structured manner, and it should be free of charge and provided in a commonly used machine-readable format. The Data Act outlines that data holders should not make a user’s exercise of its choices with respect to their data unduly difficult by, for example, offering choices to the user in a non-neutral manner or by subverting or impairing the autonomy, decision-making, or choices of the user via the structure, design, function or manner of operation of a user digital interface.

The Data Act imposes certain obligations on third parties receiving data at the request of a user, including:

  1. Only using the data received for those purposes agreed with the user and to erase the data when it is no longer needed for those purposes.
  2. Not to make the data available to an organisation deemed to be a gatekeeper pursuant to the Digital Markets Act.
  3. Not to use the data in a manner which has an adverse impact on the security of the connected product or related services.
  4. Not to prevent the user who is a consumer from making the data available to other parties.

Note: Large online platforms designated as gatekeepers under the Digital Markets Act are not eligible third parties.

Micro and small companies have been excluded from the data sharing obligations. The same applies to data generated through the use of connected products manufactured by, or related services provided by, an enterprise that has qualified as a medium-sized enterprise for less than one year and to connected products for one year after the date on which they were placed on the market by a medium-sized enterprise.

While the concept of data sharing forms a fundamental part of the Data Act, there are limited circumstances where users and data holders may restrict or prohibit the access to data, use of data, or sharing of data. These limited circumstances include where the processing could undermine security requirements of the connected product, resulting in a serious adverse effect on the health, safety or security of natural persons.

Obligations for data holders that must make data available pursuant to EU law

Chapter III of the Data Act sets out the conditions – and compensation – under which data holders make data available to data recipients. In certain circumstances in business-to-business relations, the data holder shall agree with the data recipient on the arrangements for making data available and shall do so under fair, reasonable and nondiscriminatory terms and in a transparent manner. It further sets out that a data holder shall not discriminate regarding arrangements for making data available between comparable categories of data recipients. Where a data recipient considers the conditions pursuant to which data has been made available to them discriminatory, a data holder shall provide the data recipient with information to show there was no discrimination.

Unfair contractual terms

The Data Act sets out that any contractual terms concerning the access to and use of data or the liability and remedies for a breach or termination of data-related obligations that are unilaterally imposed on a micro, small- or medium-sized organisation will not be binding if that unilaterally imposed term grossly deviates from good commercial practice and is therefore deemed to be unfair.

Examples of contractual terms that will automatically be deemed to be unfair are laid out in Article 13 and include, where the objective or effect of the term is to:

  1. Exclude or limit liability of the party unilaterally imposing such excluded or limited liability for intentional acts or gross negligence.
  2. Give the party imposing the term an exclusive right to determine whether the data supplied are in conformity with the contract.
  3. Inappropriately limit the remedies in case of nonperformance of contractual obligations, limit liability in case of a breach of those obligations or extend the liability of the enterprise upon which the term has been unilaterally imposed.

Making data available to public sector bodies on exceptional need

Chapter V of the Data Act sets out the framework for making data available, free of charge, to public sector bodies where there is an exceptional need for the requested data to be used. The circumstances where an exceptional need arises are outlined in Article 15 and include:

  • Where the data is necessary to respond to a public emergency and the public sector body, European Commission, European Central Bank or EU body is unable to obtain such data by alternative means in a timely and effective manner under equivalent conditions.
  • Where the public sector body, European Commission, European Central Bank or EU body has exhausted all other means at its disposal to obtain such data, including purchase of nonpersonal data on the market by offering market rates, by relying on existing obligations to make data available, or by the adoption of new legislative measures which could guarantee the timely availability of the data.

Switching between data processing services

The Data Act includes new rules allowing customers to effectively switch between different cloud and edge service providers. The intention is to remove any obstacles – whether pre-commercial, commercial, technical, contractual or organisational – which inhibit customers from:

  1. Terminating the contractual agreement after the maximum notice period and the successful completion of the switching process.
  2. Concluding a new contract with a different service provider covering the same types of services.
  3. Porting the customer’s exportable data and digital assets to another provider of data processing services or to an on-premises information and communication technologies (ICT) infrastructure.
  4. Achieving functional equivalence in the use of the new data processing service in the ICT environment of a different provider of data processing services covering the same service type.
  5. Unbundling, where technically feasible, data processing services from other data processing services provided by the provider of data processing services.

The Data Act intends to tackle these issues by providing for contractual requirements that will need to allow the switching by a customer to another service provider or porting all exportable data and digital assets without undue delay – and in any event within 30 days after the expiry of a notice period of maximum two months – with full support and continuity of service during the transition.

In addition to these contractual measures, the Data Act sets out information obligations imposed on providers of data processing services, as well as a framework for gradually reducing the charges associated with switching to another service provider, ensuring that after three years of entry into force of the Data Act, the so-called exit service would have to be provided to the customer for free.

International transfers of nonpersonal data

Adopting a similar regime as the GDPR, the Data Act will extend the obligations for international data transfers under the GDPR and the Schrems II ruling by the Court of Justice of the European Union on providers of data processing services, who will need to implement appropriate safeguards to prevent international transfers of industrial data or access by a third government that would not be compatible with EU or national legislation.

Interoperability

The Data Act provides for the development of interoperability standards for industrial data to be reused between sectors, defining and setting out the essential requirements to facilitate interoperability of industrial data, data sharing mechanisms and services, as well as essential requirements regarding smart contracts for data sharing. It also regulates open interoperability specifications – such as architectural models and technical standards implementing rules and arrangements between parties fostering data sharing regarding matters such as rights to access and technical translation of consent or permission – and European standards for the interoperability of cloud service providers to promote a seamless multivendor cloud environment.

At Cooley, we will continue to unpack the Data Act via blog posts on the individual chapters in the law, so stay tuned for more.

Authors

Patrick Van Eecke

Yasmin Roland

Posted by Cooley