8 minute read | February.01.2024
This Essential Guide to the European Data Act is part of Orrick's Cybersecurity & Privacy Compass Series. The Cybersecurity & Privacy Compass is your global guide to the evolving cybersecurity and privacy regulatory landscape.
In this guide, we answer pressing questions about the European Data Act, including what the Data Act covers, who is impacted, the law's objectives, rights and obligations created by the act, legislative status and recommended next steps for companies.
The Data Act is the European Union regulation on harmonised rules on fair access to and use of data ("Data Act"). It is one of the key measures intended to make more data available to the private and public sectors. The Data Act complements the Data Governance Act adopted in 2022, which was the first deliverable under the European strategy for data.
While the Data Governance Act creates the processes and structures to facilitate sharing data, particularly in the public sector, the Data Act sets up new rules for how users of connected products and related services can use the generated data—and how and under which conditions data holders can generate economic value from such data.
The Data Act provides horizontal rules, i.e., rules across all economic sectors and situations. It aims to:
It remains to be seen whether these goals can be achieved, particularly the stimulation of a competitive data market. It also remains to be seen how the economy will adopt and implement the new rules into connected devices.
The Data Act aims to make more data available and remove barriers to a functioning market for data. It should allow users of connected products to access data the devices generate while in use and to share the data with third parties providing aftermarket or other data-driven services. By regulating switching between data processing services and developing interoperability standards, the act aims to avoid vendor lock-ins.
The Data Act sets out numerous provisions that concern personal and non-personal data. Most importantly, the regulation:
The Data Act applies to a wide range of people and organizations, including:
Because the term "user" includes natural and legal persons, the Data Act's obligations apply to business-to-consumer as well as business-to-business relationships and to public entities.
Micro-, small- and medium-sized enterprises ("MSMEs") are partially exempted from the obligations of the Data Act.
The rights and obligations under the Data Act include:
Obligation to Inform, Share Data and Provide Data in Standard Formats
Where a user cannot directly access data from the connected product or related service, the Data Act requires data holders to make data accessible or have data shared upon request without undue delay, in a common and machine-readable format, free of charge and, where relevant and feasible, continuously and in real-time.
Along with this obligation, the provider of a connected product or related service must provide information so the user better understands in advance to what extent data can be provided. In specific circumstances, data recipients have a right to receive data from the data holder. Where a data holder is obliged to disclose data to a recipient, either under the terms of the Data Act or other EU or national law, the data holder must do so on terms that are fair, reasonable and non-discriminatory (FRAND). Any compensation for making data available shall also be reasonable. Where the data recipient is a MSME or non-profit research organization, under certain circumstances, compensation must not exceed the costs directly related to making the data available.
By requiring data to be provided in a comprehensive, structured, commonly used and machine-readable format, the Data Act removes barriers to use data and promotes the implementation of technical standards.
Incentives for Investing in Data
The Data Act maintains incentives for data holders to continue to invest in high-quality data generation by covering their transfer-related costs and excluding direct competitors from the ability to access and use data.
Public Sector Entities' Right to Access Data
Public sector entities have the right to request and obtain data stored by a data holder where they can demonstrate an exceptional need. A data holder receiving a request for access to data is required to make the data available at no cost and without undue delay (exceptions apply to MSME). Among other things, the entity must specify the data required, the duration of use and the purpose for which the data is requested.
Facilitating Data Portability
The Data Act requires providers of data processing services to enable customers to switch to another data processing service, covering an equivalent service, which is provided by a different provider of data processing services. The Data Act thus complements the right of data portability provided in Art. 20 of the General Data Protection Regulation ("GDPR"). Providers of a data processing service shall not impose and shall remove commercial, technical, contractual and organisational obstacles that inhibit customers from terminating, concluding new contractual agreements, porting the customer’s exportable data and achieving functional equivalence in the use of the new service in the IT environment of the different provider. For example, the Data Act requires covered entities to allow customers to switch data with a maximum transitional period of 30 days.
Rebalancing Rights of MSMEs
The Data Act contains measures to rebalance the negotiation powers for MSMEs in contracts concerning access to and use of data. These measures include provisions according to which contractual terms shall not be binding where access and use of data or the liability and remedies for a breach have been unilaterally imposed on another entity if these terms are deemed to be unfair. A contractual term will be deemed unfair if its use grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing. These requirements will be particularly relevant to data licensing agreements and essential to developing certain forms of AI models.
The Data Act was enacted on 11 January 2024. While some of the rules will apply 32 or 44 months after it was enacted, most rules of the Data Act will apply 20 months from the date of its passing. This means most rules of the Data Act will start to apply in the EU on 11 September 2025.
Companies should consider:
This Essential Guide was first published in June 2023. It was updated after the European Data Act was passed on 11 January 2024. If you have questions about the European Data Act, reach out to our authors (Julia Apostle, Christian Schröder, Robert Weinhold, and Yumiko Olsen) or other members of the Orrick team.