European Data Act: Harmonised Rules on Fair Access to and Use of Data

8 minute read | February.01.2024

This Essential Guide to the European Data Act is part of Orrick's Cybersecurity & Privacy Compass Series. The Cybersecurity & Privacy Compass is your global guide to the evolving cybersecurity and privacy regulatory landscape.

In this guide, we answer pressing questions about the European Data Act, including what the Data Act covers, who is impacted, the law's objectives, rights and obligations created by the act, legislative status and recommended next steps for companies.

What are the objectives of the Data Act?
Who is impacted?
What rights and obligations are created under the Act?
What is the legislative status?
What are the action items?

What are the objectives of the Data Act?

The Data Act is the European Union regulation on harmonised rules on fair access to and use of data ("Data Act"). It is one of the key measures intended to make more data available to the private and public sectors. The Data Act complements the Data Governance Act adopted in 2022, which was the first deliverable under the European strategy for data.

While the Data Governance Act creates the processes and structures to facilitate sharing data, particularly in the public sector, the Data Act sets up new rules for how users of connected products and related services can use the generated data—and how and under which conditions data holders can generate economic value from such data.

The Data Act provides horizontal rules, i.e., rules across all economic sectors and situations. It aims to:

ensure fairness in allocating value in the digital environment;
stimulate a competitive data market;
open opportunities for data-driven innovation; and
make data more accessible.

It remains to be seen whether these goals can be achieved, particularly the stimulation of a competitive data market. It also remains to be seen how the economy will adopt and implement the new rules into connected devices.

The Data Act aims to make more data available and remove barriers to a functioning market for data. It should allow users of connected products to access data the devices generate while in use and to share the data with third parties providing aftermarket or other data-driven services. By regulating switching between data processing services and developing interoperability standards, the act aims to avoid vendor lock-ins.

The Data Act sets out numerous provisions that concern personal and non-personal data. Most importantly, the regulation:

creates a data access and sharing regime for data generated by connected devices;
stipulates contractual requirements for data sharing agreements;
creates a regime for public entities;
creates rights for customers and obligations for providers of data processing services (e.g., cloud service provider) regarding the ability to switch to another service provider;
introduces safeguards against unlawful third-party access to non-personal data (e.g., by requiring the implementation of technical protective measures); and
provides a framework to develop interoperability standards for data to be accessed.

Who is impacted?

The Data Act applies to a wide range of people and organizations, including:

manufacturers of connected products (Internet of Things, e.g., connected cars, smart-home devices, medical devices and smart and connected consumer goods as well as industrial machinery), and providers of related services, where such products and services are placed in the market in the European Union ("EU") (e.g., platform services related to connected products, e.g., smartwatch providers),
users of connected products or related services in the EU,
data holders defined as natural or legal persons (e.g., people and companies) with the right or obligation to use and make data available,
data recipients, defined as natural or legal persons to whom data holders make data available to non-users for commercial purposes,
public sector bodies of EU member states or institutions, agencies or bodies of the EU that request data holders to make data available in case of exceptional needs (e.g., public emergencies),
providers of data processing services (in particular cloud-services such as SaaS, PaaS, IaaS as governed by the EU Cloud Strategy and edge service providers as included in the European strategy for data) providing such services to customers in the Union, and
participants in data spaces, vendors of applications using smart contracts and persons whose trade, business or profession involves the deployment of smart contracts for others.

Because the term "user" includes natural and legal persons, the Data Act's obligations apply to business-to-consumer as well as business-to-business relationships and to public entities.

Micro-, small- and medium-sized enterprises ("MSMEs") are partially exempted from the obligations of the Data Act.

What rights and obligations are created under the Act?

The rights and obligations under the Data Act include:

Obligation to Inform, Share Data and Provide Data in Standard Formats

Where a user cannot directly access data from the connected product or related service, the Data Act requires data holders to make data accessible or have data shared upon request without undue delay, in a common and machine-readable format, free of charge and, where relevant and feasible, continuously and in real-time.

Along with this obligation, the provider of a connected product or related service must provide information so the user better understands in advance to what extent data can be provided. In specific circumstances, data recipients have a right to receive data from the data holder. Where a data holder is obliged to disclose data to a recipient, either under the terms of the Data Act or other EU or national law, the data holder must do so on terms that are fair, reasonable and non-discriminatory (FRAND). Any compensation for making data available shall also be reasonable. Where the data recipient is a MSME or non-profit research organization, under certain circumstances, compensation must not exceed the costs directly related to making the data available.

By requiring data to be provided in a comprehensive, structured, commonly used and machine-readable format, the Data Act removes barriers to use data and promotes the implementation of technical standards.

Incentives for Investing in Data

The Data Act maintains incentives for data holders to continue to invest in high-quality data generation by covering their transfer-related costs and excluding direct competitors from the ability to access and use data.

Public Sector Entities' Right to Access Data

Public sector entities have the right to request and obtain data stored by a data holder where they can demonstrate an exceptional need. A data holder receiving a request for access to data is required to make the data available at no cost and without undue delay (exceptions apply to MSME). Among other things, the entity must specify the data required, the duration of use and the purpose for which the data is requested.

Facilitating Data Portability

The Data Act requires providers of data processing services to enable customers to switch to another data processing service, covering an equivalent service, which is provided by a different provider of data processing services. The Data Act thus complements the right of data portability provided in Art. 20 of the General Data Protection Regulation ("GDPR"). Providers of a data processing service shall not impose and shall remove commercial, technical, contractual and organisational obstacles that inhibit customers from terminating, concluding new contractual agreements, porting the customer’s exportable data and achieving functional equivalence in the use of the new service in the IT environment of the different provider. For example, the Data Act requires covered entities to allow customers to switch data with a maximum transitional period of 30 days.

Rebalancing Rights of MSMEs

The Data Act contains measures to rebalance the negotiation powers for MSMEs in contracts concerning access to and use of data. These measures include provisions according to which contractual terms shall not be binding where access and use of data or the liability and remedies for a breach have been unilaterally imposed on another entity if these terms are deemed to be unfair. A contractual term will be deemed unfair if its use grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing. These requirements will be particularly relevant to data licensing agreements and essential to developing certain forms of AI models.

What is the legislative status?

The Data Act was enacted on 11 January 2024. While some of the rules will apply 32 or 44 months after it was enacted, most rules of the Data Act will apply 20 months from the date of its passing. This means most rules of the Data Act will start to apply in the EU on 11 September 2025.

What are the action items?

Companies should consider:

Conducting an assessment as soon as possible regarding whether and how the Data Act rules apply to their business.
If the Data Act applies, companies providing connected products and/or related services should assess:
- The consequences for their businesses.
  - This is particularly true for data holders who will be obligated to develop the technical means to allow data access in a comprehensive, structured, commonly used and machine-readable format.
  - This may require updating standards for data storage and structure, and companies may also have to consider developing connected products in a way that allows users to access data directly.
  - Implementing new functions into products and converting production processes often takes time. Hence, this assessment should be a high priority.
  - Companies will need to consider the effects with the responsible product owners and product development teams.
- The need to prepare a comprehensive data notice and consider including the requirements of the Data Act and the GDPR.
- Whether contractual terms provide for any terms that might be deemed unfair or void according to the Data Act.
- Whether its technical protection measures are sufficient against unauthorised use and disclosure of data.
Companies outside the EU that provide connected products and/or related services should determine whether they are required to appoint a legal representative in the EU.

This Essential Guide was first published in June 2023. It was updated after the European Data Act was passed on 11 January 2024. If you have questions about the European Data Act, reach out to our authors (Julia Apostle, Christian Schröder, Robert Weinhold, and Yumiko Olsen) or other members of the Orrick team.

Authors

Julia Apostle Partner, Technology Transactions, Cyber, Privacy & Data Innovation

Paris

See my bio

D:+33153537500
E: [email protected]

Practice:

Technology & Innovation Sector
Technology Transactions
Cyber, Privacy & Data Innovation
Technology & Innovation

vCard

See full bio

Julia Apostle Partner

Paris

Julia counsels on compliance issues in relation to European and French tech and data regulations, including the GDPR, the Digital Services Act, the regulation of AI, the Data Act and other new and emerging legislation impacting online platforms, technology developers, and eCommerce businesses. She advises companies of all sizes on a wide range of compliance matters, ranging the drafting of internal policies, to assisting with regulatory investigations, and product counseling.

In the context of strategic transactions covering significant and complex technological issues, she is involved in the drafting and negotiation of agreements relating to data transfer, IT, software, content and brand licensing.

Qualified to practice in the UK and France, Julia is deeply familiar with the commercial considerations’ clients face, having practiced in-house at Twitter, Financial Times and CBS for more than a decade prior to joining Orrick.

Dr. Christian Schröder Partner, Cyber, Privacy & Data Innovation, Technology Transactions

Düsseldorf

See my bio

D:+49 211 3678 7269
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Technology Companies Group
Automotive Technology & Mobility
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Dr. Christian Schröder Partner

Düsseldorf

Christian helps clients consider the privacy and artificial intelligence implications of new technology, supports their compliance programs, and helps them stay ahead of enforcement trends. One particular focus of his work deals with internal data transfer agreements, external data transfers with external providers, and product launches that comply with international data protection standards, as well as privacy requirements for connected cars. Furthermore, Christian provides guidance on privacy and data protection considerations for developing, acquiring, using, licensing and selling technology, data and intellectual property, including M&A transactions and IP focused joint ventures. He supports companies on the set-up of webshops, outsourcings, license agreements, in cases of trademark or unfair and deceptive trade practice issues, as well as on hard and software license and information technology (IT) project agreements.

Christian maintains strong working relationships with German data protection authorities and EU regulatory authorities with jurisdiction over privacy and data security matters. He effectively defends companies in cybersecurity and privacy-related investigations initiated by EU regulatory authorities. He also engages with authorities on behalf of clients and helps clients avoid proceedings and possible litigation. When litigation can't be avoided, Christian vigorously defends his clients.

For companies facing global cybersecurity incidents, Christian helps with crisis mitigation, including counseling on notification requirements, coordinating media strategies, and representing clients before data protection authorities in related regulatory investigations.

Christian regularly contributes practical thought leadership to global privacy industry publications and German privacy books and journals. Christian authors the Chapter V (international data transfers) of Germany’s leading GDPR commentary Kühling/Buchner (4th ed.) and is co-author to the Corporate Privacy Handbook (Betrieblicher Datenschutz). As an active member of the Sedona Conference, Christian drives the development and understanding of cross border privacy. He also participates in, hosts and moderates speaking programs with fellow private practitioners, EU data protection authorities, and academics focused on privacy and data security. Legal 500 Germany named Christian one of the top 15 practitioners in 2023 and noted that he is "a pioneer in the legal field, a data protection guru." They also recognized Christian and Orrick as "truly global" and how that it is "vital as they require the various leaders of each region to participate and bring issues to the table as a forum".

Prior to working in private practice, Christian interned with the German Federal Data Protection Commissioner and www.epic.org.

Robert Weinhold Senior Associate, Technology Companies Group, Technology Transactions

Düsseldorf

See my bio

D:+49 211 3678 7158
E: [email protected]

Practice:

Technology & Innovation Sector
Technology Companies Group
Technology Transactions
General Data Protection Regulation
Intellectual Property
Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Robert Weinhold Senior Associate

Düsseldorf

Robert has always been fascinated by new technologies and digitization. Pursuing his fascination, he focused his legal studies on media law, intellectual property law and data protection law. Prior to working at Orrick, he also gained experience by founding a company that provided a software as a platform solution and working for a German venture capital investor. His legal advice on technology transactions—in particular, SaaS and IP agreements, e-commerce-related topics, related assistance in mergers and acquisitions or core data privacy—thus reflects not only his legal experience but also his experience and fascination with new technology. Being an IT and IP lawyer with a very commercial mindset, Robert drafts and negotiates all sorts of IT and IP agreements, for small to medium companies and large multinationals. He advises on privacy compliance—in particular drafts, privacy policies, and national as well as international data processing agreements—or provides his knowledge with the assessment of the IP/IT and privacy matters in M&A transactions.

He joined Orrick in 2017 after working as a scientific researcher in the field of Data Privacy.