
The European Parliament Adopted the Final Version of the Data Act

26 November 2023

On 9 November 2023, the European Parliament adopted the final text of the Data Act, which will introduce a new regulatory regime that applies to data, including non-personal data.

The Data Act, first introduced in February 2022, notes that while “data is a core component of the digital economy”, most data remain unused, or their value is concentrated in the hands of relatively few large companies. The Data Act therefore aims to remove barriers to a well-functioning European data economy by specifying who is entitled to use data generated by products and services, under which conditions and on what basis.


Application

The Data Act applies to manufacturers or providers of connected products or related services (the “Regulated Services”) offered in the EU, as well as to European users of the Regulated Services.

Regulated Services include (a) products that obtain, generate or collect data in a digital manner and are capable of communicating that data (often referred to as the Internet of Things); and (b) digital services inherent to the function of the products.

Additionally, the act applies to data holders making data available to data recipients in the EU, as well as to said data recipients. The data holder is the entity that has the right to use and make available data received during the provision of the Regulated Services.

Moreover, the Data Act applies to providers of data processing services (mainly, infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS)), provided to customers in the EU.

Under the act, ‘user’ means both natural and legal persons; therefore, most provisions of the act apply to both B2B and B2C relationships.


Main obligations and duties under the Data Act

1. Access to Data by design and by default: Manufacturers and providers of the Regulated Services must ensure that they are designed and provided in such a manner that data produced by them, including the relevant metadata necessary to interpret and use those data (collectively, “Data”), are by default always easily and securely accessible to a user, free of charge, in a comprehensive, structured, commonly used and machine-readable format.

2. Transparency: The Data Act provides that the basis for using non-personal data by the data holder is a contract between the data holder and the user, as opposed to the legal bases for using personal data, which are determined under the provisions of the General Data Protection Regulation (“GDPR”). Consequently, according to the act, a contract for the provision of Regulated Services to users must include, inter alia, the following details: the type, format and volume of Data generated by the Regulated Services, and which will be available to the data holder; the intended duration of retention of the Data; how the user may access, retrieve or erase the Data; the purposes for which the data holder intends to use the Data (such purposes could include improving the functioning of the Regulated Services, or developing new products or services); and the identity of the prospective data holder and its means of communication.

3. User’s right to access Data: Data holders shall allow users to access the Data directly from the Regulated Services. If such access is not feasible, then the data holder shall make the Data available to the user, on the basis of a simple request mechanism, without undue delay, of the same quality as is available to the data holder, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format and, where relevant and feasible, continuously and in real-time.

4. User’s right to share Data with third parties: Data holders shall make Data available to third parties, upon a user’s request, without undue delay, ensuring the same quality as is available to the data holder, easily, securely and free of charge to the user.

A third party shall process the Data made available to it only for the purposes and under conditions agreed with the user. Processing of personal data generated by the Regulated Services shall be in accordance with the principles of the GDPR.

5. Data sharing agreement with data recipient: In B2B relations, data holders must make data available to others based on fair, transparent, reasonable, and non-discriminatory contracts.

The act outlines terms considered (or presumed to be) unfair, and therefore not binding, for example, terms which exclude the remedies available to the party upon whom the term has been unilaterally imposed in the case of non-performance of contractual obligations.

6. Switching between data processing services: Providers of data processing services (mainly, infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS) – not only related to Regulated Services) must allow customers to switch to other providers while maintaining a minimum functionality of service and without downtime of services, and to use the services of several providers simultaneously without undue obstacles and data transfer costs.

7. Making Data available to public sector bodies: Data holders shall provide Data to public sector bodies and EU bodies in cases of ‘exceptional need’ to carry out statutory duties in the public interest. The ‘exceptional need’ is limited in time and scope and arises under specific circumstances defined in the Act, such as responding to a public emergency when no alternative means of obtaining data are available.

8. Penalties: Administrative fines for infringing the act shall be up to EUR 20M or 4% of the total worldwide annual turnover.

It should be noted that some of the main obligations under the Data Act (e.g., access to data by design and by default; transparency; and user’s right to access and share data) do not apply to Regulated Services provided by microenterprises or small enterprises. Similar exclusions apply to certain medium-sized enterprises for one year following the placement of the Regulated Services on the market.


The relationship of the Data Act with existing laws on privacy

The Data Act is without prejudice to the GDPR and Directive 2002/58 on Privacy and Electronic Communications (the ePrivacy Directive). The Act complements the rights of access and data portability under Articles 15 and 20 of the GDPR. In the event of a conflict between the Act and EU or national law on the protection of personal data or privacy, the law on the protection of personal data or privacy will prevail.


Next steps

The Data Act is pending a final vote in the Council of the EU, which is expected shortly. Then, it will come into effect on the 20th day following its publication in the Official Journal of the European Union, with most of its provisions applying 20 months thereafter.

Companies offering IoT products (or related services) in Europe, through which users’ Data is generated, as well as data processing service providers, should evaluate their exposure to the Act.

Feel free to contact us if you have any questions regarding the Data Act and its practical implications.
