DATA ACT: A FIRST ANALYSIS TO PREPARE IN TIME FOR ITS ENTRY INTO FORCE
/in Innovation/by Giovanni GaetaThe Data Act. Introduction.
The Data Act was created to improve the European Union’s data economy and promote a competitive market by making data, especially industrial data, more accessible and usable.
The legislation aims to ensure fairness in the distribution of the value of data among the players in this economy by clarifying who can use what data and under what conditions.
The Data Act gives users of network-connected products (companies or individuals who own or lease such products) more control over the data they generate by providing incentives for those who invest in data technology. It also sets the general conditions for situations in which a company has a legal obligation to share data with another company.
In addition, the Data Act includes measures to increase fairness and competition in the European cloud market and to protect companies from unfair contractual clauses, imposed by contractually stronger parties, in relation to data sharing. It also establishes a mechanism through which, in cases of exceptional need, public bodies can request data from a company; providing clear rules on how such requests should be made. Furthermore, the Data Act introduces safeguards to prevent third country government bodies from accessing non-personal data where this would be contrary to EU or national law.
On the issues raised by the Data Act, it is also very important to note the presence of the European Commission’s FAQs, which, although they are not regulatory documents, are an excellent interpretative tool to navigate this topic.
The Data Act. Analysis of the legislation.
Following the general provisions (Chapter I) defining the scope of the regulation and key terms, the Data Act is structured in nine main chapters:
- Chapter II: Business-to-business and business-to-consumer data sharing in the context of IoT.
- Chapter III: Enterprise-to-Enterprise Data Sharing.
- Chapter IV: Protection against unfair contract terms.
- Chapter V: Data sharing between businesses and public administrations
- Chapter VI: Switching between data processing services
- Chapter VII: Protection against unlawful access to data by third country governments
- Chapter VIII: Interoperability in data flows
- Chapter IX: Enforcement through designated competent authorities
Chapter II: Business-to-business and business-to-consumer data sharing in the context of the IoT marketplace
A key objective of the Data Act is to create equity in the data economy and enable users to derive value from the data generated using the connected products they own or lease. This provision aims to ensure that users have access to their data generated through the daily use of IoT objects.
The standard allows users of connected products (such as connected cars, medical devices and industrial machinery) and related services (e.g. apps for managing product functionality) to access data co-created through the use of the product itself. The availability of such data will have a significant impact on the economy, as it can be used to develop after-sales services or new innovative services.
Connected products include:
- Consumer products: connected cars, wearable devices for health monitoring.
- Other products: aircraft, industrial robots.
Connected services may include applications that provide detailed analysis on the use of the product or assistance in managing its functionalities.
Chapter II applies to all types of data generated by the use of the related product or related service. This includes both personal data and non-personal data, such as metadata and information collected by sensors (e.g. temperature or location). However, derived or highly processed content is outside the scope of the law.
Users can access their own data generated through the connected product and decide whether to share it with third parties. The owner of the data must provide clear information about the rights to access and share their data.
It is not permitted to use this data to develop competing products. The rule also ensures that micro-businesses are not subject to the same obligations as large companies.
Chapter III: Rules on mandatory data sharing between companies
The Data Act introduces specific rules for cases in which a company has a legal obligation to share its data with another company. This is particularly relevant in the context of the increasing digitisation and interconnection of economic activities as well as the significant rise of the IoT sector.
Chapter III applies to all types of data held by an enterprise and is designed to ensure that the terms of sharing are fair and reasonable. Data owners may request reasonable compensation for making information available.
Compensation may include costs incurred in preparing and disseminating the requested data sets. Micro-enterprises and SMEs may not be charged higher costs than those incurred in making the data sets available.
The law provides for specific measures in the event of unlawful access or misuse of the information shared with the aim of protecting the rights holders of their data sets. This includes the possibility for the rights holder to request corrective measures such as ceasing production of the unlawfully used product or financial compensation.
Chapter IV: Protection against Unfair Contract Terms
Chapter IV of the Data Act is designed to protect all companies, in particular small and medium-sized enterprises (SMEs), from unfair contractual terms that might be imposed by stronger players in the market. This protection is key to ensuring a fair and competitive ecosystem where SMEs can operate without being subjected to undue pressure from larger companies.
The provisions of this chapter stipulate that contractual terms and conditions must be fair, clear and reasonable. It establishes specific criteria for identifying unfair terms, which may include terms that excessively restrict the rights of SMEs or impose obligations that are disproportionate to the benefits received.
In addition, the law requires that contractual terms be drafted in a comprehensible and accessible manner so that all parties involved can easily understand their rights and obligations. This approach aims to ensure that SMEs are not forced to accept disadvantageous conditions simply because they need access to certain services or data.
The law provides specific measures to deal with situations where unfair contractual terms are suspected. SMEs can challenge such clauses before the competent authorities or through dispute resolution mechanisms. In addition, the law encourages transparency in contracts by requiring larger companies to provide detailed information on contractual terms and the implications of proposed clauses.
These measures are intended to strengthen the position of SMEs in the market, enabling them to negotiate more favourable terms and compete more fairly with large players in the sector.
Chapter V: Data Sharing between Business and Government
Chapter V of the Data Act focuses on data sharing between the private sector and public administrations. This chapter is particularly relevant in situations of emergency or exceptional need, where timely access to data can improve the response of public authorities to critical events such as health crises or natural disasters.
Public administrations will be able to access certain data sets held by the private sector in order to make informed data-driven decisions. The law stipulates that such access must take place while respecting the rights of data owners and must be justified by a clear and urgent need.
Public administrations must follow specific procedures to request access to data, thus ensuring transparency and accountability in the process. Requests must be reasoned and documented, and data subjects must be informed of the purposes for which their data are requested.
To protect the rights of data owners, the law stipulates that access requests must respect the principles of proportionality and necessity. In addition, a redress mechanism is provided for data controllers if they consider that the request is unjustified or does not comply with the applicable regulations.
These provisions aim to ensure a balance between the need of public authorities to access data for legitimate purposes and the right of citizens to privacy and protection of their personal data.
Chapter VI: Transition from one data processing service to another
Chapter VI of the Data Act establishes minimum requirements for providers of cloud and edge computing services to facilitate users’ switching from one service to another. This chapter is crucial for promoting competition in the digital services market and ensuring that users have control over their data.
Providers of the above-mentioned services must implement practices that allow users to easily transfer their data sets between different providers without incurring costly penalties or significant technical difficulties. This includes the adoption of open standards to ensure interoperability between different systems.
The law also requires providers to inform users about how the data will be transferred, including any associated costs and timeframes for completing the transfer. Users must have access to clear information on how to manage the process of migrating their data.
To ensure a smooth transition, the law provides for specific measures in case of problems during data transfer. Users are entitled to receive assistance from providers during the process and can lodge complaints if they encounter unjustified obstacles to the transfer.
These provisions are designed to reduce user lock-in with a single provider and encourage greater competition in the digital services market.
Chapter VII: Illegal access to data by the government of third countries
Chapter VII of the Data Act aims to protect European citizens from unlawful requests by external government authorities for their non-personal data sets stored in the EU. This protection is crucial to ensure the security of European users’ data and to maintain trust in the digital marketplace.
The law stipulates that any request from foreign governments must comply with EU regulations and cannot violate the fundamental rights of individuals. Competent EU bodies are responsible for overseeing access to non-personal data and must ensure that such access is justified on legitimate grounds.
In addition, the law requires IT service providers to take proactive measures to protect their data sets from unauthorised access by foreign governments. These measures may include advanced encryption and regular audits of security practices.
In the event of unlawful requests, users have the right to be informed and can challenge such requests through the competent authorities. The law also provides for severe penalties for those who attempt to illegally access non-personal data sets stored in the EU.
These provisions aim to ensure a high level of personal data protection and to maintain the integrity of the European digital market.
Chapter VIII: Interoperability
Chapter VIII focuses on interoperability between different information systems so that there is smooth communication between different information spaces. Interoperability is essential to ensure that data can flow freely between different economic actors without technical or regulatory obstacles.
Participants in common spaces will be required to comply with specific technical standards so that information flows smoothly and efficiently between different operating systems and cloud platforms. The law lays down clear requirements regarding the technical standards needed to facilitate interoperability between different digital service providers.
Furthermore, an EU directory will be created that will define relevant standards for cloud interoperability, thus ensuring a common basis on which interoperable solutions can be built.
To ensure the effectiveness of interoperability, competent bodies will have to continuously monitor the implementation of the standards laid down in the law. Any shortcomings in interoperability will have to be addressed through appropriate corrective measures.
These provisions are designed to promote an integrated digital ecosystem where data can be easily shared between different platforms and sectors, thus contributing to the overall economic efficiency of the EU.
Chapter IX: Enforcement
Chapter IX sets out the responsibilities of Member States in enforcing the provisions of the Data Act through designated competent authorities.
Each Member State must appoint at least one competent authority responsible for supervising enforcement; if more than one authority is designated, a ‘data coordinator’ must be appointed as the national single point of access.
The Data Act. Roadmap.
The European Data Strategy defines the roadmap for the EU to become a leader in the data economy. This will be achieved through the creation of a single European data market in which data can flow between sectors and Member States securely and reliably for the benefit of the economy and society. Within this scenario, the Data Act is a key element in achieving fairness in the allocation of the value of data between stakeholders.
This new legislation will be applicable on 12 September 2025.
To help companies navigate these new rules, the Commission will recommend a set of model contract terms to facilitate fair, reasonable and non-discriminatory data sharing contracts (Chapters II and III of the Data Act). These terms will also provide guidance on reasonable compensation and protection of trade secrets.
The Commission will also recommend a set of non-binding standard contractual clauses for cloud computing contracts between users and cloud service providers. An expert group has also been set up to help the Commission draft such terms and clauses; these recommendations are expected to be published by autumn 2025.
Within three years of the Data Act coming into force, the Commission will conduct an assessment of the impact of the data regulation. On this basis, it may, if necessary, propose an amendment to the Act.