The digital economy thrives on data, but accessing and utilizing it effectively can be a complex and often imbalanced endeavor. Enter the EU Data Act, a landmark regulation designed to reshape how data is shared and used across the European Union. Officially known as Regulation (EU) 2023/2854 (the original legal text can be found here), this legislation, adopted on December 13, 2023, aims to establish harmonised rules on fair access to and use of data.

What is the EU Data Act About and Which Issues Does it Address?

At its core, the Data Act is about empowering individuals and businesses by giving them greater control over the data generated by their connected products and related services. It seeks to foster a well-functioning internal market for data and unlock its potential for innovation and economic growth.

The regulation tackles several critical barriers to data sharing:

  • Lack of Incentives: Data holders often lack motivation to voluntarily share data.
  • Uncertainty of Rights: There’s ambiguity surrounding rights and obligations related to data.
  • High Costs & Fragmentation: Contracting and technical interface costs, along with data silos and poor metadata management, hinder sharing.
  • Interoperability Gaps: A lack of standards for semantic and technical interoperability creates bottlenecks.
  • Contractual Imbalances: The abuse of contractual power restricts fair data access and use.
  • SME Challenges: Micro, small, and medium-sized enterprises (SMEs) often lack the digital capacity and skills to leverage data, and face restricted access.
  • Vendor Lock-in: Especially in data processing services, obstacles hinder customers from switching providers, limiting competition.
  • Unlawful International Access: The Act introduces safeguards against governmental access to non-personal data from third countries that conflicts with EU law.

The Data Act specifically ensures that users of connected products or related services in the Union can access, in a timely manner, the data generated by the use of that product or service. Furthermore, it allows these users to use the data, including by sharing them with third parties of their choice.

What is the Timeline?

The journey of the Data Act through the EU legislative process involved significant input from various bodies:

  • Proposal from the European Commission: The process began with a proposal from the European Commission.
  • Opinions from Key Institutions: The European Central Bank provided its opinion on October 19, 2022. The European Economic and Social Committee and the Committee of the Regions also gave their opinions on September 23, 2022, and September 30, 2022, respectively.
  • Parliament and Council Decisions: The European Parliament adopted its position on November 9, 2023, followed by the Council’s decision on November 27, 2023.
  • Publication and Entry into Force: The regulation was published in the Official Journal of the European Union on December 22, 2023. It entered into force on the twentieth day following its publication, which would be around January 11, 2024.

The Data Act is a key piece of the EU’s broader digital strategy, complementing and interacting with existing regulations:

  • [GDPR (General Data Protection Regulation - Regulation (EU) 2016/679](https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng)): The Data Act complements and is without prejudice to Union law on the protection of personal data and privacy, particularly the GDPR. It explicitly states that no provision of the Data Act should diminish or limit the rights to personal data protection or privacy. Any processing of personal data under the Data Act must comply with GDPR’s legal basis requirements. It extends data subjects’ rights by ensuring technical feasibility for third-party access to all data, not just that “provided by the data subject” as in GDPR’s portability right.
  • Digital Markets Act (DMA - Regulation (EU) 2022/1925): To prevent concentration of power, the Data Act prohibits “gatekeepers” (undertakings designated under the DMA) from being eligible third parties for receiving data from users or data holders under this Regulation. They cannot solicit or commercially incentivize users to share data under the Data Act.
  • Digital Services Act (DSA - Regulation (EU) 2022/2065): The Data Act is without prejudice to Union legal acts providing for data sharing for purposes like prevention or investigation of criminal offenses, which includes the DSA.
  • Data Governance Act (DGA - Regulation (EU) 2022/868): The Data Act builds on the DGA, especially concerning data intermediation services which can facilitate a data economy. The European Data Innovation Board (EDIB), established by the DGA, will also play a key advisory role for the Data Act.
  • ePrivacy Directive (Directive 2002/58/EC): This directive protects private life and the confidentiality of communications, including data storage and access from terminal equipment. The Data Act complements these protections.
  • Trade Secrets Directive (Directive (EU) 2016/943): The Data Act is interpreted to preserve the protection of trade secrets, allowing data holders to require confidentiality measures from users and third parties.
  • Sui Generis Database Right (Directive 96/9/EC): Significantly, the Data Act clarifies that the sui generis right for databases does not apply to data obtained from or generated by connected products or related services falling within its scope, preventing it from hindering user data access rights.

Which Companies and Services Have the Obligation to Share Data?

The Data Act imposes obligations on several key actors:

  • Manufacturers of Connected Products placed on the market in the EU.
  • Providers of Related Services offered in the EU.
  • Data Holders: Any natural or legal person with the right or obligation to use and make data available, including those who retrieve or generate product data or related service data.
  • Providers of Data Processing Services: These include cloud and edge services, which must remove obstacles to effective switching and enhance interoperability.
  • Participants in Data Spaces and Vendors of Smart Contracts: Those offering data or data services within common European data spaces, or deploying smart contracts for others, must comply with interoperability requirements.

Exemptions:

  • Microenterprises and Small Enterprises are generally exempt from new design obligations for products/services they manufacture or provide, unless they are part of a larger group or are subcontracted.
  • Medium-sized Enterprises benefit from a one-year transitional period for connected products placed on the market.

The obligations primarily concern product data (generated by connected products) and related service data (generated during the provision of related services), specifically what is termed “readily available data” (data lawfully obtainable without disproportionate effort).

Which Parties Are Entitled to Consume Data?

The Data Act empowers various entities to access and use data:

  • Users: This is a broad category encompassing natural or legal persons (e.g., consumers, businesses, public sector bodies) who own a connected product, have temporary usage rights (like rental), or receive related services. Users are entitled to derive benefit from the data generated by their products and services.
  • Third Parties: Users can request data holders to make data available to third parties of their choice for commercial and non-commercial purposes. These third parties can be enterprises, research organizations, or non-profits.
  • Public Sector Bodies, the European Commission, the European Central Bank, and Union Bodies: These entities can request data from data holders when there is an exceptional need to carry out statutory duties in the public interest. This includes responding to public emergencies (e.g., public health crises, natural disasters) or fulfilling specific public interest tasks explicitly provided by law (e.g., producing official statistics).

How Can Data Be Shared?

The Data Act outlines several mechanisms for data sharing:

  1. Direct User Access: Connected products and related services should be designed so that product and related service data are easily, securely, free of charge, in a comprehensive, structured, commonly used, and machine-readable format, and, where relevant and technically feasible, directly accessible to the user by default.
  2. Data Holder to User (upon request): If data isn’t directly accessible, data holders must make readily available data accessible to the user without undue delay, of the same quality as available to the data holder, via a simple electronic request.
  3. Data Holder to Third Party (at user’s request): Upon a user’s request, data holders must make readily available data accessible to a designated third party without undue delay, free of charge to the user, and in a high-quality, structured, machine-readable format.
  4. Data Holder to Public Sector Bodies/EU Institutions (exceptional need): Data holders must make data available to public sector bodies, the Commission, the European Central Bank, or Union bodies upon a duly reasoned request, in cases of exceptional need.
  5. Voluntary Arrangements: The regulation does not prevent lawful data sharing contracts on a voluntary basis.

How Close to Real-Time Should Data Be Shared?

The Data Act emphasizes timely access to data:

  • For users and third parties, data should be made available “without undue delay,” and “where relevant and technically feasible, continuously and in real-time”.
  • Manufacturers and service providers must inform users if connected products can generate data continuously and in real-time.
  • Technical means for data access, such as APIs, should be described to enable automatic access and transmission of data between parties, “including continuously, in bulk download or in real-time” where technically feasible.

When Does it Take Effect?

While the regulation entered into force around January 11, 2024 (20 days after publication), its provisions will largely apply from September 12, 2025.

The EU Data Act marks a significant step towards a more equitable and innovative data economy, ensuring that data serves the interests of all participants.