Nowadays, we increasingly hear that data is the new gold. In our current digital economy, data has become the most sought-after (digital) object because of the insights and knowledge that can be gained from it. By analyzing data, organizations can make better decisions, stimulate research and innovation on behalf of their products and services, and improve operational efficiency. However, much data remains untapped or is not freely accessible.
The European Commission therefore presented its proposal for the European Data Regulation ("Data Act") on February 23, 2022. The Data Act should contribute to the further completion of a unified (industrial) digital market in which data from government, business and individuals can be optimally shared and used. The proposal is an important pillar of the European Data Strategy, which aims to make the European Union a leader in a data-driven society. The Data Act measures complement the Data Governance Regulation proposed in November 2020. This regulation creates the processes and structures to facilitate data, the Data Act clarifies who can create value from data under what circumstances.
Although the Data Governance Act has now gone into effect, on Sept. 24, 2023, the effective date of the Data Act is likely still several months away. Still, it is good if organizations become aware now of what rights and obligations the Data Act entails and what the consequences will be within the organization. It is also wise for organizations to make preparations in advance in order to eventually be able to comply with all the measures of the Data Act.
Article 2 of the Data Act defines the term "data," from which it follows that the proposal covers both personal and non-personal data. The regulation thus has a broader scope than the AVG and also regulates non-personal data. The Data Act establishes rules regarding the use of data generated by Internet of Things (IoT) devices. This could include all kinds of smart devices, such as smart watches and smart meters, but also cars and machines, for example. In addition, the Data Act should regulate the use of cloud services and make it easier to switch between different cloud service providers.
The Data Act applies to the following organizations:
manufacturers of products and suppliers of related services marketed in the EU and users of such products or services;
data holders who make data available in the EU and data recipients of that data;
public authorities and EU institutions requesting data holders to make data available when there is an exceptional need to use that data for the performance of a public interest task and data holders providing that data in response to such a request; and
providers of data processing services in the EU.
The Data Act sets the ground rules for the exchange of data between businesses and consumers, between businesses, and between businesses and government in the single European data market. The proposal includes the following specific measures, among others.
Data sharing between businesses and consumers and businesses themselves is mandatory for IoT products and related services. Such products and services should be designed with data access by default.
Data holders of data from IoT products are required to make that data available on fair, reasonable and non-discriminatory terms and transparency.
Unfair contractual terms regarding access to data and its use are prohibited. This should prevent parties with significantly stronger market positions from abusing them by imposing unfair contractual terms on small and medium-sized enterprises to impede fair data exchange.
Government agencies are given access to data held by the private sector in cases necessary for specific public interest purposes. One example might be an emergency such as a natural disaster, where data is needed to act as quickly and appropriately as possible. Another example is a case such as the corona pandemic, where the government wanted access to data to better combat the virus.
Switching between different data processing service providers should be made more accessible. Providers should remove barriers that prevent customers from switching.
On June 28, 2023, the European Parliament and the Council of the European Union reached a political agreement on the Data Act. It is expected to be formally adopted before the end of this year. The Data Act will enter into force 20 days after its publication in the Official Journal of the European Union, but then the rights and obligations under the Data Regulation will not actually apply until 20 months after its entry into force, i.e., in the third or fourth quarter of 2025.
Although this still seems very far away, it is wise for an organization to make the necessary preparations now. After all, it may take some time to fully comply with all the new measures under the Data Act. It is therefore advisable to make an inventory of where in the organization IoT products are used or which cloud service providers are used. It is also possible to start thinking about the data strategy. What processes are currently in place and is data from IoT products already being used, or will it be in the future? In doing so, it is also best to immediately consider legal aspects, such as the question of which contracts need to be adjusted or which information facilities need to be expanded as a result of the new data regulation. After all, one had better be prepared for when the Data Act will actually apply.
