European Data Act - Key Provisions and their implications
European Data Act - Key Provisions and their implications
The European Union (EU) entered a historic, new era of data governance by enacting the Data Act. Effective from 11 January 2024, this legislative milestone introduces transparent and equitable rules governing data access within the European data economy and has been developed to be compatible with other pieces of legislation, including, the General Data Protection Regulation (GDPR). It is a crucial component of the EU's broader Strategy for Data.
The Data Act also closely aligns with the Data Governance Act implemented in September 2023, which focuses on the rules for reusing data and introduces processes and structures to facilitate data-sharing. Collectively, these acts are aimed at achieving the EU’s Digital Decade objective of advancing digital transformation.
We provide an overview of key provisions of the Data Act and its implications for organisations and consumers.
Overview of the EU Data Act
Addressing the surge in Internet of Things (IoT) products, the Data Act ensures that users retain control over data generated by their connected devices. For context, IoT refers to a network of physical devices that can transfer data to one another without human intervention in real time, such as computers, machinery, wearable technologies and devices.
The Data Act requires manufacturers and service providers to ensure that individuals or organisations (users) are able to reuse the data that was created through the use of their services and/or products. Moreover, it gives users the leverage to share this data with third parties. For example, the owner of a coffee machine sharing data with the company providing repair services. Manufacturers are mandated to design products in a way that allows both businesses and consumers fully to utilise IoT-generated data, promoting fair distribution and access.
Key elements of the Data Act, including the available rights and penalties for non-compliance
Both personal and non-personal data fall within the scope of the Data Act. It applies to “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording”.
If personal data is being processed, the GDPR will also apply which means that organisations must be aware of their obligations under the GDPR as well. The Data Act aims to make data more accessible to all, provide standards for the reuse of data and facilitate access to and the use of data by consumers and businesses.
Below we provide a summary of the Data Act’s key elements, including new rights that it introduces.
Why is the EU Data Act significant and what does it mean for my business?
The Data Act will apply fully 20 months from the date of its entry into force (which is 11 January 2024). Although the Data Act constitutes EU legislation, it will have wider implications for organisations beyond the EU, including businesses in the UK. We expect that the Data Act will have at least some impact on the following organisations:
- UK manufacturers and providers of connected products (for example IoT devices) that will be placed on the EU market;
- UK data holders who make data available to the users in the EU; and
- Organisations that provide data processing services (for example, cloud services) to EU clients, whether based in the EU or outside the UK.
Moreover, it is possible that the Data Act will set a new global standard in the field, similar to the GDPR. This means that, even when not caught by the Act, UK organisations may seek to differentiate themselves in the UK market by choosing to comply with the “Golden Standard”. While we have not seen any declared plans by the UK government to enact a similar piece of legislation, it is possible that we may see that similar standards are mirrored in the UK’s domestic regulatory environment in the future.
If you have any queries or would like further information, please visit our data protection services section or contact Christopher Beveridge.