
EU Data Act: getting acquainted with the coming legislation (and challenges)

  • Writer: Adam Smith
  • Jan 30, 2024

Updated: Feb 8, 2024

It is now almost six years since the GDPR became applicable across the European Union, which of course at the time included the United Kingdom. Notwithstanding the UK's ongoing project to rebrand its data protection law as a Data Protection and Digital Information Act (that sounds far enough removed from 'GDPR' to appease Brexit evangelists without actually moving the needle much), it's probably fair to say that data protection law is pretty settled across the EU and UK right now. As such, attention has turned to other aspects of Europe's digital strategy.

Both the UK and EU are keen to ensure that they remain at the forefront of the global digital economy, with the EU equally keen to ensure a well-functioning digital single market. In view of this, the EU has been particularly active of late in developing laws that focus on discrete aspects of the evolving digital world. The most high-profile has been the AI Act, with a leaked copy of the apparently final version currently doing the rounds. Others include the Digital Services Act, Digital Markets Act, and the Data Governance Act. In this post, we take a look at the Data Act, the final text of which was published in the European Union's Official Journal in December 2023.


What does the Data Act do?


The European Commission has explained that the measures in the Data Act are intended to complement the provisions of the Data Governance Act. While the Data Governance Act regulates the processes and structures enabling voluntary data sharing, the Data Act establishes who can create value from data, primarily from connected devices, and the conditions in which they can do so. The aim is for the two Regulations to ensure reliable and secure access to data, allowing it to be used in key economic sectors and areas of public interest.

The Data Act is said by the Commission to ensure that users of a connected product or a related service within the EU can gain access to data generated through using the connected product or service in a timely manner, and use the data themselves (including by sharing them with third parties). It also requires that holders of the data make data available to recipients under fair, reasonable and non-discriminatory terms and conditions, and in a transparent manner.

It is hoped that the legislation will help foster competition and innovation across the EU's relevant industries. Key aspects of the Act include:


  1. data accessibility: companies must ensure that non-personal data generated by connected devices and services can be accessed and used by third parties, enabling seamless transfer between holders and users while upholding confidentiality. This will require connected products and services to be designed and built or provided with accessibility in mind;

  2. data sharing with third parties: where requested, a company must share non-personal data with third parties, provided that the data is necessary for the provision of a service, and subject to compensation under fair, reasonable and non-discriminatory terms;

  3. fair data usage: mitigating the abuse of contractual imbalances that impede equitable sharing, including safeguarding against unjust contractual terms imposed by the party with the stronger bargaining position, establishing guidelines for sharing agreements and fair access to data;

  4. public use of private sector data: rules enable public authorities to access and use data collected and held by the private sector for specific public interest purposes, such as where the data is necessary to help an authority respond quickly and securely to a public emergency;

  5. security and confidentiality: strict requirements are imposed to ensure security and confidentiality of data, ensuring that sharing does not compromise trade secrets, personal data, or cybersecurity;

  6. exceptions for SMEs: small and medium-sized enterprises may be exempted from certain obligations under the Act, in recognition of the significant potential burden of many of the requirements for smaller-scale businesses;

  7. primacy of data protection: the Data Act aligns with the GDPR to ensure that personal data remains protected, and in the event of conflict between the requirements of data use and those regarding the protection of personal data, data protection obligations take precedence.


What are the implications for businesses?

The obvious and less-than-completely-helpful answer is that it depends on the nature of the businesses. Those not involved in the relevant data-focused activities will not be affected by the legislation at all, while SMEs are not required to comply with all requirements. Those falling within scope of the Data Act will be impacted in myriad ways, some more welcome than others:


  1. increased access to data: businesses, particularly those relying on the Internet of Things (IoT) and connected devices, will have much greater access to data. The rise in open source software has fuelled the acceleration of tech innovation, and it may be anticipated that the freer sharing of connected data will spur similar leaps forward;

  2. yet more strategy rethinks and compliance audits: over the past decade, businesses - particularly large multinationals - have become used to data protection audits and related projects to improve compliance measures. The advent of the Data Act (and the EU's other new digital laws) signals a need for new projects, with companies needing to reassess their digital strategies, considering the increased availability of external data and new opportunities for data sharing, and invest in compliance measures to meet the new requirements. These measures must not undermine or even conflict with the data protection regime;

  3. competitive dynamic: the Data Act has the potential to level the playing field somewhat by reducing the data advantage large industry incumbents have and enhancing the competitive position of smaller firms and market entrants. Whether this is a positive or negative will depend on which camp you fall into;

  4. legal and contractual adjustments: while some will treat this as an element of the wider compliance project, it is worth emphasising that businesses will need to review and potentially adjust contracts and practices around data sharing and handling. There are echoes here of the GDPR's introduction necessitating review of third-party contracts, and many will consider holding off on this aspect of Data Act compliance until internal controls are in place and guidance or standard clauses have been published; and

  5. more potential for disputes: several aspects of the Data Act give rise to potential disputes. More generally, however, the exemptions around trade secrets and the need to comply with data protection laws ahead of the Data Act give rise to the potential for base disagreements over what can be withheld (where provisions allow), either as personal data (not always easy to discern in the sphere of IoT and connected devices) or as a genuine trade secret.


The Data Act will have a major impact on those for whom data processing and connected device services have become core business elements. With the majority of provisions coming into effect on 12 September 2025, most affected enterprises would be advised to begin considering how the Act impacts on their operations and developing the blueprints for compliance measures that not only protect against breaches of the Data Act but also enable them to capitalise on the opportunities it provides.
