The European Data Act is a European regulation that entered into force on 11.01.2024 and will take effect from 12.09.2025 after the expiry of its current implementation period for economic operators falling within the regulation’s personal scope of application.
Guided by the realization that data is a crucial resource for digital transformation in today’s constantly digitizing world, the European legislator has recognized data as an important economic asset that can only be used effectively through comprehensive access. This fundamental idea underlies the European Data Act, which defines which business stakeholders in the market can create value from data and provides harmonized rules for fair access to and use of data in an economic sense.
Table of Contents
Objectives of the European Data Act
Promoting data access and use
First and most important, the Data Act aims to ensure that more data is available for private and public actors to promote innovation and competition.
Creating legal clarity and trust
The Data Act is further intended to establish clear rules for the access and use of data, eliminating uncertainties and strengthening companies’ and consumers’ trust in the data economy.
Promoting fairness and competition
The Data Act aims to create a fairer competitive landscape by removing barriers to data access and use, especially for small and medium-sized enterprises (SMEs).
The European Commission also targets to reduce barriers to practical switching between data processing services. Facilitating data transfer is intended to increase competition between providers and enable new market participants.
The regulation is comprehensive in this area and is intended to cover all SaaS, IaaS, and PaaS providers. In the future, data processing service providers will be prohibited from charging a switching fee for switching to another service provider. They will also be required to inform the user about the switching procedure and data collection.
A mandatory clause must be included in the contract with the customer regarding the rights of the customer and the obligations of the provider of data processing services. This should ensure that the user is fully informed.
Facilitating interoperability and data exchange
The European Data Act also strives to promote technical standards and protocols that facilitate the exchange and use of data across different systems and sectors.
Ensuring data sovereignty
As per the new regulations of the Data Act mechanisms are to be created to ensure that users retain control over their data and can determine how it is used.
Promoting innovation and economic growth
Last, but not least, the Data Act seeks to boost economic growth and innovation in the EU by improving access to data and promoting new data-driven business models.
The European Commission’s main objectives are to promote data access and use, facilitate data transition, and reduce barriers to practical switching between data processing services.
Facilitating data transfer is intended to increase competition between providers and enable new market participants.
Scope of application
In a personal perspective, the new data regulation is aimed at manufacturers and retailers of networked products, providers of connected products and data processing services.
Only so-called small and micro-enterprises are excluded from the personal scope of application of the Data Act. In this sense, a small enterprise is a company with fewer than 50 employees, and an annual turnover or annual balance sheet of no more than €10 million, and a microenterprise is a company with fewer than 10 employees and an annual turnover or annual balance sheet of no more than €2 million.
The Data Act grants a one-year grace period for medium-sized companies (companies with fewer than 250 employees and either an annual turnover of no more than €50 million or an annual balance sheet total of no more than €43 million) and products that were placed on the market less than one year ago.
The Data Act regulates access to personal and non-personal data generated through the use of a networked connected product. For the purposes of Art. 2 No. 1 DA, data means any digital representation of acts, facts, or information and any compilation of such acts, facts, or information, including in the form of sound, visual, or audiovisual material.
A connected product is a physical object that collects, generates, or receives data about its use or environment and is capable of
- via a physical connection,
- via on-device access or
- via an electronic communication service
The product’s primary function must not be storing, processing, or transmitting data on behalf of a party other than the user. This includes the following products, among others:
- Vehicles, ships, airplanes
- Household appliances and consumer goods
- Medical and lifestyle devices
Data subjects under the European Data Act and their rights
The European Data Act gives the so-called “user” several rights to improve data access and control.
The term “user” is legally defined in Art. 2 No. 12 DA. Accordingly, users are all natural or legal persons who own a so-called “connected product,” to whom rights of use have been contractually transferred or who make use of a “connected service.”
Right of access to data
Users have the right to access the data generated by devices they own, lease, or rent. This includes both personal and non-personal data.
Right to data portability
Users shall receive their data in a structured, commonly used, machine-readable format and transfer it from one provider to another without hindrance.
Right to fair contractual conditions
The Data Act is intended to ensure that contracts for access to and use of data are fair and transparent, especially for small and medium-sized enterprises (SMEs).
Right to data transfer
Users can share data with third parties to promote services and innovation, provided privacy and confidentiality are maintained.
Right to control the use of data
Users can determine how their data is used, including the option to object to the use of their data for specific purposes.
Right to protection from unfair competition
The Data Act further stipulates measures designed to prevent dominant market players from abusing access to data and thereby promoting unfair competition.
Obliged parties under the Data Act
Within the framework of the Data Act, various groups of obliged parties are subject to different regulatory obligations. These obligations are designed to ensure that access to data is fair, transparent, and secure while promoting users’ interests and the economy’s competitiveness. In the light of these considerations, the Data Act will pose new challenges for the stakeholders concerned, making proactive and early information about the forthcoming obligations crucial.
Data holder (Data Controller)
Data holders, also known as data controllers, are obliged to make the data generated by their devices accessible to users. This means they must ensure that users have easy and direct access to the data collected while using the devices.
Furthermore, they are obliged to create transparent and fair contractual conditions that regulate the access and use of this data. This includes not imposing unfair terms that restrict access to the data or create unreasonable barriers to its use.
The Data Act promotes a fair and open data market by ensuring that data holders do not unlawfully control or restrict access to valuable data sources.
Data holders may only use any readily available data that is non-personal and is generated by their devices based on a license agreement with the user (Art. 4 para. 13 Data Act). A data holder shall not use such data to derive insights about the economic situations, assets and production methods of, or the use by, the user in any other manner that could undermine the commercial position of that user on the markets in which the user is active.
Manufacturer of connected products
Manufacturers of connected products are responsible for ensuring that users have access to the data generated by their devices. This obligation includes making the data available free of charge in a format that is interoperable and can, therefore, be easily used by different systems and applications. This should ensure that users have the opportunity to use their data for other purposes and benefit from various service providers.
By promoting interoperability, the Data Act helps to create an open and competitive market for data-driven services and innovation, where proprietary systems do not restrict users. For the manufacturers’ obligation to provide data, it is irrelevant whether it is B2C or B2B data. However, this creates a more significant challenge for manufacturers in the B2B sector, since the European Data Act stipulates that the generated data belongs to the product user. Accordingly, a product manufacturer cannot make the data obtained its own through general terms and conditions. This now requires a separate contractual arrangement. The user’s consent will be mandatory for working with data in the future.
Dealers of networked devices
Dealers of networked devices have a duty to inform the user about how and what data is collected. This obligation must be fulfilled before a purchase/rental or leasing contract is concluded so the future user can make an informed purchase decision.
The obligations to provide information about the data must be extensive and precise, including access and influence options and data format.
The information on asserting the right to access data should be similar to a privacy policy. Only the product manufacturers can provide such in-depth information.
Early cooperation with the manufacturer is, therefore, essential for the retailer. In particular, it should be noted that this information obligation also covers networked products that are older but still being placed on the market.
Retailers must consider which products in their range could be affected. Smart home products, for example, should be considered here.
Data recipients (Third Parties)
Data recipients, i.e., third parties who receive access to data for purposes that are related to their trade, business, craft of profession, other than the user of a connected product or related service, are subject to strict data protection and data security obligations. They must ensure that the data obtained is used exclusively for the agreed purposes and that the privacy and confidentiality of the data are maintained. This means that data recipients must implement clear and transparent policies and processes to ensure responsible data handling. In addition, they must comply with high-security standards to protect data against unauthorized access and misuse. These obligations are intended to strengthen trust in the data economy and protect users’ rights.
Public sector bodies
Under the Data Act, public sector bodies have the right to request access to data if it is in the public interest, for example, to ensure public safety or health. However, they are obliged to ensure that the data requested is only used to the extent necessary and in strict compliance with data protection and confidentiality. This obligation is intended to prevent sensitive information from being disclosed or used inappropriately. These regulations create a balance between the public interest and, the protection of privacy and the rights of data owners.
Data intermediaries (Data Processors)
Data intermediaries, who take on an intermediary role in data traffic, are obliged to act neutrally and transparently. This means they must not derive any one-sided advantages from their position and must offer all parties equal opportunities when accessing and using data. They must create transparent data transfer conditions and comply with high-security standards to ensure data protection.
These measures ensure that data intermediaries act as trustworthy players in the data ecosystem and help to promote an open and fair market for data traffic.
Consequences and sanctions for non-compliance with the Data Act
The obliged parties under the Data Act can be held accountable for non-compliance with their obligations arising out of the Data Act regulations.
The supervisory authorities responsible for monitoring the application of Regulation (EU) 2016/679 may impose fines for breaches of the obligations under Chapters II, III, and V of the Data Act within the sense of Art. 83 GDPR.
The European Data Protection Supervisor can impose fines under Art. 66 of Regulation (EU) 2018/1725 for breaches of Chapter V of the Data Act. Although the Federal Republic of Germany has not yet developed a sanction, the possibility is included in Art. 40 I DA. It can be assumed that this will happen before the Regulation enters into force.
In general, even without state sanctions, a lack of information or incorrect provision could lead to warranty claims by the end customer and trigger a rescission of the contract. Furthermore, there is the possibility of violating the Unfair Competition Act in the event of non-compliance with Art. 3 and 4 of the Data Act regulation.
Conclusion:
Business stakeholders affected or bound by the Data Act must take it into account without any delay and implement it in order to comply with legal requirements arising from it and to reap the full benefits of data use. The Data Act promotes transparency, data accessibility, and the free flow of data within the EU, which boosts competitiveness and innovation. By complying with the Data Act, companies can build trust with their customers and partners and avoid legal consequences. Therefore, implementing the Data Act is not only a legal obligation but also a strategic decision to strengthen one’s own market position.