Another milestone was reached yesterday in EU legislation on "data law". The European Parliament adopted the Data Act, which, once formally approved also by the Council, could be published in the Official Journal of the EU and enter into force on the 20th day following publication. (The text adopted by the Parliament is available here.)
The Data Act will be applicable after 20 months from its publication (there will be even more time to prepare for some obligations, e.g. in connection with sharing of data generated by connected products and related services). Depending on the exact time of publication, the regulation is therefore likely to apply from the second half of 2025.
The main topics covered by the Data Act are the followings:
- B2C and B2B data sharing: Connected products and related services shall be designed to make data generated during use easily accessible, secure and, where relevant, directly accessible to users by default. The data sharing encouraged by the Regulation could lead to access to important data sources also in connection with the development of artificial intelligence solutions. (The Regulation will provide 32 months to prepare for data-sharing obligations related to connected products and related services.)
- Data holders' obligations regarding data sharing: The Data Act sets requirements to avoid restrictive or discriminatory agreements, and also addresses the criteria for determining the remuneration to be paid for making data available. In this context, particularly compared to the original proposal, much greater emphasis has also been placed on provisions on the protection of trade secrets, preventing competitors from exploiting the rules of the Data Regulation as loopholes to essentially 'reverse-engineer' the characteristics of products and services offered by competitors through the data they can obtain.
- Unfair business-to-business terms: The Data Act sets out in which cases unilateral contract terms for business-to-business data sharing are considered unfair if the contracting party against which the terms in question are applied is a microenterprise or an SME.
- B2G data sharing: In specific circumstances (such as a public health emergency), the Regulation also creates an obligation to make data available to government bodies and EU institutions. The data is provided free of charge in connection with emergency response. (In cases beyond this, cost-based accounting will in principle be possible.)
- Facilitating switching between data management services: The Regulation aims to avoid lock-in situations. This may apply, e.g. in the case of cloud services, but the applicability of these provisions may also arise in connection with other data processing services. The regulation also lays down rules on interoperability and transparency.
- International transfers of non-personal data: The Regulation also regulates international transfers of non-personal data. These rules are less elaborate and detailed than the ones in the GDPR, but they reflect the EU's need for data sovereignty, which has been increasingly reflected in regulation and enforcement in recent years (e.g. by limiting governmental access to data by third countries governments).
- Data protection authority (DPA) powers: DPAs (and the European Data Protection Supervisor (EDPS) concerning EU institutions) are empowered to supervise activities under the Data Act in relation to processing of personal data.
- European Data Innovation Board (EDIB): The European Data Innovation Board established under the Data Governance Act will also be entrusted with tasks under the Data Act, mainly in relation to standardising the application of the Regulation and in an advisory role.
With the adoption of the Data Act, another building block from the EU strategy for data will be put in place and preparation for its application will give stakeholders tasks for the coming years.
