The EU Data Act[1] aiming to regulate fair access to and use of data has entered into force in January 2024 following its publication in the Official Journal of the European Union. The Act is set to become applicable across the bloc as of September 2025.
Setting out rules for the use, access, availability and sharing of generated personal and non-personal data, the Act targets manufacturers of connected products and providers of related services irrespective of their place of establishment – all grouped under the umbrella term of ‘data holders’ either in the form of a natural or legal person.
In this context, ‘connected product’ is defined as “an item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user”. In addition, the term ‘related services’ refers to “a digital service, other than an electronic communications service, including software, which is connected with the product at the time of the purchase, rent or lease in such a way that its absence would prevent the connected product from performing one or more of its functions, or which is subsequently connected to the product by the manufacturer or a third party to add to, update or adapt the functions of the connected product”.
Distinguished from the term ‘user’, ‘data recipient’ means “a natural or legal person, acting for purposes which are related to that person’s trade, business, craft or profession, other than the user of a connected product or related service, to whom the data holder makes data available, including a third party following a request by the user to the data holder.”
The following elements set out in the Act carry significance:
- Introduction of data access by design and by default;
- Where direct access may not be possible, data holders shall grant access to products and related services data including metadata, upon users’ requests, both in B2B and B2C settings – save for stricter conditions for security reasons and when sharing data constituting trade secrets;
- Data holders shall make data available to data recipients, upon users’ requests, on fair, reasonable and non-discriminatory terms while maintaining transparency;
- Data holders shall make data available to EU public sector bodies, upon request, on the grounds of public interest;
- Data processing service providers such as cloud computing services shall adopt necessary measures to enable effective interoperability for data access, transfer and use among different providers, and shall put in place contractual terms concerning switching services;
- Data processing service providers shall implement technical, organisational and legal measures to prevent unlawful cross border transfers of and access to non-personal data, retained in the bloc, from third countries;
- Introduction of data licence agreements between data holders, i.e. manufacturers and users;
- Introduction of a set of requirements for smart contract applications in the context of executing data sharing agreements;
- The Commission’s introduction of non-binding model contractual terms on data access and use, reasonable compensation and protection of trade secrets, alongside standard contractual clauses for cloud computing services based on fair, reasonable and non-discriminatory contractual rights and obligations.
The Data Act shall be read without prejudice to the EU GDPR, whereby those data access rights granted under the former shall be treated separately from the access rights granted to individuals under the latter.
Lastly, the Act’s inherent extraterritoriality shall carry direct consequences for manufacturers and providers outside the bloc, including Swiss based entities. In other words, any commercial activity falling under the scope of the Act with products and services being offered to the EU market, respectively any engagement in data sharing with stakeholders within the EU would need to undergo necessary due diligence within the set timeframe in order to ensure timely compliance.
[1] See here https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:32023R2854&qid=1707924358044.
