EU Releases Data Act to Facilitate Access and Use of Data
On 22 December 2023, the Regulation on harmonized rules on fair access to and use of data ("Data Act") was published in the EU's Official Journal.
The Data Act lays down rules on fair access to and use of personal and non-personal data across all economic sectors generated by connected products and digital related services.
In a nutshell, the Data Act:
- Lays down rules on B2B and B2C data access. Manufacturers and providers are obliged to design products and services in such a manner that generated data are directly accessible to users, and to provide information to users on generated data, its accessibility, and users' rights. At the users' requests, data holders are required to make the data available to users or to third parties without undue delay, free of charge and, where applicable, continuously and in real time. These obligations apply to connected products and related services placed on the EU market, irrespective of the place of establishment of the manufacturers and providers.
- Establishes a ban on unfair contractual terms on data sharing and introduces non-binding model contractual terms.
- Provides for a harmonized framework for the access and use of data held by the private sector, by public sector bodies, the Commission, the European Central Bank, and EU bodies.
- Introduces restrictions to non-EU governmental access and international transfers of non-personal data, by requiring providers of data processing services to take technical, organizational and legal measures to prevent unlawful access and transfers.
- Introduces requirements to enable switching between providers of cloud services and of other data processing services, by requiring providers to take all reasonable measures to facilitate the process of achieving functional equivalence in the use of the new service. Costs arising from the switching process can only be charged to the customers until 12 January 2027.
- Introduces interoperability requirements for participants in data spaces that offer data or data services, data processing service providers, and vendors of applications using smart contracts.
- Includes an obligation for EU Member States to lay down rules on penalties for infringements of the Data Act, and EU supervisory authorities may impose administrative fines as provided in the EU GDPR for certain infringements of the Data Act.
The Data Act enters into force on 11 January 2024. Most of its rules will apply from 12 September 2025.