Knowledge February 22, 2024

New regulation on fair access to and use of data (Data Act)

The Data Act has recently entered into force. The regulation aims to make it easier for different actors to access and create value from data and will strengthen the EU’s data economy. Among other things, the regulation sets out requirements for making data from connected products and related services available and contains rules to simplify switching between data processing services such as cloud services. The regulation will apply from 12 September 2025.

Background

On 11 January 2024, Regulation (EU) 2023/2854 on harmonised rules on fair access to and use of data (also known as the “Data Act”) entered into force. The regulation is part of the European data strategy and aims to strengthen the EU’s data economy. Furthermore, it aims to ensure that everyone can benefit from the digital revolution.

The European data strategy also includes Regulation (EU) 2022/868 on European data governance (also known as the “Data Governance Act”). The Data Governance Act aims to establish processes and structures to facilitate data sharing between businesses, individuals, and the public sector. The Data Act, on the other hand, aims to clarify who can create value from data and under what conditions. However, the two regulations will work together to increase accessibility and transparency.

The Data Act will apply from 12 September 2025. However, parts of the regulation will become applicable later.

Summary of the Regulation

The Data Act sets out a range of requirements for the availability and processing of data, including the following:

  • Requirements for making data from connected products and associated services available. Several requirements are introduced regarding connected products and associated services. For example, there is an obligation to make product data and related service data accessible to a user, which should be considered e.g. when designing a product. Furthermore, a user will have the right to access, use and make available product data and data from associated services. There are also requirements regarding the disclosure of data to third parties and the receiving of such data, at the user’s request.
  • Protection against unfair contract terms related to access and use of data between entities. The regulation also states that unfair contractual terms may not be unilaterally imposed on another entity. It aims to prevent suppliers with a strong position in the market from unilaterally imposing contractual terms that the other party is not in a position to negotiate. Examples of terms that may be unfair are certain limitations of liability, the exclusion of remedies in case of non-performance of contractual obligations under certain conditions, or preventing a party from using data that it has provided or generated during the term of the contract under certain conditions.
  • A requirement to make data available to a public authority, the Commission, the European Central Bank or another EU institution demonstrating an exceptional need. Provided that such institutions can demonstrate that there is an exceptional need, such as a threat to public health, an emergency due to natural disasters or a major cyber incident, these institutions may, under certain conditions, be entitled to access certain data to address the situation.
  • Regulations related to switching between data processing services. Suppliers of data processing services, such as cloud services, should take measures to enable customers to easily switch to another data processing service.
  • Unlawful international government access to and transfer of data not containing personal data. The regulation contains requirements for suppliers of data processing services, such as cloud services, to take measures to prevent governmental access to, and transfer outside the Union of, non-personal data held in the Union, if such transfer or access would be contrary to Union law or the national law of the Member State concerned.
  • Interoperability requirements. The regulation sets out interoperability requirements to make it easier to move data and switch between data processing services. These requirements apply to the interoperability of, among other things, data, data sharing mechanisms and data sharing services, as well as to data processing services.

Relation to the General Data Protection Regulation (GDPR)

The Data Act covers both data containing personal data and data not containing personal data. However, the Data Act shall not affect the applicability of the GDPR, meaning that in case of a conflict between the Data Act and the GDPR, the GDPR shall have precedence.

What does the Data Act mean for your organisation?

As explained above, the Data Act may be applicable to a wide range of actors, such as manufacturers of connected products, suppliers of related services and data processing services (e.g. cloud services). The Data Act also contains more generally applicable requirements, for example for organisations holding data that may be relevant for exceptional needs or that may be transferred outside the EU in breach of the regulation. Therefore, we recommend that you review the legislation and consider the requirements that may be applicable to your organisation, and then assess what measures need to be taken to ensure compliance.

The Data Act also provides a range of opportunities for actors to access data, for example in relation to connected products. It is therefore useful to review the legislation and assess how your organisation can benefit from the right to data provided by the Data Act.

It is also relevant to consider how the requirements, and any data you intend to request access to under the Data Act, relate to other legislation, such as the GDPR. For example, if you request access to data on the basis of the Data Act and such data contains personal data, it must be ensured that the processing is in accordance with the GDPR, e.g. that there is a legal basis for the processing and that you do not process more personal data than necessary.

If you have any questions or want to know more about the Data Act and what the regulation can mean for your organisation, you are welcome to contact us.
