Introduction
The EU Data Act, which came into force on January 11, 2024, aims to revolutionize data governance across all economic sectors within the European Union (EU). While primarily focusing on industrial, non-personal data, it also has implications for data protection considerations. It seeks to address the complexities arising from the burgeoning digital economy, particularly in handling data generated by the Internet of Things (IoT) and related services.
This article explores the Data Act in detail, discussing its general requirements, specific provisions, alignment with existing regulations like GDPR, NIS 2 Directive, and the proposed Cyber Resilience Act, its applicability across various sectors, and the implications of non-compliance including potential fines.
Scope of Application
The EU Data Act applies to various entities, including:
Manufacturers of Connected Products: This includes companies producing connected cars, smart-home devices, medical devices, and related services that are placed in the EU market.
Users of Connected Products or Related Services: Individuals or businesses using connected products or related services within the EU.
Public Sector Bodies: EU member states’ public sector bodies, as well as EU institutions, agencies, or bodies, can request data holders to make data available in exceptional cases (e.g., public emergencies).
Data Processing Service Providers: Cloud service providers (such as SaaS, PaaS, IaaS) and edge service providers offering services to customers in the Union.
Participants in Data Spaces and Smart Contract Vendors: Entities involved in data spaces and those deploying smart contracts for others.
General Requirements of the Data Act
The Data Act sets forth a series of general requirements designed to ensure fair, transparent access to data and foster a competitive digital market:
Data Accessibility: Ensuring that users and businesses have access to data generated from the products and services they use.
Data Sharing: Facilitating the sharing of data across different sectors, emphasizing fairness and innovation.
Data Sharing with Third Parties: Data holders are obligated to make data available to third parties under data sharing contracts.
Data Sharing with Public Sector Bodies: In case of public emergencies, data holders must make data available to public bodies.
Data Interoperability: Promoting technical standards that ensure data can be easily exchanged and used across various platforms and services.
Design Requirements and Transparency: Manufacturers must design their products so that data generated or captured by those products are available to users for free and ideally directly.
Specific Provisions of the Data Act
The Data Act includes several specific provisions:
Data Usage Rights: It defines clear guidelines on who can use data and under what conditions, focusing on protecting the rights of data creators and consumers.
IoT Device Data: The Act addresses data generated by IoT devices, granting consumers and businesses access to their data, and, in some instances, the ability to share this data with third-party providers.