On November 9, 2023, the European Parliament has adopted the final version of the Data Act, marking a significant milestone in the evolving landscape of digital regulation. The Data Act is part of the European Commission’s broader strategy to shape Europe’s digital future (see our earlier posts here and here).

The widespread use of internet-connected products (the so-called Internet of things or “IoT”) has notably increased the volume and potential value of data for consumers, businesses, and society at large. Recognizing that barriers to data sharing hinder optimal data allocation for societal benefit, led to the drafting of the Data Act. Initially proposed by the European Commission in February 2022, the Data Act is designed to regulate data sharing and usage within the EU.

The Data Act, which applies to both personal and non-personal data, encompasses several key elements designed to foster an efficient, fair, and innovative data economy:

  • It facilitates data sharing, particularly data generated by connected devices and used by related services. This spans all sectors, underscoring the significance of non-personal data sharing for societal and economic benefits;
  • Itestablishes mechanisms for data transfer and usage rights, with a special focus on cloud service providers and data processing services. This facilitates a more fluid and secure data sharing environment;
  • It introduces interoperability standards to ensure data can be accessed, transferred, and used across different sectors, which is crucial for innovation and competitive markets;
  • It reinforces the right to data portability, allowing users to move their data across different service providers, which enhances user autonomy and promotes competition;
  • It mandates that providers of data processing services, such as cloud and edge services, implement reasonable measures against unauthorized third-party access to non-personal data, thereby fostering trust in data;
  • It aims to balance the availability of data with the protection of trade secrets;
  • It recognizes the need for public sector bodies, the Commission, the European Central Bank or Union bodies to use existing data to respond to public emergencies or in other exceptional cases; and
  • It provides protections against unfair contractual terms that are unilaterally imposed.

These elements collectively aim to enhance data accessibility and utility, protect individual and business interests, and foster a more competitive and innovative digital market in the EU.

The adopted text now needs formal approval by the Council to become law. Once finalized, the Data Act will enter into force on the 20th day following its publication in the Official Journal of the European Union and will apply from 20 to 32 months from the date of entry into force. The timeline for complete enforcement is thus expected to span several years, allowing businesses and stakeholders adequate time to adapt to the new requirements.

As always, we will continue to monitor the developments in this matter and keep you informed of any further updates.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Yung Shin Van Der Sype Yung Shin Van Der Sype

Yung Shin Van Der Sype is a counsel at Crowell & Moring’s Brussels Office and a member of the firm’s Privacy & Cybersecurity and IP Group. She focuses on IT law, such as privacy and data protection and IT contracts and cybersecurity, particularly…

Yung Shin Van Der Sype is a counsel at Crowell & Moring’s Brussels Office and a member of the firm’s Privacy & Cybersecurity and IP Group. She focuses on IT law, such as privacy and data protection and IT contracts and cybersecurity, particularly in relation to HR-related matters. Yung Shin advises national and international clients from different sectors ranging from social media to esports. She has more than 10 years’ experience providing services across the spectrum of IT law and has built up an impressive reputation in this area. She is also widely respected for her pragmatic and creative approach to solving business disputes.

Photo of Sari Depreeuw Sari Depreeuw

Sari Depreeuw is a partner in Crowell & Moring’s Brussels office and a member of the firm’s Technology & Brand Protection Group. She focuses on copyright and digital law, with more than 15 years of experience advising and representing a wide range of…

Sari Depreeuw is a partner in Crowell & Moring’s Brussels office and a member of the firm’s Technology & Brand Protection Group. She focuses on copyright and digital law, with more than 15 years of experience advising and representing a wide range of Belgian, European, and international clients on copyright, neighboring rights, software and database rights, and on all issues relating to the access to, acquisition and use of digital assets.

Photo of Maarten Stassen Maarten Stassen

Maarten Stassen is a partner in the Brussels office of Crowell & Moring, where he is a member of the firm’s Privacy & Cybersecurity Group. His practice focuses on privacy and data protection, including the General Data Protection Regulation (GDPR) and cross-border data…

Maarten Stassen is a partner in the Brussels office of Crowell & Moring, where he is a member of the firm’s Privacy & Cybersecurity Group. His practice focuses on privacy and data protection, including the General Data Protection Regulation (GDPR) and cross-border data transfers solutions, as well as on the legal and operational aspects of the digital ecosystem, including Internet of Things (IoT), MedTech, and upcoming technologies such as Distributed Ledger Technology (e.g. Blockchain).

Before joining Crowell & Moring, Maarten was a director in Deloitte’s Cyber practice, as well as the Faculty Leader of the European Privacy Academy. He has been focusing on privacy and data protection law for many years, first as a lawyer in both Spain and Belgium, and later as European Privacy Officer of an international health insurance company.