On November 9, 2023, the European Parliament has adopted the final version of the Data Act, marking a significant milestone in the evolving landscape of digital regulation. The Data Act is part of the European Commission’s broader strategy to shape Europe’s digital future (see our earlier posts here and here).

The widespread use of internet-connected products (the so-called Internet of things or “IoT”) has notably increased the volume and potential value of data for consumers, businesses, and society at large. Recognizing that barriers to data sharing hinder optimal data allocation for societal benefit, led to the drafting of the Data Act. Initially proposed by the European Commission in February 2022, the Data Act is designed to regulate data sharing and usage within the EU.

The Data Act, which applies to both personal and non-personal data, encompasses several key elements designed to foster an efficient, fair, and innovative data economy:

  • It facilitates data sharing, particularly data generated by connected devices and used by related services. This spans all sectors, underscoring the significance of non-personal data sharing for societal and economic benefits;
  • Itestablishes mechanisms for data transfer and usage rights, with a special focus on cloud service providers and data processing services. This facilitates a more fluid and secure data sharing environment;
  • It introduces interoperability standards to ensure data can be accessed, transferred, and used across different sectors, which is crucial for innovation and competitive markets;
  • It reinforces the right to data portability, allowing users to move their data across different service providers, which enhances user autonomy and promotes competition;
  • It mandates that providers of data processing services, such as cloud and edge services, implement reasonable measures against unauthorized third-party access to non-personal data, thereby fostering trust in data;
  • It aims to balance the availability of data with the protection of trade secrets;
  • It recognizes the need for public sector bodies, the Commission, the European Central Bank or Union bodies to use existing data to respond to public emergencies or in other exceptional cases; and
  • It provides protections against unfair contractual terms that are unilaterally imposed.

These elements collectively aim to enhance data accessibility and utility, protect individual and business interests, and foster a more competitive and innovative digital market in the EU.

The adopted text now needs formal approval by the Council to become law. Once finalized, the Data Act will enter into force on the 20th day following its publication in the Official Journal of the European Union and will apply from 20 to 32 months from the date of entry into force. The timeline for complete enforcement is thus expected to span several years, allowing businesses and stakeholders adequate time to adapt to the new requirements.

As always, we will continue to monitor the developments in this matter and keep you informed of any further updates.