EU’s new data act sets rules for data sharing and access to data
Regulation (EU) 2023/2854 of the European Parliament and of the Council on harmonized rules on fair access to and use of data (the “data act”) entered into force on 11 January 2024, revolutionizing access to data and introducing new obligations for companies to share data. The regulation is directly applicable in the member states of the union and will apply from 12 September 2025. The data act is part of the European Data Strategy (2020), which aims to make the EU a pioneer in a data-driven society.
The data act harmonizes the rules for the use of data generated by IoT devices. IoT devices include devices that are connected to the internet, such as smartphones and watches, smart refrigerators, locks, smoke alarms and cars. The definition of data is broad in the regulation: data refers to, among other things, any digital representation of information or compilations of information, including sound, visual or audio-visual recordings. The data referred to in the data act may also include personal data, in which case data sharing must comply with the provisions of the EU General Data Protection Regulation (the GDPR, 2016/679). The requirements of the GDPR and other applicable personal data and privacy legislation take precedence over the data act, so data holders must work out how they can simultaneously meet the requirements of the data act and the legislation on the protection of personal data.
The key purpose of the data act is to enable users of an IoT device or a related service to obtain the data generated by their use of the device and to share that data with service providers of their choice for value-added services, such as repair. For example, an X-brand smartwatch user may request that repair service provider Y be given access to the data so that repair service provider Y can repair the smartwatch. The changes introduced by the data act are essential for manufacturers of cars and machinery, for example. The regulation applies to both the public and private sectors.
The data act takes as its starting point that the user of the device must have control over the data generated on their device before the data can be further processed. The manufacturer of the device must ensure that the data generated by the device can be easily made available to the user. The manufacturer is not allowed to collect or use data on its own without a contract with the user. The user can oblige the manufacturer to share data with third parties. However, the data act allows the manufacturer not to disclose data containing trade secrets. In practice, challenges may arise from keeping confidential information separate from the other data being shared and from demonstrating that the data requested meets all the criteria of a trade secret.
The changes brought by the data act require companies to react to the new regulation and to develop new data-sharing contracts. Companies must ensure that they have clear internal processes and contracts for collecting and sharing data, taking into account the requirements of the data act and the applicable data protection legislation. The EU intends to publish model contract clauses for implementing the data act in contract terms before the data act becomes applicable, but many case-by-case issues remain to be assessed by the companies themselves.