EU Data Act

A brief guide to the new legislation that aims to improve data sharing, governance, and innovation in the European Union.

What is the EU Data Act and how does it affect your organisation?

The Data Act is a regulation that will set the rules and standards for data sharing and reuse in the European Union. This aims to create a single market for data, where data can flow freely across borders and sectors, and where data holders and users can benefit from fair and transparent conditions for data access and use. Furthermore, the Data Act will foster innovation and competitiveness, and protect the rights and interests of users and data providers.

The Data Act is part of the EU's broader data strategy, which aims to make the EU a leader in the data economy while maintaining European values. The EU's Data Strategy includes other data economy initiatives. The first notable initiative is the creation of European Data Spaces, which are sector-specific data platforms and ecosystems that enable data sharing and collaboration among public and private actors. Another part of the EU Data Strategy is the Data Governance Act, a regulation that establishes the legal framework and mechanisms for data governance and data intermediaries. The strategy is further supplemented by cybersecurity initiatives. 

 
Data access and data sharing
  • Connected products and related services must be designed and manufactured in such a way that users (consumers as well as corporate users) have free and easy access to data generated by such products or services. 
  • If the data is not readily accessible, users can request access to it, or may ask the data holder to share it with a third-party data recipient.
  • Data holders can generally request compensation for third-party data access, though this must be under ‘Fair, Reasonable and Non-Discriminatory’ terms.

How could this be applied in practice? 

  1. Market service providers will be able to improve and innovate their services and compete on an equal footing with comparable services offered by manufacturers. Therefore, users of connected products (including consumers, farmers, airlines, construction companies or owners of buildings) could opt for a cheaper repair and maintenance provider (or maintain and repair themselves) and benefit from lower prices on that market. According to the European Commission, this could extend the lifespan of connected products, thereby contributing to the Green Deal objectives.
  2. More data increases productivity: Availability of data relating to the functioning of industrial equipment will allow factories, farms or construction companies to optimise operational cycles, production lines and supply chain management. More available data also means that AI solutions work more efficiently. 
  3. In precision agriculture, IoT analytics of data from connected equipment can help farmers analyse real time data like weather, temperature, moisture, or GPS signals and provide insights on how to optimise and increase yield, improve farm planning and make smarter decisions about the level of resources needed.
  4. Increased business and manufacturing efficiency should lead to a reduction of waste, energy consumption and CO2 emissions.
 
Unfair terms

The Data Act prohibits businesses from unilaterally imposing “unfair” contractual terms concerning access and use of data: 

  • The rules cover all data, both personal and non-personal, held by a private entity that is accessed and used based on a contract between businesses.
  • Clauses that do not pass the “unfairness test” will not be binding on European enterprises including SMEs.
  • Such provisions also apply when a company is required to make data available to another company under EU or Member State law.

Here are some examples that might be considered as unfair contract terms if used in the context of data access and use: 

  1. Exclusion or limitation of remedies.
  2. Exclusion or limitation of liability.
  3. Excessive modalities of termination of a data sharing contract.
  4. A contributor generating the data is not entitled to use the value of the contributed data.
 
Making data available to EU and public sector bodies in case of exceptional need

EU and member state public sector bodies are granted certain rights of access to data held by companies where there is an exceptional need. 

  • All data is in scope, with a focus on non-personal data.
  • Exceptional need refers to a situation which is unforeseeable and limited in time, where the data held by a private entity is necessary for the performance of the public interest task, notably to improve evidence-based decision making. 
  • Situations of exceptional need include both public emergencies (such as major natural or human-induced disasters, pandemics and cybersecurity incidents) and non-emergency situations (for example, aggregated and anonymised data from drivers’ GPS systems could be used to help optimise traffic flows).

As an example provided by the European Commission:

During the COVID-19 pandemic, aggregated and anonymised location data from mobile network operators was essential for analysing the correlation of mobility and the spread of the virus, including informing early warning systems for new outbreaks and taking the right measures to combat the crisis.

 
Switching between data processing services

The switching obligations have a notably broad scope and apply to providers of cloud and similar data processing services, including IaaS, PaaS and SaaS providers. 

  • They aim to make it easier for users to switch between these services or take certain operations in-house by imposing requirements meant to remove obstacles to effective switching between providers.
  • The Data Act contains minimum requirements for the content of cloud contracts. Such requirements include data portability assurances, standardisation and interoperability measures, and contractual safeguards with regard to the switching process and a gradual elimination of switching fees by 2027.

Examples:

Reasons for businesses to switch between data processing services include cost optimisation, performance improvements and mitigation of vendor lock-in effects. 

 
Transfer of non-personal data and unlawful international governmental access

Similar to the GDPR, the Data Act ensures that the protection afforded to data in the EU travels with any data transferred outside the EU. Therefore, it includes provisions on the transfer of non-personal data. 

  • Providers of data processing services must implement safeguards to prevent unauthorised access to non-personal data stored in the EU by non-EU government bodies.

Other

Further to the above, the Data Act contains stipulations regarding standardisation and interoperability, notably in the context of European Data Spaces.

  • European Data Spaces are envisioned as a network of secure environments where businesses and organisations can share data relevant to specific sectors like healthcare, finance or manufacturing. 
  • The Data Act is meant as a blueprint for further and more specific legislation that aims to facilitate data sharing.
 

The Data Act in practice

As previously mentioned, the Data Act is relevant for almost any company, but often in different ways: 

  • Manufacturers of connected devices: whether it is connected fridges, cars, jet engines or advanced machinery, manufacturers will have to take the Data Act’s data access obligations into due account. This will be required both when designing their products, and with regard to additional services related to their products that rely on such data. Business models for selling services to customers using their data will come under scrutiny.
  • Customers and third-party data recipients (with some exceptions): can rely on the Data Act to get access to data generated by connected products, for example to improve their own services or to develop new services. Airlines can leverage the Data Act to get access to engine data to plot more fuel-efficient routes, and third parties can get access to hardware data to provide maintenance services in addition to the manufacturer.
  • Companies offering cloud solutions (such as SaaS) will have to review and often amend their contracts, operations and software products to comply with the Data Act’s switching obligations.

The Data Act is a piece of legislation that creates both challenges and opportunities for various stakeholders in the data ecosystem. As a firm that focuses not only on legal practice groups but also on industry sectors, we see that this can play out differently in different industries. For example, the automotive industry has been very active around the topic of data sharing and the Data Act, whereas some other industries such as the airline industry seem to be more at the start of what opportunities the Data Act can bring (see here, for example).

The Data Act is very much interdisciplinary: it is a new regulation in its own right, with new concepts that will no doubt lead to conflict amongst parties, case law, and regulatory guidance and enforcement. At the same time, it is very strongly interwoven with other notable areas of law, such as data protection, intellectual property, trade secrets, competition law and IT law, all of which are explicitly mentioned in the Data Act. Properly navigating the Data Act often requires interdisciplinary advice. Bird & Bird has top tier rankings in all of these practices, and through the involvement of an active and diverse internal community on the Data Act, ensures that all of that expertise and knowledge finds its way into the advice that we provide to our clients.

 


Staying up to date with the Data Act

The Data Act was formally adopted on 27 November 2023 and most of its obligations will apply from September 2025 onwards. Still, there are going to be a lot of legislative projects in this area, as the Act identifies various explicit deliverables for the European Commission, such as Delegated Acts (monitoring of switching charges), Implementing Acts (interoperability for data processing services) and Guidelines on the calculation of reasonable compensation for making data available.

Moreover, the Data Act introduces a blueprint for future data sharing legislation, as evidenced by the reference to the Data Act by the Payment Service Regulation and Financial Data Access regulation, the European Health Data Space and the Proposal on access to in-vehicle data. With a dedicated Regulatory and Public Affairs team, we make sure to stay on top of any and all developments related to the Data Act.

There are parts of the Data Act where Member States need to nominate authorities, need to lay down rules on penalties for infringements, or need to notify the Commission about developments. Having offices with local experts across Europe means that wherever you operate, we can support you in navigating the local nuances of how the Data Act will apply. 

Reach out to our Bird & Bird contacts for support in your compliance journey.

 


Why Bird & Bird?

We advise multinational companies on a range of Data Act matters, and almost always in the context of multi-jurisdictional projects. 

A snapshot of our recent experience

  • We provided a mobility company with a scoping exercise on the initial impact assessment of the potential applicability of the proposed EU Data Act on the connected products and services offered by a leading European company in the mobility sector. 
  • Provided a German footwear company with a high-level assessment of how the proposed Data Act may apply to its business.
  • Provided advice to an American multinational telecommunications conglomerate with regard to the applicability of the Data Act on its services, with a focus on Data Processing Services and switching.
  • Providing ongoing strategic and operational advice to a leading US tech company in relation to its suite of hardware and software products and their compliance with the Data Act.
 

Accolades

The practice combines a high level of data protection knowledge with knowledge of our business model and develops practical solutions. Communication with our business areas works very well, something that other law firms often find difficult.

Legal 500, EMEA - Tier 1

The team provides seamless coordination even when cross-border. It applies strong commercial and market awareness, it is quick to respond and a pleasure to work with.

Chambers, Europe-wide TMT – Band 1

Bird & Bird have a lot of experience advising technology companies and good regional coverage.

Chambers, Europe-wide Data Protection – Band 1

They have a fantastic reputation and a global impact which is very helpful for our international clients.

Chambers, Europe-wide IP – Band 1