Topic : Privacy & Data Protection
Authors : Georgi Sulev, Violetta Kunze
The Data Act enters into force on 11 January 2024 and applies from 12 September 2025
Background information
The Data Act (Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828) aims to harmonise the rules on fair access to and use of data. According to the European Commission this Regulation is a key pillar of the European strategy for data that will make important contribution to the digital transformation objectives.
The Data Act clarifies who can create value from data and under which conditions and complements the Data Governance Regulation (Regulation (EU) 2022/868). The Data Act applies to both personal and non-personal data while the GDPR and Directive 2002/58/EC will continue applying as lex specialis. Personal Data Protection Authorities will be responsible to monitor the application of the Data Act insofar as the protection of personal data is concerned.
The Data Act applies to manufacturers of connected products, also called the "Internet of Things" (IoT), and providers of related services placed and provided on the market in the EU, users, data holders, and data recipients in the EU. The Data Act applies to providers of data processing services, i.e., cloud services offering services to customers in the EU. This Regulation has extraterritorial scope and applies to the manufacturers of connected products and providers of related services that operate in the EU, regardless of their place of establishment.
Manufacturers and providers are obliged to make connected product data and related service data accessible to the user. The obligation applies to connected products and the services related to them placed on the market after 12 September 2026. Sellers (renters) and service providers should ensure a minimum level of transparency of the data the product or service is capable of generating. “Connected products” is a broad category that includes any device that generates or collects data concerning its use or environment and can communicate product data via an electronic communications service, physical connection, or on-device access. “Related services” are digital services, other than electronic communications services, including software, which is connected with the product and its absence would prevent the connected product from performing its functions, or which is subsequently connected to the product to update or adapt the functions of the connected product.
Data holders are required to share data under FRAND and transparent conditions. The Data Act prohibits the sharing of data with designated gatekeepers under the Digital Markets Act. The Regulation also lists contractual terms concerning access to and the use of data and liability and remedies for the breach or the termination of data-related obligations, which are deemed or presumed as unfair and therefore prohibited. These prohibitions apply to contracts concluded after 12 September 2025. For contracts concluded on or before that date, the provision on unfair terms applies from 12 September 2027 provided that the contracts are of indefinite duration or due to expire at least 10 years from 11 January 2024.
The Data Act impacts providers of private and public data processing services, i.e., cloud service providers, by requiring providers to enable customers to switch to a data processing service, covering the same service type, which is provided by a different provider. In this regard, the Regulation lays down specific requirements for contractual terms concerning switching as well as commercial and technical requirements facilitating the transfer of data between competing cloud services. Switching charges will be fully abolished from 12 January 2027 after a three-year transitory period of cost-based charges.
Cloud service providers shall take technical, organisational, and legal measures to prevent international and third-country governmental access and transfer of non-personal data held in the Union where such transfer or access would create a conflict with European Union law or national law. Furthermore, cloud service providers will be subject to interoperability obligations between data processing services.
What comes next? The Data Act enters into force on 11 January 2024 and becomes applicable from 12 September 2025 by which date Member States must adopt the rules on penalties applicable to infringements and appoint one or more competent authorities to be responsible for the application and enforcement of the Regulation. Manufacturers and importers of connected products and providers of related services should begin reviewing their products design and contracts. Cloud service providers should begin their compliance exercise by immediately reviewing their switching charges and prepare to align the contractual and technical aspects of switching with the requirements of the Regulation.
The authors are DGKV's Partner Violetta Kunze and Senior Associate Georgi Sulev.
More on the Data Act:
The EU Data Act and the manufacture and supply of AI-driven products and AI services