The Data Act is one of five new regulations that have been or will be enacted by the EU as part of the European Data Protection Strategy. Its main aim is to make data more usable by enabling and optimising the (joint) use and exchange of data in the economic value chain. The Data Act is intended to regulate the exchange and use of data between companies (B2B), between companies and consumers (B2C) and between companies and public authorities (B2G). As with all EU regulations, the focus is on strengthening the rights of consumers/affected parties – the “sacred cow” of European legislation.
When does the Data Act come into force?
The Data Act was adopted by the Commission in February 2022 and formally approved by the European Parliament and the Council of the EU in June 2023. The Data Act will then come into force in 2025.
What is the Data Act supposed to achieve?
Currently, users of IoT devices in particular are often unclear about their own rights in relation to the data generated by the devices or, if rights already exist, it is difficult to enforce them. The Data Act is intended to create more fairness here and generate a legally secure breeding ground for a more extensive use of data.
Who is affected by the provisions of the Data Act?
Users, data owners and data recipients are affected by the provisions of the Data Act.
- Users within the meaning of the Data Act are natural or legal persons who own, rent or lease a product or utilise a service (see Art. 2 No. 5 DA).
- Data controllers within the meaning of the Data Act are legal or natural persons who are authorised or obliged, or in the case of non-personal data and through control over the technical design of the product and associated services, are able to provide certain data (see Art. 2 No. 6 DA).
- Data recipients within the meaning of the Data Act are legal or natural persons who are acting for purposes relating to their trade, business, craft or profession, without being users of a product or related service, and who are provided with data by the data controller (see Art. 2 No. 7 DA).
In addition, natural and legal persons have the right to lodge a complaint with the competent authority (see Art. 32 DA) if they believe that their rights under the Data Act have been violated. Each member state decides for itself who the competent authority or authorities are. According to Art. 31 DA, each Member State shall designate one or more competent authorities responsible for the application and enforcement of the DA. The member states can either set up new authorities or rely on existing authorities.
What sanctions does the Data Act provide for?
With regard to the sanctions to be imposed for violations of the provisions of the Data Act, Art. 33 DA stipulates that the Member States must issue provisions on sanctions that must be effective, proportionate and dissuasive. The Member States must notify the EU Commission of the provisions and measures adopted by the date of application of the Data Act. Secondly, Art. 33(3) and (4) DA refer to the GDPR’s sanction regulations for certain violations of the DA.
What are the key regulatory contents?
The Data Act aims to make data more usable in the EU and, in particular, increase legal certainty for companies and consumers. Against this background, the central regulatory content of the Data Act is:
- Obligation of data owners to share data with users or data recipients.
- Users should have access to the data generated by their use.
- Prohibition of unfair data access and use clauses in B2B contracts.
- Protective regulations to prevent unlawful data transfers and to increase reliability and security in the data processing environment.
- Regulations regarding the international transfer of data to prevent unlawful access to non-personal data by foreign state authorities.
Is the Data Act a curse and/or a blessing?
The EU means well with the Data Act. It is intended to help develop and improve innovative data-driven services in the EU by simplifying access to data. The aim is to encourage companies and individuals to make their data available for the common good.
However, the Data Act is already being criticised by consumer advocates and business associations. Even under the Data Act’s regulatory regime, the exchange of data would remain difficult to delimit and manage. This could lead to consumers being overburdened, which could potentially be exploited by companies. The business organisations fear that the obligations imposed by the Data Act on data transparency and data control will torpedo the Data Act’s own core objectives. The new requirements could restrict companies in their contractual freedom; business secrets could possibly no longer be protected efficiently.