Data Act: These Changes Will Be Introduced By the European Data Law
Meaning and Aim Of the Data Act
The Data Act is intended to strengthen and improve the use of data in many different areas and contribute to value creation. This makes it the second pillar of the EU data strategy alongside the Data Governance Act. The latter regulates the processes and structures that should enable the exchange of data. The Data Act, on the other hand, is dedicated to a different question: Who can create value from data and under what conditions?
- The Data Act therefore regulates the following important points:
- Transfer of data between companies or between companies and consumers
- Obligations of data holders who are obliged to provide data according to the EU
- Prohibition of unfair contract terms for data access and use between companies
- Provision of data to public authorities (B2G)
- Contractual regulations and technical implementation when switching between processing services (‘cloud switching’)
When it comes to the handling of personal data, the General Data Protection Regulation (GDPR) contains important requirements. We have compiled the most important judgements and risks for you in our GDPR Fact Check.
When Does the Data Act Come Into Force?
The Council of the European Union adopted the regulation on 27 November 2023. The law then came into force on 11 January 2024. After a transitional period of 20 months, the new regulation will apply directly from 12 September 2025.
These Parties Are Affected
The Data Act brings new requirements for various parties. These include manufacturers, users and data owners of networked devices such as household appliances, machines and cars. New obligations also await providers of data processing services (cloud providers). The Data Act aims to strengthen the rights of third parties. For example, the provision of data to public authorities is highly likely to affect all companies - the only exceptions are for smaller businesses. These are regulated in Chapter 2, which primarily deals with the transfer of data between companies or from companies to consumers.
Please note: Users can be both legal entities (companies) and natural persons (consumers). The decisive factor is always whether someone has purchased, rented or leased a suitable product.
The regulations apply regardless of where the respective company is based, as the market location principle applies. If an offer is aimed at the European market, it must be subject to the regulations of the Data Act.
Scope Of Application
The new regulation relates to data that is generated when using networked products or connected services. This also applies to data that is not personal data. The scope of application of the Data Act therefore goes beyond that of the GDPR. Article 2 defines a number of important terms in order to precisely delimit the scope of application. This affects IoT (Internet of Things) or IIoT (Industrial Internet of Things) devices. These products automatically obtain, generate and collect data about the environment due to their networked functionality. Tablets, smartphones, cameras, webcams and text scanners, on the other hand, are not covered by the new regulation, as they require human input to generate data.
The Most Important Points Of the Data Act
The Data Act contains many new regulations. We take a look at the most interesting points:
Sovereignty Of Use Over Your Own Data
In future, users of networked devices will have sole control over how the data they have contributed to is handled. The Data Act aims to make it possible to analyse such data in future and pass it on to third parties in a regulated manner. To make this technically feasible, manufacturers must structure their offers in a way that allows access to this data.
Example Of Data Exchange in B2B: Machine Data
Machines generate a lot of data that can be of interest to various parties. If, for example, the manufacturer of a computer component wants access to the operating data of its product, this could previously be freely organised in contracts. However, depending on the market power of the parties involved, these contracts were very one-sided. The Data Act aims to counteract this imbalance. It only gives users the right to determine how their data is used and to pass it on to third parties.
Change Of Data Processing Service
In addition, it should be easier for users to switch data processing services. This means new obligations for data infrastructure providers: they must support the migration of users by removing commercial, technical, contractual and organisational obstacles that may prevent a smooth transition. In addition, migration fees are to be reduced step by step.
Access Rights Of Public Institutions
The Data Act gives public organisations extended access rights. Data owners must make data available to public organisations upon request if there is an ‘exceptional need’ for the use of the data. This applies, for example, to combating natural disasters. In such a situation, a public organisation can demand that companies provide data free of charge. However, if the state ‘only’ wants to fulfil its obligations but has no chance of obtaining the necessary data elsewhere, the data owners concerned can demand compensation for expenses.
Regulations For Companies
The following new provisions of the Data Act will be particularly relevant for companies:
Making Data Accessible:
Chapter 2 of the Data Act (data transfer from companies to consumers and between companies) is particularly relevant for B2B and B2C. Article 3 regulates the obligation to make data that is generated when using networked products or services accessible.
Information Obligations:
Article 3(2) deals with the pre-contractual information obligation prior to the conclusion of a purchase, rental or leasing contract for an IoT product. Relevant information should be presented transparently to ensure fairness for users. Relevant information includes, for example, the type of contract and the scope of the data. It is also important to provide information on the question of whether a connected product generates data continuously and in real time and whether it is possible to make this data available in a comprehensible manner.
Access To Product Data:
Article 4 governs the right of users and data owners to access their product data. Associated service data and the right to use it are also included in this area. In general, users should become more aware of their rights in this way. At the same time, the Data Act aims to ensure fair competition.
According to Article 4(13), data controllers may only process data that is readily available and not personal data if there is a contractual agreement with the users. The term ‘readily available data’ means product data and related service data that data holders can obtain without disproportionate effort. It may then be necessary to conclude data licence agreements.
Data Traffic:
Article 5 of the Data Act regulates data traffic, including the disclosure of data to third parties. This must take place at the request of the user.
Change Of Data Processing Service:
Chapter 6 describes the customer's right to change data processing service free of charge and to transfer exportable data to the new service. There must be no obstacles that make this change unnecessarily difficult. Data processing services must also actively help consumers to switch - for example by adapting contractual clauses and complying with information obligations.
Interoperability:
Regulations on interoperability can be found in Chapter 8. The term interoperability describes the ability of different systems, networked products or applications to exchange and use data in order to fulfil their function. In future, services must work with open interfaces and standards in order to strengthen this interoperability. This regulation is also intended to make it easier to switch between cloud services.
Prohibition Of Unlawful Terms:
Article 13 contains a ban on unfair terms with regard to data use and data access. A clause is generally considered unfair if it is too one-sided. The Data Act also includes a competition and antitrust law component to ensure a fair data economy.
All of these regulations can be enforced contractually by the customer or by the state through sanctions. Violations can result in fines of up to 20 million euros or four per cent of annual global turnover.
Your Coverage In the Event Of Data Protection Breaches
New laws naturally raise many questions for affected companies. These include the threat of unintentional violations and whether these consequences can be mitigated in any way.
With Professional Indemnity Insurance through exali, you not only have a reliable partner at your side for classic financial losses. You are also covered for fines, for example due to data protection violations, as long as this is possible under applicable law. If you receive a written warning from a competitor, for example, the insurer will check the legality of this warning and, if necessary, pay the amount of the damage. If the claims prove to be unfounded, they will be defended on your behalf.
If you have any questions, our customer service is there for you from Monday to Friday from 09:00 am to 06:00 pm (CET). You can reach us on + 49 (0) 821 80 99 46 0 or simply use our contact form - we will call you back.
Why the Rules Of the Data Act Are Needed
The sensible use of data is important to drive the growth of companies. For this to succeed, existing data needs to be used democratically - according to the Data Act, no party should decide on this alone. If someone has contributed to the creation of data, they are entitled to use it in their own legitimate interests. At the same time, there needs to be sufficient protection for sensitive data. This creates incentives to promote data-driven innovation.
Data Act and GDPR
The GDPR remains fully applicable even after the Data Act comes into force. When collecting personal data that also falls under the Data Act, both laws must be observed. According to the Data Act, the processing of personal data still requires a legal basis and must be carried out in accordance with the GDPR. However, the Data Act itself is not a basis for this - consent is therefore still likely to be required under the GDPR. The provisions of the AI Act should also be observed in this context. You can find the regulations in detail here: AI Act: These Innovations Will Be Introduced By the New Law.
Data Act: Europe's Data Policy Of the Future
The Data Act will expand the possibilities for data utilisation and be forward-looking for the handling of data. In order to include various addressees in the regulation, many new regulations are necessary. If you want to implement them correctly, it is best to familiarise yourself with the new requirements as early as possible. This will allow you to make the most of the opportunities offered by the regulation.