On November 27, 2023, the Council of the EU formally adopted the Data Act, following the European Parliament’s endorsement of November 9, which concludes the EU legislative process. As noted below, the Data Act will shortly be published in the Official Journal and become enforceable in 2025.
The Data Act is designed to require entities to make data, including non-personal data, accessible to other parties, so that it can be re-used for new purposes. The Data Act’s obligations are broad and may require significant engineering work to re-design products to ensure compliance.
We provide below a brief overview of key takeaways and timelines.
As previously reported in our blog posts (here and here), the Data Act covers both personal and non-personal data that is obtained, generated, or collected by connected products and/or their components, and related digital services. It will apply to a variety of entities, including (i) manufacturers of connected products (i.e., physical products capable of collecting or generating data concerning their use or environment, and of communicating product data); (ii) suppliers of related services (i.e., digital services, including software, integrated into or associated with a connected product); (iii) “data holders” that have the right or obligation to use or make data available; and (iv) providers of data processing services.
The Data Act sits alongside a growing cast of existing and planned EU data-related laws, such as the GDPR (especially in relation to the right of access and data portability), the Data Governance Act (see our previous blog post here), the proposed European Health Data Space (see our previous blog post here), and the Digital Markets Act (see our previous blog post here).
The Data Act imposes a range of obligations, including:
- Obligations for manufacturers to design their products so that data generated or captured by those products are available to users of the product for free and ideally directly;
- Measures regulating contractual terms in data sharing contracts between parties, such as data holders and users or third parties;
- Rights to access and share data generated through the use of connected products and related services;
- Measures to promote the development of interoperability standards; and
- Mechanisms for public bodies to access private sector data in case of public emergencies.
The new obligations may require organizations to plan for making previously proprietary data accessible to users and to roll out new contracts that are Data Act compliant. The obligations will also apply to a broad range of products generating “non-personal data” – for example, industrial and commercial machines sold business-to-business – which were previously largely unregulated under EU data laws but will now need to be re-assessed.
The Data Act will enter into force on the twentieth day after its publication in the Official Journal of the European Union, which is expected in the coming weeks. The regulation will then become enforceable 20 months after its entry into force – i.e., in mid-2025.
The access requirement will apply to connected products and related services placed on the market after 32 months from the Act’s date of entry into force – i.e., in mid-2026.
Although the regulation will not be enforceable for some time, organizations should begin assessing their compliance strategies well in advance of the enforcement deadline, as the new obligations may require significant time to plan and roll out technical solutions.
Covington’s Data Privacy and Cybersecurity Practice Group has deep experience advising clients on European data-related and privacy regulations, including on the implementation of the Data Act, Data Governance Act and data spaces such as the EHDS. If you have any questions on how the Data Act and other upcoming EU legislation will affect your business, our team is happy to assist.