At the end of November 2023, the European Council adopted the wording of the proposal for a regulation on harmonised rules on fair access to and use of data (Data Act). The Data Act will enter into force on the twentieth day following that of its publication in the Official Journal of the European Union and shall apply 20 months from then.
What does the Data Act aim to do?
The Data Act aims to:
- Ensure fairness in the allocation of value from data among actors in the digital environment
- Stimulate a competitive data market
- Open opportunities for data-driven innovation
- Make data more accessible to all
It will allow users of connected devices to gain access to data generated by their use which is often exclusively harvested by manufacturers and service providers. The Data Act provides for both personal and non-personal data.
What is a “product” for the purposes of the Data Act?
The Data Act provides that a product means an item which:
- Obtains, generates or collects data concerning its use or environment
- Is able to communicate data via a publicly available electronic communications service
- Does not store and process data as its primary function
Examples include smart household appliances to intelligent industrial machines.
The act also defines a related service as a digital service, including software, which is incorporated in or inter-connected with a product in such a way that its absence would prevent the product from performing one of its functions.
Which businesses are potentially impacted by the Data Act?
The Data Act applies to:
- Manufacturers of products and suppliers of related services (i.e. incorporated in or inter-connected with a product) placed on the market in the Union and the users of such products or services
- Data holders that make data available to data recipients in the Union
- Data recipients in the Union to whom data is made available
- Public sector bodies and Union institutions, agencies or bodies that request data holders to make data available where there is an exceptional need to that data for the performance of a task carried out in the public interest and the data holders that provide that data in response to such request
- Providers of data processing services offering such services to customers in the Union
What are the key requirements?
- Data access. There is an obligation on the data holders to grant users (i.e. natural or legal person that owns, rents or leases a product or receives a service, therefore applicable in both business-to-consumer and business-to-business relationships) access to data generated by the use of a product or related service. This includes upon request of the user, sharing the data with third parties. There are some restrictions on the access and uses of the data, for example, preventing the user or third party from utilising the data to develop a product that competes with the product from which the data originates.
- Product design and manufacture. Products must be designed and manufactured to ensure data generated by their use is accessible to the user.
- Provision of data. Where a data holder is obliged to make data available, it shall do so under fair, reasonable and non-discriminatory terms and in a transparent manner. The parties may agree compensation for the data holder for making the data available.
- Prohibition of unfair contract terms. In business-to-business relationships, unfair contract terms which have been unilaterally imposed concerning the access to and use of data shall not be binding. A term is unfair if it deviates from good commercial practice in data access and use, contrary to good faith and fair dealing.
- Making data available to public sector bodies. Where there is an exceptional need (e.g. a public emergency), data holders shall make data available to a public sector body.
- Service switching. Data processing service providers must take measures to ensure customers of their service can switch to another data processing service offered by a different service provider, including offering assistance during the switching process. There are also interoperability requirements.
Who oversees compliance?
Member States are required to designate one or more competent authorities. The competent authority (or authorities) will have various tasks and powers, including complaints handling, conducting investigations and imposing fines.
What are the penalties for non-compliance?
There is no fixed penalty under the Data Act; Member States shall lay down the rules and penalties applicable to infringements, provided that the penalties shall be effective, proportionate and dissuasive.
How does the Data Act impact UK business?
Although it is a piece of EU legislation, the Data Act will affect many UK businesses.
The Data Act would apply to a UK business to the extent it:
- Manufacturers products, or is a supplier of a related service in relation to a product, to be placed on the Union market,
- Is a data holder that makes data available to data recipients in the Union, or
- Provides data processing services to customers in the Union.
The information contained in this guide is intended to be a general introductory summary of the subject matters covered only. It does not purport to be exhaustive, or to provide legal advice, and should not be used as a substitute for such advice.