Digital The "Data Act" Key provisions of the Data Act

Key provisions of the Data Act

What concrete changes?

The Data Act introduces new rights and obligations on access to data and their usage. These provisions were designed to make the data economy fairer, more competitive and more innovative.

The main elements are explained below.

Sharing of IoT data (Chapter II)

  • What? The Data Act ensures that users of a connected product or related service in the EU have access to data generated by the use of that connected product or related service and that those users can use the data, including by sharing them with third parties (data recipients) of their choice. Chapter II applies to personal and non-personal data, with the exception of content, concerning the performance, use and environment of connected products and related services (IoT – from smart cars and thermostats to industrial robots and agricultural machinery, etc.).
     
  • How? In principle, connected products and related services must be designed, manufactured and provided in such a manner that (“data access by design and by default”) product data and related service data, including the relevant metadata necessary to interpret and use those data, are, by default, accessible to the user. Users must have access to these data (or have direct access where relevant and technically feasible) easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format. The data holder must also provide the data to a third party (data recipient) at the request of the user and may then ask a reasonable compensation from the third party.
     
  • What are the main limits to the data access rights?
    • It is forbidden for users and/or third parties to develop a connected product that competes with the connected product from which the data originate.
    • It is also forbidden to use data to derive insights about the economic situation, assets and production methods between the user and holder, as well as between the third party and the holder.
    • Specific rules and even exemptions are provided for SMEs (see below). 
    • Enterprises designated as gatekeepers according to Article 3 of Regulation (EU) 2022/1925 (“Digital Markets Act” - DMA) are not third parties entitled to data access. 
    • Where the user is not the data subject whose personal data is requested, any personal data are made available by the data holder to the user and/or third party only where there is a valid legal basis for processing under Article 6 of the GDPR (Regulation (EU) 2016/679) and, where relevant, if the conditions of Article 9 of the GDPR and of Article 5(3) of the Directive on privacy and electronic communications (Directive 2002/58/EC) are fulfilled (for example, the consent of the data subject). 
    • The user and third party shall not use coercive means or abuse gaps in the technical infrastructure of a data holder which is designed to protect the data in order to obtain access to data. 
    • Users and data holders may contractually restrict or prohibit accessing, using or further sharing data for the safety of the connected product (the "safety and security handbrake” mechanism). 
    • Measures to protect the confidentiality of trade secrets must be respected (the “trade secrets handbrake” mechanism).

Obligations in B2B sharing situations (Chapter III)

  • What? In the context of business to business data sharing, i.e. when a data holder (enterprise) has a legal obligation to make data available to a data recipient (enterprise), the Data Act requires compliance with certain rules. Chapter III applies to any private sector data that is subject to statutory data sharing obligations. This opens the door to third parties’ competing services (for example, independent repairers, providers of comparison services, insurers or developers of innovative applications).
     
  • Conditions? In the context of business to business (B2B) data sharing, i.e. when a data holder (enterprise) has a legal obligation to make data available to a data recipient (enterprise), the following rules must be complied with: 
    • The conditions related to data sharing must be fair, reasonable, non-discriminatory and transparent. 
    • Data holders who are required to share data must agree with the data recipient on a compensation (taking into account in particular the cost incurred in making the data available and investments in the collection and production of data) that is non-discriminatory and reasonable and that may include a margin. Where the data recipient is an SME or a not-for-profit research organisation, the compensation shall not exceed the cost incurred in making the data available. 

o    Protection related to the unauthorised use or disclosure of data: Data holders may apply appropriate technical protection measures (smart contracts and encryption) to prevent unauthorised access to or disclosure of data. The Data Act also lists the unauthorised use or disclosure cases (for example when the data recipient: provided false information to a data holder to obtain data, used the data to develop a competing product, unlawfully disclosed the data to another party, removed technical protection measures applied by the data holder without the latter’s consent) following which the third party/recipient must take action (for example remove the data, inform, compensate the aggrieved party) upon request of the holder or user.

Unfair contractual terms related to data access and use between enterprises (Chapter IV)

  • What? To avoid that contractual imbalances between enterprises impend fair access to and use of data, the Data Act provides that contractual terms unilaterally imposed by an enterprise on another enterprise (irrespective of its size) are not binding if they are unfair. Chapter IV is applicable to all data from the private sector that are accessed and used based on agreements between enterprises.
     
  • Conditions?  Unfair terms that meet the following conditions are targeted:
    • They are unilaterally imposed by an enterprise to another enterprise (“take it or leave it”);
    • They concern access to and usage of the data or liability and remedies for the breach or the termination of data related obligations; and
    • They concern contractual terms the use of which grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing.
       
  • Examples: The Data Act establishes a “black” list of contractual terms considered in all cases as unfair (for example: if the object or effect is to exclude or limit the liability for intentional acts or gross negligence...) and a “grey” list of contractual terms presumed to be unfair (for example: if the object or effect is preventing the party upon whom the term has been unilaterally imposed from using the data provided or generated by that party during the period of the contract and/or from terminating the agreement within a reasonable period...).
     
  • Consequences? Unfair contractual terms are null and removed from the contract. The other contractual terms will remain binding if the unfair term can be separated from these other terms.

Access to data by public sector bodies on the basis of an exceptional need (B2G - Chapter V)

In specific and exceptional situations, public sector bodies of the member States and European institutions may request access to data. This chapter is applicable to all private sector data, with a focus on non-personal data as regards cases outside of public emergencies (specific task carried out in the public interest).
 

  • When?
    • Public emergencies: For example: natural disasters, pandemics or other large-scale calamities in which data is needed to respond appropriately (for example: geolocation data to contain a pandemic).
    • Non-emergency situations: If a public sector body needs to use data to fulfil a specific task carried out in the public interest that has been explicitly provided for by law and is unable to obtain such data by alternative means in a timely and effective manner (for example: transport data for urban transport planning).
       
  • Conditions: These requests are accompanied by strict conditions and safeguards. The request must be proportionate, the data necessary and the legitimate interests of the enterprise must be taken into account, particularly trade secrets.
     
  • Compensation: In principle, enterprises are entitled to fair compensation covering the technical and organisational costs incurred to comply with the request including, where applicable, the costs of anonymisation, pseudonymisation, aggregation and of technical adaptation, and a reasonable margin, except in cases where a request is made to respond to a public emergency. In that case, the data are made available free of charge, except for data holders that are micro or small enterprises, which are entitled to fair compensation even following requests made to respond to public emergencies.
     
  • Exception:  This obligation is not applicable to micro and small enterprises, except in cases of public emergencies.

Facilitate the switching between cloud services and other data processing services (Chapter VI)

The Data Act aims to combat vendor lock-in in cloud services and other data processing services and to foster competition.
 

  • Facilitate switching:
    • What? Providers of data processing services (such as IaaS, PaaS, SaaS) must enable their customers (enterprises and consumers), both at the technical and contractual level, to switch their data and applications more easily to another provider or back to their former systems (on site).
    • Withdrawal of switching charges: Any charges that customers have to pay to switch providers must be completely eliminated within a specified period (maximum three years after the Data Act comes into force). Only costs directly incurred during the switching period may still be charged.
    • Contractual clarity: Contracts must provide clear information on the switching process and available assistance.
       
  • Interoperability:
    • Providers must comply with certain open interoperability specifications as well as European standards to improve data and application portability between different services.

International access and transfer of non-personal data (Chapter VII)

The Data Act introduces safeguards to prevent non-personal data stored in the EU from being unlawfully transferred to or accessed from third countries, in a manner comparable to the protection offered by the GDPR with regard to personal data.
 

  • What? Providers of data processing services must take all reasonable and adequate technical, organisational and legal measures to prevent such unlawful access and transfer.
     
  • Transparency: There must be transparency regarding the place where the data are processed.
     
  • Exceptions: Transfer is allowed in case of international agreements (such as an adequacy decision) or if appropriate safeguards are offered.

Foster interoperability (Chapter VIII)

The Data Act includes provisions regarding interoperability in order to optimise the flow of data within the UE and support the development of sectoral data spaces.
 

  • Essential requirements: The European Commission is empowered to lay down essential requirements regarding data interoperability, data sharing mechanisms and services, and tools for automating the execution of data sharing agreements, such as smart contracts.
     
  • Standardisation: The development of European standards supporting this interoperability is encouraged.

Back to top