What is the European Data Act?
The European Data Act makes more data available for use, and sets up rules on who can use and access what data for which purposes across all economic sectors in the EU.
According to Article 1, Subject matter and scope:
1. This Regulation lays down harmonised rules, inter alia, on:
(a) the making available of product data and related service data to the user of the connected product or related service;
(b) the making available of data by data holders to data recipients;
(c) the making available of data by data holders to public sector bodies, the Commission, the European Central Bank and Union bodies, where there is an exceptional need for those data for the performance of a specific task carried out in the public interest;
(d) facilitating switching between data processing services;
(e) introducing safeguards against unlawful third-party access to non-personal data; and
(f) the development of interoperability standards for data to be accessed, transferred and used.
Consequences of the EU–US clash over the EU Data Act and Data Governance Act (DGA)
On Tuesday 23 December 2025, the United States Department of State announced the imposition of visa restrictions on five European individuals whom it accused of engaging in actions that allegedly undermined freedom of expression and targeted U.S. based digital platforms. According to the U.S. authorities, the measures were adopted under existing immigration powers allowing the denial of entry to foreign nationals whose conduct is deemed contrary to U.S. foreign policy interests. The State Department stated that the affected individuals had been involved in activities described as efforts to pressure or coerce American technology companies into suppressing lawful speech.
This is part of a broader policy position of the U.S. administration, which framed the actions as a response to what it characterised as an expanding pattern of foreign regulatory interference in the operation of U.S. based digital services. The U.S. government asserted that certain European regulatory initiatives, including those linked to the European Union’s Digital Services Act, had the practical effect of restricting lawful expression and imposing extraterritorial constraints on American companies.
Among the Europeans whom the U.S. State Department barred from entering the United States is Thierry Breton, former European Commissioner for Internal Market, who was responsible during his term for supervising EU digital regulation, including the Digital Services Act. He has also been a prominent figure in public discussions about platform regulation.
The imposition of visa restrictions on European officials should not be viewed as an isolated measure. It must be viewed through the lens of U.S. policy, clearly explained in the announcement on visa restrictions targeting foreign nationals who censor Americans, where we read:
"Free speech is among the most cherished rights we enjoy as Americans. This right, legally enshrined in our constitution, has set us apart as a beacon of freedom around the world. Even as we take action to reject censorship at home, we see troubling instances of foreign governments and foreign officials picking up the slack. In some instances, foreign officials have taken flagrant censorship actions against U.S. tech companies and U.S. citizens and residents when they have no authority to do so.
Today, I am announcing a new visa restriction policy that will apply to foreign nationals who are responsible for censorship of protected expression in the United States. It is unacceptable for foreign officials to issue or threaten arrest warrants on U.S. citizens or U.S. residents for social media posts on American platforms while physically present on U.S. soil. It is similarly unacceptable for foreign officials to demand that American tech platforms adopt global content moderation policies or engage in censorship activity that reaches beyond their authority and into the United States. We will not tolerate encroachments upon American sovereignty, especially when such encroachments undermine the exercise of our fundamental right to free speech.
This visa restriction policy is pursuant to Section 212(a)(3)(C) of the Immigration and Nationality Act, which authorizes the Secretary of State to render inadmissible any alien whose entry into the United States “would have potentially serious adverse foreign policy consequences for the United States.” Certain family members may also be covered by these restrictions."
On Wednesday, 24 December 2025, the European Commission responded. This took the form of an official statement, reacting to the U.S. decision announced the previous day. In that statement, the European Commission expressed serious concern about the U.S. action and warned that it could take appropriate measures in response if necessary. The Commission characterised the U.S. move as unjustified, and stated that it was assessing the implications carefully.
The European Commission reaffirmed that the individuals targeted by the U.S. visa restrictions had acted within the scope of their professional and institutional responsibilities, and in accordance with European law. It rejected the assertion that their actions amounted to censorship, emphasising instead that the EU’s digital regulatory framework, including the Digital Services Act, is grounded in democratically adopted legislation and aims to ensure transparency, accountability, and the protection of fundamental rights online.
Commission officials underlined that freedom of expression is a core value of the European Union, and stated that EU digital legislation does not authorise political censorship or discrimination against lawful speech. They stressed that the regulation of online platforms falls within the sovereign competence of the European Union and that external pressure or unilateral measures against European officials were unacceptable.
No immediate retaliatory measures were announced.
The statement was a formal indication that the dispute is evolving beyond a political disagreement into a broader diplomatic escalation.
This U.S. action does not legally change either the Data Act or the Data Governance Act (DGA), but it materially affects their geopolitical interpretation, enforcement climate, and future evolution.
Strategic consequences (opinion, legal intelligence).
EU regulation vs. First Amendment.
The U.S. State Department’s decision to impose visa restrictions on European individuals is extraordinary for several reasons:
a. It is targeted, not symbolic.
b. It frames regulatory conduct as a free speech challenge, not a trade dispute.
c. It explicitly links EU platform regulation with alleged suppression of lawful speech on U.S. based platforms.
The EU’s emerging digital fairness agenda (including the Digital Fairness Act) is described in consumer protection and market regulation terms, targeting dark patterns and addictive design, not speech.
The U.S. political and legal narrative treats any state-driven pressure that changes platform curation, ranking, reach, or removal decisions as regulation of speech, implicating the First Amendment.

EU position: Democratic legitimacy allows regulation of platforms to protect citizens, elections, and societal cohesion.
U.S. position: Any state action that pressures platforms to remove or deprioritize lawful speech undermines constitutional principles.
Why was the U.S. reaction not routed through trade bodies or WTO mechanisms, but through visa restrictions under foreign policy?
The U.S. sees the DSA, the DMA, and the Digital Fairness Act (DFA) that follows, but also the EU Data Act and Data Governance Act (DGA), as we will see below, as strategic interference.
From a U.S. constitutional and strategic perspective, the EU digital regulation:
a. Shapes speech outcomes on U.S. based platforms.
b. Imposes normative European policy on global platforms.
c. Creates extraterritorial compliance pressure via fines and access restrictions.
d. Blurs the line between content moderation and state sponsored narrative control.
This explains why the U.S. reaction was not routed through trade bodies or WTO mechanisms.
The use of individual sanctions indicates a move toward personal deterrence, and a message to regulators worldwide that they may face personal consequences. This is highly unusual in transatlantic relations, and strongly suggests the U.S. sees certain regulatory actions as equivalent to state-backed coercive influence operations.
In Moody v. NetChoice, LLC (U.S. Supreme Court, 2024), the Supreme Court made one point unmistakably clear: Content moderation, ranking, and curation can constitute expressive activity protected by the First Amendment.
It is clear that the U.S. Supreme Court has constitutionalized the idea that algorithmic curation and moderation are expressive acts protected by the First Amendment. It means that when the EU regulates digital platforms, U.S. actors can credibly argue that such rules compel or restrict speech, even if the EU frames them as consumer protection or competition law.
This is why the DSA, DMA, and the Digital Fairness Act, though not about speech in the European legal taxonomy, can be reframed in the U.S. as speech regulation.
From a geopolitical and regulatory standpoint, the U.S. constitutional frame treats platform governance as a civil liberties matter. Moody v. NetChoice strengthens the U.S. position that regulatory pressure on platform design implicates fundamental rights.
This doctrinal divergence explains why U.S. officials reacted so sharply to EU actions, why individual regulators may now be targeted politically, but also why future disputes will likely escalate beyond trade or data protection forums.
Data Act, Article 4. An example of the different approach between the EU and the U.S.A.
Article 4 covers the rights and obligations of users and data holders with regard to access, use and making available product data and related service data.
In very simple terms, Article 4 provides that users of a connected product or related service have the right to access the data generated by their use of that product or service. Data holders must make such data available to the user, without undue delay, free of charge.
This provision establishes a default entitlement to data access, reversing traditional assumptions that the manufacturer or platform owns the data.
Article 4 alters the balance of power between users and data controllers. It indirectly constrains global business models dominated by U.S. firms, and embeds European regulatory norms into data governance. Providing data access requires architectural changes that affect global systems, not just EU facing operations. The EU is reshaping global digital governance in ways that challenge existing U.S. models.
Data Governance Act, Articles 3-5. An example of the different approach between the EU and the U.S.A.
According to Article 5.1 (Conditions for re-use), public sector bodies which are competent under national law to grant or refuse access for the re-use of data shall make publicly available the conditions for allowing such re-use and the procedure to request the re-use.
The Regulation applies only to specific public sector data, but includes:
1. Commercial confidentiality, including business, professional and company secrets.
2. Intellectual property rights of third parties.
From a U.S. perspective, this normalises state mediated data access mechanisms, and public sector involvement in access decisions. It frames data reuse as a governance matter, not a purely contractual one, and embeds this approach in binding EU law.
DISCLAIMER: The analysis presented here is provided for informational and educational purposes only. It does not express support for, or opposition to, any government, regulatory authority, political position, or policy approach. The objective is to assist risk, compliance, legal, and governance professionals in understanding evolving regulatory, legal, and geopolitical developments that may affect their professional responsibilities.
This content is intended to facilitate informed decision making by highlighting structural trends, regulatory interactions, and potential areas of operational impact. It does not constitute legal advice, policy advocacy, or an endorsement of any particular regulatory framework or political position. The perspectives discussed reflect an analytical assessment of publicly available information, and should be interpreted in the context of risk awareness, compliance preparedness, and strategic foresight only.
19 November 2025 - Digital Omnibus Regulation Proposal
In its Communication on implementation and simplification (‘A simpler and faster Europe’), the Commission presented its approach to adapting the Union’s regulatory framework to a more volatile world: a new drive to simplify, clarify and improve the EU acquis, as a key measure to support the EU’s competitiveness.
This vision reflects the broader plan laid out by Commission President von der Leyen in her political guidelines for the 2024-2029 term. As also highlighted in the Draghi and Letta reports, the accumulation of rules has sometimes had an adverse effect on competitiveness.
Fast and visible improvements are needed for people and businesses, through a more cost effective and innovation friendly implementation.
This is a proposal for amending:
1. Regulation (EU) 2016/679 (General Data Protection Regulation).
2. Regulation (EU) 2018/1724 (establishing a single digital gateway to provide access to information, to procedures and to assistance and problem-solving services).
3. Regulation (EU) 2018/1725 (on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data).
4. Regulation (EU) 2023/2854 (Data Act).
5. Directive 2002/58/EC (Directive on privacy and electronic communications).
6. Directive (EU) 2022/2555 (NIS 2 Directive).
7. Directive (EU) 2022/2557 (Critical Entities Resilience Directive (CER)).
and repealing:
8. Regulation (EU) 2018/1807 (on a framework for the free flow of non-personal data in the European Union).
9. Regulation (EU) 2019/1150 (on promoting fairness and transparency for business users of online intermediation services).
10. Regulation (EU) 2022/868 (Data Governance Act).
11. Directive (EU) 2019/1024 (on open data and the re-use of public sector information).
Right from the title the proposal states that it amends a series of existing instruments, including:
Regulation (EU) 2023/2854, the Data Act.
Regulation (EU) 2022/868, the Data Governance Act (DGA).
September 2024 - The European Commission publishes Frequently Asked Questions about the Data Act.
How does the Data Act interact with the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) is fully applicable to all personal data processing activities under the Data Act. The Data Act does not regulate as such the protection of personal data. Instead, the Data Act enhances data sharing and enables a fair distribution of the value of data by establishing clear rules related to the access and use of data within the EU’s data economy.
In some cases, the Data Act specifies and complements the GDPR (e.g. real-time portability of data from Internet-of-Things (IoT) objects). In other cases, the Data Act restricts the re-use of data by third parties (e.g. Article 6 of the Data Act). In the event of a conflict between the GDPR and the Data Act, the GDPR rules on the protection of personal data prevail (cf. Article 1(5) of the Data Act).
What is a ‘connected product’?
Connected products are items that can generate, obtain, or collect data about their use, performance, or environment and that can communicate this data via a cable-based or wireless connection. This includes communication of data outside the product on an ad hoc basis (e.g. during maintenance operations).
Connected products can be found in all areas of the economy and society. They include smart home appliances, consumer electronics, industrial machinery, medical devices, smartphones, and TVs (cf. recital 14).
Products which primarily fulfil the function of storing, processing, or transmitting data (e.g. servers and routers) are outside the scope of the mandatory data-sharing obligations under Chapter II, unless they are owned, rented, or leased by the user.
Similarly, the fact that a connected product (e.g. a wagon, airplane, or vehicle) must use certain infrastructure (e.g. railways, airports, or highways) to function does not entitle the user of that connected product to access data generated by, for instance, sensors that are part of that infrastructure. Access would only be granted if the user has received ownership or contractual rights over the sensors embedded in the infrastructure.
Finally, the Data Act specifies that prototypes are out of scope, as their manufacturing stage has not been completed.
A connected product falls within the scope of the Data Act if it has been ‘placed on the Union market’ (Article 2(22)). ‘Placing on the market’ concerns the transfer of ownership, possession, or any other property right between two economic actors that occurs after the manufacturing stage.
A connected product is ‘placed on the market’ only once. All subsequent operations are considered as ‘making available on the market’ (Article 2(21)).
The concept of placing on the market refers to each individual product, not to a type of product. The requirements laid out in the Data Act are therefore applicable only to individual products that have been placed on the EU market, and not to all products of that type.
Example:
Sara goes on holiday to Portugal for 2 weeks and needs to rent a car. The rental agency, Sunny Wheels, owns a fleet of cars bought from Omni Motors, a large car manufacturer.
Keen to exercise her rights under the Data Act, Sara asks Sunny Wheels to provide her with a ‘connected car’. Sunny Wheels has a contract with Omni Motors that ensures that Sunny Wheels and its clients can access the data generated by the car. Omni Motors has put in place a data management system that can simultaneously handle data access requests from the thousands of users of their cars.
Sara’s rental agreement contains detailed information on the data generated by the car, including how to access it.
The following are two possible ways of organising access to data generated by Sara’s rented car.
1. ‘Corporate accounts’: Sunny Wheels has a corporate account with Omni Motors. Sunny Wheels provides Sara with the details needed to log in to Omni Motors’ website and access the rented car’s data.
2. ‘Individual accounts’: Sunny Wheels informs Sara that she has to set up her own account and enter into a separate data-sharing contract with Omni Motors. Sunny Wheels notifies Omni Motors that Sara will be using the car for 2 weeks.
In both cases, Omni Motors is the data holder; Sunny Wheels is a user because it owns the rented car and can access the data; and Sara is also a user because she has, by virtue of the rental agreement with Sunny Wheels, received temporary rights over the rented car.
To read the Frequently Asked Questions about the Data Act:
13 December 2023 - Regulation (EU) 2023/2854 (Data Act) was published in the Official Journal of the European Union.
The final text of the European Data Act:
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R2854&qid=1704709568425
Following its entry into force, the Data Act will become applicable in 20 months (12 September 2025).
Source: According to Preamble (117): "In order to allow actors within the scope of this Regulation to adapt to the new rules provided for herein, and to make the necessary technical arrangements, those rules should apply from 12 September 2025."
Article 50, Entry into force and application: "This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. It shall apply from 12 September 2025."
By 12 September 2028, the Commission shall carry out an evaluation of this Regulation and submit a report on its main findings to the European Parliament and to the Council, and to the European Economic and Social Committee.
Article 37: Non-EU entities must also comply.
Article 37.11. Any entity falling within the scope of this Regulation that makes connected products available or offers services in the Union, and which is not established in the Union, shall designate a legal representative in one of the Member States.
37.12. For the purpose of ensuring compliance with this Regulation, a legal representative shall be mandated by an entity falling within the scope of this Regulation that makes connected products available or offers services in the Union to be addressed in addition to or instead of it by competent authorities with regard to all issues related to that entity.
That legal representative shall cooperate with and comprehensively demonstrate to the competent authorities, upon request, the actions taken and provisions put in place by the entity falling within the scope of this Regulation that makes connected products available or offers services in the Union to ensure compliance with this Regulation.
37.13. An entity falling within the scope of this Regulation that makes connected products available or offers services in the Union, shall be considered to be under the competence of the Member State in which its legal representative is located. The designation of a legal representative by such an entity shall be without prejudice to the liability of, and any legal action that could be initiated against, such an entity.
Until such time as an entity designates a legal representative in accordance with this Article, it shall be under the competence of all Member States, where applicable, for the purposes of ensuring the application and enforcement of this Regulation. Any competent authority may exercise its competence, including by imposing effective, proportionate and dissuasive penalties, provided that the entity is not subject to enforcement proceedings under this Regulation regarding the same facts by another competent authority.
37.14. Competent authorities shall have the power to request from users, data holders, or data recipients, or their legal representatives, falling under the competence of their Member State all information necessary to verify compliance with this Regulation. Any request for information shall be proportionate to the performance of the underlying task and shall be reasoned.
27 November 2023 - the European Council adopted the European Data Act.
Following the formal adoption by the Council, the European Data Act will be published in the EU’s official journal in the coming weeks and will enter into force the twentieth day after this publication.
It shall apply from 20 months from the date of its entry into force. However, article 3, paragraph 1 (requirements for simplified access to data for new products), shall apply to connected products and the services related to them placed on the market after 32 months from the date of entry into force of the regulation.
A very important (and very difficult) definition: According to Article 2, ‘connected product’ means an item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user;
To make things easier, another name for connected products is "Internet of Things".
In preamble 14, we read:
Connected products that obtain, generate or collect, by means of their components or operating systems, data concerning their performance, use or environment and that are able to communicate those data via an electronic communications service, a physical connection, or on-device access, often referred to as the Internet of Things, should fall within the scope of this Regulation, with the exception of prototypes.
Examples of such electronic communications services include, in particular, land-based telephone networks, television cable networks, satellite-based networks and near-field communication networks.
Connected products are found in all aspects of the economy and society, including in private, civil or commercial infrastructure, vehicles, health and lifestyle equipment, ships, aircraft, home equipment and consumer goods, medical and health devices or agricultural and industrial machinery.
Manufacturers’ design choices, and, where relevant, Union or national law that addresses sector-specific needs and objectives or relevant decisions of competent authorities, should determine which data a connected product is capable of making available.
This Regulation applies to:
(a) manufacturers of connected products placed on the market in the Union and providers of related services, irrespective of the place of establishment of those manufacturers and providers;
(b) users in the Union of connected products or related services as referred to in point (a);
(c) data holders, irrespective of their place of establishment, that make data available to data recipients in the Union;
(d) data recipients in the Union to whom data are made available;
(e) public sector bodies, the Commission, the European Central Bank and Union bodies that request data holders to make data available where there is an exceptional need for those data for the performance of a specific task carried out in the public interest and to the data holders that provide those data in response to such request;
(f) providers of data processing services, irrespective of their place of establishment, providing such services to customers in the Union;
(g) participants in data spaces and vendors of applications using smart contracts and persons whose trade, business or profession involves the deployment of smart contracts for others in the context of executing an agreement.
9 November 2023 - the European Parliament adopted the text of the European Data Act.
During a plenary vote, the European Parliament formally adopted the text of the European Data Act (by a majority of 481 votes in favor, 31 votes against and 71 abstentions). Next step: it must be approved by the Council.
In Article 2, we have some interesting new definitions:
‘Product data’ means data generated by the use of a connected product that the manufacturer designed to be retrievable, via an electronic communications service, physical connection or on-device access, by a user, data holder or a third party, including, where relevant, the manufacturer.
‘Related service data’ means data representing the digitisation of user actions or of events related to the connected product, recorded intentionally by the user or generated as a by-product of the user’s action during the provision of a related service by the provider.
‘Readily available data’ means product data and related service data that a data holder lawfully obtains or can lawfully obtain from the connected product or related service, without disproportionate effort going beyond a simple operation.
‘Metadata’ means a structured description of the contents or the use of data facilitating the discovery or use of that data.
‘Personal data’ means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679 (General Data Protection Regulation).
‘Non-personal data’ means data other than personal data.
‘Smart contract’ means a computer program used for the automated execution of an agreement or part thereof, using a sequence of electronic data records and ensuring their integrity and the accuracy of their chronological ordering.
According to the updated text (preamble 104), to promote the interoperability of tools for the automated execution of data sharing agreements, it is necessary to lay down essential requirements for smart contracts which professionals create for others or integrate in applications that support the implementation of agreements for data sharing.
In order to facilitate the conformity of such smart contracts with those essential requirements, it is necessary to provide for a presumption of conformity of smart contracts that meet harmonised standards or parts thereof in accordance with Regulation (EU) No 1025/2012.
The notion of ‘smart contract’ in this Regulation is technologically neutral. Smart contracts can, for example, be connected to an electronic ledger. The essential requirements should apply only to the vendors of smart contracts, although not where they develop smart contracts in-house exclusively for internal use.
The essential requirement to ensure that smart contracts can be interrupted and terminated implies mutual consent by the parties to the data sharing agreement. The applicability of the relevant rules of civil, contractual and consumer protection law to data sharing agreements remains or should remain unaffected by the use of smart contracts for the automated execution of such agreements.
27 June 2023, European Data Act - The Council and the Parliament strike a deal on fair access to and use of data
With a view to making the EU a leader in data-driven societies, the Council and the European Parliament representatives reached a provisional agreement on harmonised rules on fair access to and use of data.
The data act will give both individuals and businesses more control over their data through a reinforced portability right, copying or transferring data easily from across different services, where the data are generated through smart objects, machines, and devices. The new legislation will empower consumers and companies by giving them a say on what can be done with the data generated by their connected products.
The political agreement clarifies the scope of the regulation allowing users of connected devices, ranging from smart home appliances to smart industrial machinery, to gain access to data generated by their use which is often exclusively harvested by manufacturers and service providers.
Regarding Internet of Things (IoT) data, in particular, the focus was moved to the functionalities of the data collected by connected products instead of the products themselves.
The text contains measures to prevent abuse of contractual imbalances in data sharing contracts due to unfair contractual terms imposed by a party with significantly stronger bargaining position.
Moreover, the text provides additional guidance regarding the reasonable compensation of businesses for making the data available, as well as adequate dispute settlement mechanisms.
The agreement also ensures an adequate level of protection of trade secrets and intellectual property rights, accompanied by relevant safeguards against possible abusive behaviour of data holders.
What is the next step?
The provisional agreement must now be endorsed by the Council and the European Parliament. It will then be adopted by both institutions following legal-linguistic revision. From the Council’s side, the upcoming Spanish presidency intends to submit the text to member states’ representatives (Coreper) for endorsement as soon as possible.
Understanding the European Data Act.
The volume of data generated by humans and machines has been increasing exponentially. Unfortunately, most data are unused, or are collected by a few large companies. Low trust, conflicting economic incentives and technological obstacles impede the full realisation of the potential of data-driven innovation. It is crucial for the EU to unlock such potential by providing opportunities for the reuse of data, and removing barriers to the development of the European data economy. This is in line with the mission of the EU to reduce the digital divide, so that everyone benefits from these opportunities. Ensuring greater balance in the distribution of the value from data in step with the new wave of non-personal industrial data and the proliferation of products connected to the Internet of Things means there is enormous potential for boosting a sustainable data economy in Europe.
The Data Act was the next logical step after the European Data Governance Act. It is the second main legislative initiative following the February 2020 European strategy for data, which makes the EU a leader in the data-driven society.
The Data Governance Act, presented in November 2020 and agreed by co-legislators in November 2021, creates the processes and structures to facilitate data sharing by companies, individuals and the public sector. The Data Act clarifies who can create value from data and under which conditions. The Data Act removes barriers to access data, for both the private and the public sector, while preserving incentives to invest in data generation by ensuring a balanced control over the data for its creators.
When we buy a ‘traditional’ product, we acquire all parts and accessories of that product. However, when we buy a connected product (e.g. a smart home appliance or smart industrial machinery) generating data, it is often not clear who can do what with the data. Or it may be stipulated in the contract that all data generated is exclusively harvested and used by the manufacturer.
The Data Act gives individuals and businesses more control over their data through a reinforced data portability right, which makes it easy to copy or transfer data across different services where the data are generated through smart objects, machines and devices. For example, a car or machinery owner could choose to share data generated by their use with their insurance company. Such data, aggregated from multiple users, could also help to develop or improve other digital services, e.g. regarding traffic, or areas at high risk of accidents.
It will be easier to transfer data to and between service providers and this will encourage more actors, including SMEs, to participate in the data economy.
For example, aftermarket service providers will be able to improve and innovate their services and compete on an equal footing with comparable services offered by manufacturers. Therefore, users of connected products (including consumers, farmers, airlines, construction companies or owners of buildings) could opt for a cheaper repair and maintenance provider (or maintain and repair themselves) and benefit from lower prices on that market. This could extend the lifespan of connected products, thereby contributing to the Green Deal objectives.
Also, availability of data about the functioning of industrial equipment will allow factories, farms or construction companies to optimise operational cycles, production lines and supply chain management, including based on machine-learning.
In precision agriculture, IoT analytics of data from connected equipment can help farmers analyse real time data like weather, temperature, moisture, or GPS signals and provide insights on how to optimise and increase yield, improve farm planning and make smarter decisions about the level of resources needed.
Increased business and manufacturing efficiency should lead to a reduction of waste, energy consumption and CO2 emissions.
The Data Act unlocks the value of data from private companies in exceptional situations of high public interest, such as floods or wildfires. The current data access mechanisms by the public sector are inefficient or non-existent in public emergency situations. With the new rules, there will be an obligation on businesses to provide certain data, under key conditions (which businesses can enforce in case of abuse).
If the data is necessary to address a public emergency, it will be provided for free. In other situations (to prevent or recover from a public emergency, or to fulfil a public-interest mandate imposed by law), the data holder may request compensation. This should greatly improve evidence-based decision-making, in particular effective and rapid response to crises, such as floods and wildfires.
For example, during the COVID-19 pandemic, aggregated and anonymised location data from mobile network operators was essential for analysing the correlation of mobility and the spread of the virus, including informing early warning systems for new outbreaks and taking the right measures to combat the crisis.
The Data Act also improves the conditions under which businesses and consumers can use cloud and edge services in the EU. It becomes easier to move data and applications (from private photo archives to entire business administrations) from one provider to another without incurring any costs, because of new contractual obligations that the proposal presents for cloud providers, and a new standardisation framework for data and cloud interoperability.
In addition, the Data Act raises trust by introducing mandatory safeguards to protect data held on cloud infrastructures in the EU. This will avoid unlawful access by non-EU/EEA governments. With these measures, the Data Act supports cloud adoption in Europe, which in turn stimulates efficient data sharing within and across sectors.
8 December 2022 - New compromise text on the Data Act.
The new compromise text on the Data Act, circulated on Thursday (8 December), introduces significant changes to the part intended to facilitate the switching from one cloud provider to the other.
The Czech presidency of the EU Council did not manage to broker a common position on the file at a ministerial meeting on Tuesday but worked on a new compromise text to address some of the outstanding issues.
23 February 2022 - We have the text of the Proposal on harmonised rules on fair access to and use of data (Data Act).
The proposal’s objectives are:
1. Facilitate access to and the use of data by consumers and businesses, while preserving incentives to invest in ways of generating value through data. This includes increasing legal certainty around the sharing of data obtained from or generated by the use of products or related services, as well as operationalising rules to ensure fairness in data sharing contracts. The proposal clarifies the application of relevant rights under Directive 96/9/EC on the legal protection of databases (the Database Directive) to its provisions.
2. Provide for the use by public sector bodies and Union institutions, agencies or bodies of data held by enterprises in certain situations where there is an exceptional data need. This primarily concerns public emergencies, but also other exceptional situations where compulsory business-to-government data sharing is justified, in order to support evidence-based, effective, efficient, and performance-driven public policies and services.
3. Facilitate switching between cloud and edge services. Access to competitive and interoperable data processing services is a precondition for a flourishing data economy, in which data can be shared easily within and across sectoral ecosystems. The level of trust in data processing services determines the uptake of such services by users across sectors of the economy.
4. Put in place safeguards against unlawful data transfer without notification by cloud service providers. This is because concerns have been raised about non-EU/European Economic Area (EEA) governments’ unlawful access to data. Such safeguards should further enhance trust in the data processing services that increasingly underpin the European data economy.
5. Provide for the development of interoperability standards for data to be reused between sectors, in a bid to remove barriers to data sharing across domain-specific common European data spaces, in consistency with sectoral interoperability requirements, and between other data that are not within the scope of a specific common European data space. The proposal also supports the setting of standards for ‘smart contracts’. These are computer programs on electronic ledgers that execute and settle transactions based on pre-determined conditions. They have the potential to provide data holders and data recipients with guarantees that conditions for sharing data are respected.
The European Data Act and its connection to other directives and regulations.
The European Data Act is consistent with existing rules on the processing of personal data, including the General Data Protection Regulation (‘GDPR’), and protecting the private life and the confidentiality of communications, as well as any (personal and non-personal) data stored in and accessed from terminal equipment (the ePrivacy Directive), that will be replaced by the ePrivacy Regulation currently the subject of legislative negotiations. This proposal complements existing rights, specifically rights regarding data generated by a user’s product connected to a publicly available electronic communications network.
The Free Flow of Non-Personal Data Regulation put in place a key building block of the European data economy, by ensuring that non-personal data can be stored, processed and transferred anywhere in the Union. It also presented a self-regulatory approach to the problem of ‘vendor lock-in’ at the level of providers of data processing services, by introducing codes of conduct to facilitate switching data between cloud services (the industry-developed ‘Switching Cloud Providers and Porting Data (SWIPO)’ Codes of Conduct). The European Data Act further builds on this, helping businesses and citizens to make the most of the right to switch cloud providers and port data. It is also fully consistent with the Unfair Contract Terms Directive as regards contract law. With regard to cloud services, as the self-regulatory approach seems not to have affected market dynamics significantly, this proposal presents a regulatory approach to the problem highlighted in the Free Flow of Non-Personal Data Regulation.
The Database Directive protects databases that have been created as a result of a substantial investment, even if the database itself is not an original intellectual creation protected by copyright. Building on the substantial amount of case-law interpreting the provisions of the Database Directive, the European Data Act addresses ongoing legal uncertainties about whether databases containing data generated or obtained by the use of products or related services, such as sensors, or other types of machine-generated data, would be entitled to such protection.
The Platform to Business Regulation imposes transparency obligations, requiring platforms to describe for business users the data generated from the provision of the service.
The Open Data Directive sets out minimum rules on the re-use of data held by the public sector and of publicly funded research data made publicly available through repositories.
The Interoperable Europe initiative seeks to introduce a cooperative interoperability policy for a modernised public sector.
The European Data Act complements the Data Governance Act, which aims to facilitate the voluntary sharing of data by individuals and businesses and harmonises conditions for the use of certain public sector data, without altering material rights on the data or established data access and usage rights.
The European Data Act complements the proposal for a Digital Markets Act, which requires certain providers of core platform services identified as ‘gatekeepers’ to provide, inter alia, more effective portability of data generated through business and end users’ activities.

This website is developed and maintained by Cyber Risk GmbH as part of its professional activities in the fields of risk management and regulatory compliance.
Cyber Risk GmbH specializes in supporting organizations in understanding, navigating, and implementing complex European, U.S., and international risk related regulatory frameworks.
Content is produced and maintained under the professional responsibility of George Lekatis, General Manager of Cyber Risk GmbH, a well known expert in risk management and compliance. He also serves as General Manager of Compliance LLC, a company incorporated in Wilmington, NC, with offices in Washington, DC, providing risk and compliance training in 58 countries.