  • David Hubert

EU adopts Data Act

Last week the European Union officially endorsed the final text of the Data Act, representing a concerted effort to establish a unified, cross-sectoral framework for sharing data.

The Act’s primary objective is to guarantee equitable access to and utilization of data. Embedded within the European Data Strategy Package, the Data Act stands as a key piece of legislation striving to enhance the availability of generated data for reuse. Its overarching aim is to optimize the value of data and foster a competitive data market, thereby creating ample opportunities for data-driven innovations and ensuring increased accessibility to data for all.

What data falls under the purview of the Data Act?

The Data Act encompasses both personal and non-personal data acquired through relevant products or during the provision of applicable services. This includes raw data directly generated by the user interface and the device itself, excluding information inferred or derived from such data. The scope also excludes data generated by sensor-equipped products during the user's recording, transmission, display, or playback of content, as well as the content itself in the context of data sharing.

Key Requirements:

  • Data Access: Data holders must, upon request by a user, grant access to specific data derived from the relevant products or services.

  • Data Sharing with Third Parties: Data holders are obligated to provide in-scope data to third parties under fair, reasonable, and non-discriminatory terms, ensuring transparency in the process.

  • Data Sharing with Public Sector Bodies: In instances of significant public interest, private data holders must make data available to public EU institutions.

  • Design Requirements and Transparency: In-scope products and services must be designed and provided in a manner that allows users to access data by default, in an easily accessible, secure, and free manner.

  • Unfair Contractual Terms: Prohibits unfair contractual terms in B2B relationships related to data access and use.

  • Unlawful International Governmental Access and Transfer: To prevent conflicts with EU or national law, providers of data processing services must implement adequate technical, organizational and legal measures to protect the data.

  • Service Switching and Interoperability: Data processing service providers must facilitate user switching and encourage interoperability between data processing services.

  • Restrictions for Gatekeepers: Gatekeepers are prohibited from benefiting from the user's new right to share data with third parties. They cannot share or receive such data, and making data available to designated gatekeepers is expressly forbidden.

Governance Model

Member states retain flexibility in implementing and enforcing tasks at the national level. A coordinating authority, labeled 'data coordinator,' acts as a single point of contact where coordination is required.

Next Steps

The Act will be published in the EU's official journal and take effect 20 days later. It applies 20 months from entry into force, with specific provisions for connected products and related services after 32 months.

