EU Data Act: A new era for data regulation

Written By Nicoletta Kouvara

The European Union has taken a significant step in regulating the complex landscape of data collection, data usage and data analysis with the introduction of Regulation (EU) 2023/2854 on harmonised rules on fair access to and use of data (the “EU Data Act”). The EU Data Act was adopted on 11 January 2024 and will apply from 12 September 2024. This regulation aims to unlock access to and the sharing of non-personal data, fostering innovation, improving data flow between businesses, consumers, and public bodies, and building a robust framework for the digital economy.

Definition of Data under the EU Data Act

The EU Data Act introduces a broad definition of data, extending beyond personal data typically covered under the EU General Data Protection Regulation (GDPR). According to Article 2(1) of the EU Data Act, data refers to “any digital representation of acts, facts, or information and any compilation of such acts, facts, or information, including in the form of sound, visual, or audiovisual recording.”

This definition encompasses a wide range of non-personal data generated by the use of connected products and services, making it a cornerstone of the digital ecosystem.

Scope of Application of the EU Data Act

The EU Data Act applies to a wide range of entities involved in the generation, collection, and utilization of non-personal data.

This includes manufacturers of connected products (such as IoT devices), providers of related services (such as cloud services or platform operators), and businesses across various industries that collect, analyze, and share data generated through these products and services.

The Act is applicable to both business-to-business (B2B) and business-to-consumer (B2C) contexts, and even includes provisions for public sector access to data in exceptional circumstances. Notably, the Act places obligations on cloud service providers to prevent data lock-in and facilitate data portability.

Small and medium-sized enterprises (SMEs) are also protected from unfair terms in data-sharing agreements with larger companies, making it relevant to companies of all sizes engaged in the European data economy.

Key provisions

Let’s take a closer look at the key provisions of the EU Data Act:

  •  Access to Data by Users

The EU Data Act provides a right of access for users to the data they generate when using connected products. For example, whether it's a fitness tracker worn by an individual or a retail business using a point-of-sale system to track customer transactions, users should have the right to access the data, either directly or through a third party of their choice. This shift enables individuals and businesses to harness the data they generate, offering new opportunities for personalized health insights or logistics optimization. By giving users control over their data, the Act fosters transparency and consumer empowerment, allowing users to make informed choices about how their data is used and shared.

  • B2B and B2C Data Sharing Obligations

The EU Data Act imposes a framework for business-to-business (B2B) and business-to-consumer (B2C) data sharing, setting clear rules about how businesses must share data with other entities under fair, reasonable, and non-discriminatory (FRAND) terms. This provision is designed to encourage collaboration and reduce monopolistic control over data in certain industries, creating a more competitive and open digital economy.

  • Public Sector Access

Under exceptional circumstances, such as public emergencies, the EU Data Act allows for the mandatory sharing of data with public bodies. This ensures that, during crises, essential data is available to address challenges efficiently, but the scope and purpose of such access are strictly defined to avoid overreach and ensure data is only used in the public interest.

  • Interoperability Requirements

To ensure that data sharing does not become a technological or operational burden, the EU Data Act includes provisions for interoperability standards. These requirements are essential for fostering innovation, as they enable businesses to work across platforms without facing prohibitive costs or technical barriers. By standardizing data exchanges, the Act ensures that businesses of all sizes can benefit from greater access to data.

  • Preventing Data Lock-In

A key concern addressed by the EU Data Act is the prevention of vendor lock-in, particularly in cloud computing services. Cloud providers must enable users to switch between service providers more easily without being subjected to unfair contractual terms or technical limitations. This provision aims to increase competition in the digital services market by reducing switching costs, thus empowering businesses to choose the best services without fear of data loss or excessive migration fees.

  • Contractual Fairness for SMEs

To protect smaller enterprises from being disadvantaged in contractual negotiations with larger companies, the EU Data Act introduces rules to ensure fairness in data-sharing agreements. It restricts the imposition of unfair terms in contracts that result in an imbalance of power between parties, particularly when one party disproportionately benefits from access to valuable data. These rules are designed to foster more equitable relationships and encourage trust in data collaborations.

Opportunities for Businesses

The EU Data Act’s framework opens numerous doors for businesses to capitalize on new opportunities. By encouraging greater data mobility and access, companies across industries—whether in technology, manufacturing, real estate, agriculture, automotive, or healthcare—can utilize non-personal data to optimize operations, enhance customer experiences, and develop new business models.

How the EU Data Act Impacts Data Analytics

The EU Data Act introduces new opportunities and challenges for businesses engaged in data analytics. By democratizing access to non-personal data, the Act significantly broadens the availability of data from connected devices and other sources. Analytics firms will now have access to a wider range of high-quality datasets, enhancing their ability to deliver more comprehensive and actionable insights across various industries, from manufacturing to healthcare and beyond.

However, companies will need to secure access to such data through contractual agreements with data holders, ensuring that all data sharing follows fair, reasonable, and non-discriminatory (FRAND) terms. These contracts will set the conditions for data use, pricing, and security, enabling data analytics providers to leverage valuable datasets while complying with EU governance and interoperability standards. Ultimately, for companies involved in data analytics, the EU Data Act presents a powerful opportunity to leverage a more open and competitive data ecosystem—one where secure, transparent, and compliant data use drives innovation and growth.

Challenges and Compliance Considerations

While the EU Data Act presents immense opportunities, it also poses significant challenges, particularly for businesses accustomed to maintaining control over proprietary data. Compliance will require not only a reassessment of data governance policies but also investment in infrastructure to facilitate data sharing in secure and interoperable formats. Businesses will need to establish clear data-sharing protocols, protect trade secrets, and ensure they can meet the security requirements laid out in Regulation (EU) 2023/2854.

Moreover, businesses must navigate the complexities of harmonizing the Data Act’s provisions with existing EU regulations such as the GDPR and the Digital Markets Act (DMA). The intersection of these regulations could create potential overlaps and ambiguities, particularly regarding the treatment of mixed datasets containing both personal and non-personal data.

The EU Digital Strategy and future outlook

The EU Data Act, Regulation (EU) 2023/2854, introduces a dynamic regulatory environment that seeks to democratize access to non-personal data, reduce data monopolies, and encourage innovation across sectors. This regulation is part of the European Commission's broader Digital Strategy, which aims to create a single market for data that empowers businesses and individuals to make the most of the data they generate, while adhering to European values of privacy, security, and trust. By setting high standards for data sharing and fostering a competitive, open data economy, the EU is positioning itself as a leader in the global digital landscape.

In the coming years, we can expect increased pressure on companies to adopt transparent data-sharing practices and to leverage non-personal data in ways that drive innovation. For businesses that embrace the spirit of the EU Data Act, the regulation represents not just a compliance hurdle, but an opportunity to enhance competitiveness and contribute to Europe’s digital transformation.

More Information

Aptus Legal offers comprehensive legal support on data-related legal matter by providing expert guidance on regulatory requirements, developing tailored policies, as well as drafting and negotiating all types of data-sharing agreements. 

For more information, please contact Aptus Legal by clicking here or send an email to info@aptuslegal.com.

Nicoletta Kouvara
Next

Understanding the EU Digital Operational Resilience Act (DORA) applicable to financial entities