Data Act – Scope, Impact, Implementation

As of early 2024, the new Data Act entered into force and is set to be largely enforceable from 2025. This new regulatory framework may require significant legal and engineering effort to (re-)design affected products/services and business processes to ensure compliance. Organizations are advised to evaluate their compliance strategies well in advance of the enforcement deadlines, given the complexity of changes and efforts for implementing technical and organizational solutions.

Scope

The Data Act focuses on data in relation to the use of IoT-devices and device-related services (personal and non-personal data) and will apply various entities, including:

• Manufacturers of connected products and/or providers of product-related digital services as well as users of connected products and/or related services
• Data holders (entities who have the right or obligation to use and make available data, including due to data access obligations under the Data Act itself) and data recipients (entities to whom a data holder makes data available)
• Providers of data processing services (cloud computing services)

Obligations

The Data Act imposes various obligations, including:

• Accessibility of data from connected products and related services by design
• Making available data from connected products and related services to users and third parties
• Data licences for the use of non-personal data from connected products and related services
• Contractual terms for data access and data processing services and FRAND conditions
• Facilitating interoperability and switching between data processing services
• Transparency (information to users/customers)

Timeline

• The Data Act will generally be applicable from September 12, 2025
• The data accessibility requirement will apply to connected products and related services placed on the market after September 12, 2026

Compliance risks

Access under the Data Act might lead to conflicts with IP/trade secret protection and GDPR data protection requirements which remain unaffected by the Data Act. Organisations face the challenge of complying with both the Data Act and the GDPR while maintaining legitimate IP/trade secret protection. Non-compliance with the Data Act and/or the GDPR may have serious negative consequences for affected organizations, including:

• Severe administrative fines (up to EUR 20m or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher)
• Actions of competitors under laws on unfair competition
• Claims for damages by affected persons
• Loss of reputation

Our Data, Tech & Telecoms team is happy to support on any data regulatory matters.
See our Fact Sheet & Capability Statement for more details:

To assist our clients in navigating the regulatory jungle of the new European data law, we provide a regularly updated interactive “Map” of European data law at europeandatalaw.com.