Six years after the European Regulation 2016/679 on the protection of personal data (“GDPR”) came into force, the European Union has just adopted a new regulation targeting a better distribution of the value generated by the use of data between players in the digital economy.
Adopted on 11 January 2024, in only 22 months, Regulation 2023/2854 regarding the harmonized rules on fair access to and use of data (Regulation on Data or “EU Data Act”) aims at broadening the scope of Europe’s digital sovereignty, beyond the boundaries of personal data alone.
Acknowledging Disempowerment?
Launched in February 2022 under the French presidency of the European Union, formal negotiations aimed at tackling the challenges of the Internet of Things (“IoT”) and cloud computing industries, which produce tremendous quantities of personal and non-personal data, and whose economic value is currently regulated by a limited number of dominant players.
By removing certain obstacles to the portability of the underlying data, the EU Data Act purports to stimulate the development of a fair data economy within Europe and a rebalancing of the current state of play among competitors.
Fostering Businesses Through Data
The EU Data Act defines what “data” really is for the first time. Indeed, while “personal data” has been a mainstay of European law for over 30 years (defined as “any information relating [directly or indirectly] to an identified or identifiable natural person”), data is now also defined as “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording.”
At first, the definition of “data” seems materially narrower than personal data. Whilst the latter might be derived from data processing carried out on a digital platform or on paper, data as put forward by the EU Data Act is exclusively digital.
Moreover, the EU Data Act’s affirmation that “data” is either an “act”, a “fact”, or “information” implies that it is only a state and, as such, not open to appropriation by intellectual property law (without prejudice to any rights in the database in which it is included, or to the secret nature of the data).
Consequently, since data can be the property of neither the service provider nor the customer, its ownership and control can only be governed by contract.
The EU Data Act’s Key Players
The EU Data Act covers a large spectrum of players in the data economy:
- Manufacturers and suppliers: any company which produces or sells “Connected Products” (such as connected thermostats or lights) distributed within the European Union’s market, or which offers “Related Services” (such as mobile applications allowing the display of data generated by connected products) is subject to the EU Data Act.
- Users: any natural or legal person using Connected Devices and Related Services within the EU benefits from the rights contained in the EU Data Act, enabling them not only to access the data generated by their Connected Devices, but also to have this data transferred to a new service provider.
- Suppliers of data processing services: companies storing, processing or generating data on behalf of others in the EU (such as data hosts or cloud computing services) are also concerned.
While certain exemptions have been established for micro and small businesses, the latter also benefit from a favorable regime, notably in the context of their contractual relationship with larger suppliers, with a view to compensating for imbalances in contractual negotiations.
The New Rules of the EU Data Act
The EU Data Act imposes various obligations on the above-mentioned stakeholders, seeking to empower them, notably through reinforced transparency, and to promote fair competition in the data market.
- Transparency: manufacturers and suppliers are mandated to provide users with clear and thorough information on the data collected by their Connected Products and Related Services, such as the nature and volume of the data collected, how it is used, and users’ rights in terms of data access and control.
- Data access: in a stark parallel with GDPR’s data portability right, users are also granted a right to access data generated by their Connected Products and Related Services. These data must be delivered in a commonly used, machine-readable format, enabling users to download and analyze them effortlessly. As with GDPR, this right of access and portability aims at allowing the transfer of the data history to a new provider without excessive costs. Concurrently, the EU Data Act lays down new interoperability requirements to give full effect to these transfer possibilities between service providers.
- Fair contract terms: contracts relating to access to data in the ecosystem of Connected Products and Related Services will have to be revised in order to ensure the proper balance of obligations. The EU Data Act contemplates a series of unfair clauses, either by nature or by presumption.
- Limitations on the use of data: the EU Data Act limits the way in which data holders can use the data they collect. To this extent, they cannot use data to gain an unfair competitive advantage in the marketplace. This measure aims to foster a more competitive data environment where innovation benefits all participants.
- Sharing public sector data: under exceptional circumstances, businesses might have to share data with public authorities. These provisions are designed to support measures deemed urgent, national security measures or other situations deemed critical by the government. The EU Data Act sets strict limitations to ensure that such data sharing remains necessary and proportionate to the interests at stake. At the same time, the EU Data Act imposes new restrictions on the transfer of non-personal data to authorities in non-EU countries.
Next steps and implementation
- Supplier side: Before 12 September 2025, all companies providing Connected Products and Related Services within the EU will have to ensure that their conditions, both contractual and operational, will allow the implementation of the new framework imposed by the EU Data Act.
- User side: While most obligations resulting from the EU Data Act impact suppliers, users will also need to analyze whether the suggested conditions for their connected services will be consistent with their needs and the possibility of exploiting their potential.
While the EU Data Act establishes a clear-cut framework for data governance, some uncertainties persist. The exact relationship between the EU Data Act and existing regulations such as the GDPR is still being clarified. Courts are likely to play a key role in defining the “abusive” contractual conditions and “exceptional needs” justifying the sharing of public sector data.
Although the 14 months separating us from the implementation of the EU Data Act will not necessarily remove all these grey areas, it will be up to all stakeholders to identify the data systems and contracts affected, and to map out their needs.