On 11 January 2024, the Data Act, the new European Data Regulation on “harmonised rules on fair access to and use of data”, entered into force. It is part of the broader European strategy to create a single digital market and to acquire the Union’s leadership in the data sector and which will allow a greater flow of data for the benefit of businesses, citizens, and public administrations.
The Data Act represents the second most important European initiative on data, and together with the Data Governance Act (Regulation 2022/868), it is part of the broader European strategy to create a single digital market and to acquire the Union’s leadership in the data sector, already announced by the European Commission in February 2020. The aim of this strategy is to create a single European market in which data can circulate, be shared and used freely by both public and private actors in the field of research and innovation in the European Union, for example for the benefit of the modernisation of public services, the production of personalised medicines, the achievement of more efficient mobility and better policymaking.
The aim of the Data Act is to create a fairer and more innovative data economy by introducing harmonised rules to ensure a fair distribution of the value of data among data economy players. More specifically, the Data Act regulates the access to and use of data from a “product” or related service, i.e. an item that “obtains, generates, or collects, data concerning its use or environment, and that is able to communicate data via a publicly available electronic communication service”, such as connected vehicles, industrial machinery and machinery used in the healthcare sector. This means that all connected products placed on the European market, in the so-called Internet of Things (IoT) sector, have to be designed and manufactured in a way that allows users to easily and securely access, use and share the data they generate.
Specifically, companies that produce and supply such IoT-connected products, with the exception of small or micro enterprises, must ensure that users have access to and portability of the data generated by the product, as well as the related metadata necessary to interpret such data, making them available in a comprehensive, structured, commonly used and machine-readable format. In addition, among the measures aimed at regulating the efficient circulation of data, the following are envisaged:
i) The data monetisation, which means the payment of a price, reasonable and non-discriminatory, corresponding to the investments made for the data production and collection, as well as the cost to be incurred in making them available;
(ii) The protection of trade secrets, through security measures designed to protect information whose circulation would harm the interests and property rights of enterprises;
(iii) The interoperability of cloud services, thanks to measures that allow users to effectively switch between different data processing service providers to unlock the Union cloud market.
Moreover, the Data Act includes measures to contrast the abuse of contractual imbalances that prevent fair data sharing in order to protect small and medium-sized enterprises against unfair contract terms imposed by companies with a significantly stronger market position. In this regard, the Data Act provides for a list of ineffective contractual terms, distinguishing:
a) terms that are certainly unfair (e.g. terms that exclude or limit the liability of the party that unilaterally imposed the term for intentional acts or gross negligence, terms that exclude the remedies available to the party upon whom the term has been unilaterally imposed in case of non-performance of contractual obligations or the liability of the party that unilaterally imposed the term in case of breach of those obligations);
b) terms that are presumed unfair (e.g. terms that allow access to the data of the other party and to use it against the interests of the latter, terms that prevent the weaker party from being able to unilaterally terminate the contract within a reasonable period).
In addition, public authorities – such as the European Commission, the European Central Bank and other European Union bodies – may request access to data collected from businesses and private users in case of particular circumstances of necessity and urgency, for a reasonable fee.
Although Regulation 2023/2854 is already in force, the Data Act will become applicable in September 2025 regarding both personal data and non-personal data, supplementing and not affecting the provisions of the GDPR on the protection of personal data. Non-compliance with data access rights is subject to GDPR fines (up to 4 % of the yearly world-wide turnover or € 20 Million, whatever is higher).
The enactment of the Data Act confronts companies in many industries with a momentous change right from the design of their products or services, a change that will have to be addressed in the right way and by complying with the new regulation in order not to incur penalties and remain competitive in the market.
DISCLAIMER: This article merely provides general information and does not constitute legal advice of any kind from Macchi di Cellere Gangemi which assumes no liability whatsoever for the content and correctness of the newsletter. The author or your contact in the firm will be happy to answer any questions you may have.