REGULATION (EU) 2023/2854 on harmonized rules on fair access to and use of data | LegalFlash 98


REGULATION (EU) 2023/2854 on harmonized rules on fair access to and use of data (“Data Act” or “Regulation”) aims to create a fair and competitive data market by facilitating data sharing and reuse across sectors and stakeholders. Together with the Data Governance Act, the Digital Markets Act, and the proposed European Health Data Space, the Data Act constitutes part of the European Data Strategy Package.

The Data Act was published in December 2023 and is set to enter into force on the 20th day following its publication.

The Data Act lays down harmonized rules for making:

  1. data generated by the use of a connected product or related service available to the user of that product or service,
  2. data available by data holders to data recipients, and
  3. data available by data holders to public sector bodies or Union institutions, agencies or bodies, where there is an exceptional need, for the performance of a task carried out in the public interest.

The Regulation covers personal and non-personal data obtained, generated, or collected by connected products and/or their components, and related digital services. As indicated in Art. 1, this data includes, for example, raw data generated by the user interface and the device itself, but does not extend to information inferred or derived from such data. The Regulation does not apply to data that sensor-equipped in-scope products generate when the user records, transmits, displays, or plays content, as well as the content itself with regard to data sharing (Recital 16).

The Regulation applies to a variety of entities:

(a) manufacturers of connected products (i.e. physical products capable of collecting or generating data concerning their use or environment, and of communicating product data), and suppliers of related services placed on the market (i.e., digital services, including software, integrated into or associated with a connected product), and the users of such products or services;

(b) data holders that make data available to data recipients in the Union;

(c) data recipients in the Union to whom data are made available;

(d) public sector bodies and Union institutions, agencies or bodies that request data holders to make data available where there is an exceptional need for that data for the performance of a task carried out in the public interest, and the data holders that provide those data in response to such a request;

(e) providers of data processing services offering such services to customers in the Union.

 

As can be observed from the location of the recipients, the Data Act is applicable only within the Union, namely to data obtained, generated, or collected in the European Union by connected products and/or their components and related digital services, an aspect which differentiates it from the GDPR.

Key Requirements

The Data Act sets a wide range of obligations, as follows:

  • Obligations for manufacturers to design their products so that data generated or captured by those products are available to users of the product for free and ideally directly.
  • Measures regulating contractual terms in data sharing contracts between parties to prevent the abuse of imbalances in contractual relationships. Unfair contractual terms concerning access to, and the use of, data are prohibited. A contractual term is unfair if it deviates from good commercial practice in data access and use, contrary to good faith and fair dealing.
  • Rights to access and share data generated through the use of connected products and related services. According to the Data Act, a data holder can request that certain conditions are satisfied before sharing data that constitutes trade secrets, or (exceptionally) withhold or suspend the user's access, or the sharing of such data with third parties, if the confidentiality of trade secrets could be undermined. Data holders are under an obligation to make the in-scope data available to third parties under fair, reasonable, and non-discriminatory terms and conditions and in a transparent manner.
  • Measures to promote the development of interoperability standards. Data and cloud interoperability rules require data processing service providers to take specific measures in order to enable end users to effectively switch between cloud and edge service providers or to use several providers at the same time. In addition, data processing service providers must facilitate interoperability between data processing services, including by ensuring compatibility with open interoperability specifications and harmonized standards.
  • Mechanisms for public bodies to access private sector data in case of public emergencies. In circumstances of high public interest, such as natural disasters, private data holders are, upon request (that must meet certain formal requirements), required to make the data available to public EU institutions. Personal data can only be requested in cases of exceptional need; for example, when it is necessary to respond to a public emergency and the public sector entities are unable to obtain such data by alternative means in a timely and effective manner under equivalent conditions.

Entry into force: The Data Act will become enforceable 20 months after it enters into force. Certain provisions of the Regulation, namely Art. 3 (2) concerning the access requirement, will apply to connected products and related services placed on the market after 32 months from the Act’s date of entry into force, namely in mid-2026.