One year to go before the Data Act comes into force
The new data regulation, known as the Data Act, will begin to be phased in from September 2025. Entities that will be subject to obligations under the regulation can now start to look at the steps they should take in the coming year to prepare for the onset of the Data Act. Its main goal is to enable better access to data and improve the conditions for sharing it across different economic actors.
The Data Act can be accessed at EUR-Lex.
DATA ACT AND THE GDPR
Together with the General Data Protection Regulation (GDPR), the Data Act is considered one of the most comprehensive data rules in the EU, not only in relation to data protection. The Data Act will work together with the GDPR, enhancing data sharing while preserving the GDPR’s primary role in safeguarding personal data. The Data Act focuses on the fair use of and access to data within the EU’s data economy, but when it comes to personal data protection, the GDPR prevails. In specific cases, such as the real-time portability of data from IoT devices, the Data Act only complements the GDPR. However, if there is a conflict, the provisions of the GDPR take precedence, ensuring that comprehensive data protection is maintained.
MAIN OBJECTIVES OF THE DATA ACT
One of the main objectives of the Data Act is to enable customers to move more easily between cloud service providers. To this end, the regulation comes with measures that promote so-called multi-home solutions, i.e. the simultaneous use of multiple cloud providers. The Data Act also seeks to avoid the effect of vendor lock-in, thereby increasing flexibility in the choice of services or providers. The legal framework also aims to promote the free movement of data between different providers and systems, which is intended to contribute to an open and competitive digital market.
KEY OBLIGATIONS TO ENSURE “SWITCHABILITY”
- Removing obstacles to switching providers
- Ensuring interoperability between services
- Support of functional equivalence of services and APIs
- Shortened notice periods, transparent fees
- Enabling parallel use of another provider’s services
- Data specification and digital assets
NEW OPTIONS FOR DATA USERS
The Data Act grants users significant control over the data generated by their connected products or services. For example, data holders are obligated to inform users about the data generated and provide them with access, either directly or indirectly. Direct access means users can retrieve their data without needing to request it, while indirect access involves an approval process where the user must ask the data holder for access. Flexibility exists for service providers, as not all products are designed for direct access.
Additionally, users can monetize their non-personal data, making agreements with data holders or third parties, who may compensate them for access and use of the data. The Data Act also ensures that if a user’s right to access and use data is not properly upheld, they can lodge complaints with competent authorities, initiate legal proceedings, or leverage EU consumer protection legislation to enforce their rights.
NEW DUTIES FOR SERVICE PROVIDERS
In line with the objectives and obligations mentioned above, we can briefly outline some of the impacts that providers will have to adapt to in the near future in order to comply with Data Act requirements. For example, providers will have to include ‘migration services’ in customer contracts, including clearly defined deadlines and fees for migration.
Providers will also have to meet information obligations: providing information on migration and data transfer procedures, maintaining an online registry with technical details of exportable data, and providing upfront information on standard service fees, early termination penalties and migration fees.
Where more complex or costly transitions are foreseen, providers must ensure that the customer is informed of this before signing the contract. From a technical point of view, IaaS providers will have to take reasonable measures to achieve functional equivalence, and SaaS and PaaS providers will have to support open interfaces and adhere to harmonized standards.
NEXT STEPS
Most of the provisions of the Data Act will take effect in September 2025, which means that obliged entities still have time to adapt to the new rules. However, given the broad impact, it is advisable not to delay and to start preparing your company for the new regulatory regime as soon as possible. Specifically, accurately drafting customer contracts and adhering to the new data sharing and protection requirements will be crucial.
Reach out to us if you have any questions regarding the implementation of the Data Act.