The EU Data Act is another key piece of legislation in the data field after the GDPR. It aims to establish fair rules for data access and sharing, with a focus on data generated by Internet of Things (IoT) devices.
I. Scope of the EU Data Act
The Act has extraterritorial effect. Any company placing connected products or providing related services on the EU market must comply, regardless of where the company is located (including Chinese companies). Cloud service providers offering data processing services to users within the EU are also subject to the Act.
EU Data Act Key Timeline:
-
January 11, 2024: The Act officially enters into force.
-
September 12, 2025: Most core obligations under the Act start to apply.
-
September 12, 2026: Provisions related to product design become applicable (providing a transition period for the compliant design of new products).
II. New Rules Established by the EU Data Act
The Data Act introduces new regulations primarily in the following areas:
-
B2C/B2B Data Sharing: Users have the right to access data generated by the connected products they use (e.g., smart appliances, industrial machinery) and can request manufacturers to share that data with a third party they designate (e.g., a repair service provider).
-
Definition of Data Scope: The data subject to mandatory sharing mainly refers to raw and pre-processed data generated by the device. Derived data created through complex algorithm analysis and content data protected by intellectual property rights (e.g., music, e-books) are generally not subject to the sharing obligation.
-
Cloud Service Switching: The Act requires cloud service providers to remove technical obstacles for customers switching between different providers, preventing vendor lock-in and promoting market competition.
-
B2G Data Provision: In response to public emergencies (e.g., natural disasters) or when fulfilling specific public interest tasks, government bodies may legally require companies to provide necessary data.
-
Fair Contractual Terms: The Act prohibits unfair terms in data access contracts, protecting small and medium-sized enterprises from unfair treatment by dominant companies.
III. Relationship with Other EU Regulations
EU Data Act does not exist in isolation. It forms part of the EU’s data governance framework alongside regulations like the GDPR:
-
Relationship with GDPR: The GDPR protects personal data, while the Data Act covers both personal and non-personal data, focusing on the right to access and share data generated by IoT devices. Their application may overlap but they have different emphases.
-
Part of a Regulatory Network: This Act is a key component under the EU’s European Data Strategy, working in conjunction with the Data Governance Act, the Digital Markets Act, the AI Act, and others to build a European single market for data.