Hogan Lovells 2024 Election Impact and Congressional Outlook Report
Following its formal adoption by the EU Parliament and Council in November, the EU Data Act is about to become the new key pillar of the EU data strategy. The Data Act is widely expected to be a game changer in the market facilitating broader use of data by stipulating significant new rules, including on access, use and sharing of data generated by connected products and related services as well as on switching of cloud services and enhancing interoperability.
In this article, we share our key takeaways from our recent webinar titled “The EU Data Act – Empowering Businesses in the Data Economy”, which was part of our “AI, Big Data and Law – Digital Deep Dive” webinar series.
On 27 November 2023, as the final step in the legislative process, the EU Council formally adopted the Data Act (see press release here). Not long before, the EU Parliament had passed the final text of the Data Act by an overwhelming majority on 9 November 2023 (see press release here). The Data Act will now enter into force following its publication in the EU’s Official Journal (which is expected in the coming weeks). The final text of the Data Act can be found here.
The Data Act aims to create the regulatory framework for a flourishing data economy in the European Union by reducing barriers to data access and imposing data sharing obligations, removing obstacles to switching of data processing services, and facilitating interoperability of data from different domains. Data is identified as a key economic asset that should be harnessed for the benefit of the economy, fostering innovation and growth. In the following, we will take a closer look at the two central regulatory topics of the Data Act: (1) Data use and data sharing as well as (2) cloud switching.
There is no doubt that the core provisions of the Data Act regarding data access, use and sharing (Art. 3 - 13 Data Act) will completely reshape the existing landscape of B2C and B2B relationships governing data use and data sharing. The Data Act primarily relates to Internet of Things (IoT) products (so-called connected products (cf. Art. 2(5) Data Act) and related services (cf. Art. 2(6) Data Act). Under the current legal regime, the party exercising actual control over data can generally exclude third parties from accessing data generated by use of connected products or services. The Data Act pursues a user-centric approach and aims to put the user of a connected product or related service in control of his/her data. The “user” is any natural or legal person who owns or has a temporary right to use a connected product or receives a related service (cf. Art. 2(12) Data Act). This includes the following main rules:
The following graphic illustrates the described new data economy situation under the Data Act:
The data holder only has certain limited veto rights against such access and data sharing by the user and third parties. In particular, the disclosure of trade secrets cannot be generally refused but only in certain cases, e.g., if the user or data recipient do not agree to or do not comply with agreed confidentiality measures or in exceptional circumstances if serious economic damage from disclosure is demonstrably highly likely.
Personal data is generally covered by the Data Act but applicable data protection law requirements (including the GDPR) remain unaffected and apply in addition to the Data Act. In particular, personal data may only be made available to a user who is not the data subject (i.e. the natural person identified or identifiable by the personal data) if there is a valid legal basis.
Consequently, data holders will need to ensure to know whether and which trade secrets and personal data are part of data generated by the use of connected products or related services, and thus are potentially subject to data access and sharing obligations.
The various new requirements and potentially severe implications under the Data Act require timely and thorough preparation by companies affected by the new rules (e.g., as manufacturer of connected products, provider of related services or in general as a data holder).
To prevent a lack of competition and lock-in effects in the area of cloud services, the Data Act will make it easier for customers to switch cloud services. Economic, technical, or organizational obstacles shall be minimized through the Data Act. Therefore, Chapter VI of the Data Act provides detailed specifications and restrictions for data processing service agreements regarding switching of cloud services. For example, agreements with data processing services shall contain a maximum notice period for initiating the switching process, which shall not exceed two months (Art. 25(2) lit. d) Data Act). The provider of related services must also ensure that all "data, applications and digital assets" can be transferred to a new provider within 30 days following this notice period (Art. 25(2) lit. a) Data Act). Finally, switching charges may only be imposed for a transitional period of three years from the date of entry into force of the Data Act and will then be completely prohibited (Art. 29 Data Act).
The Data Act will enter into force the twentieth day following the publication in the EU’s Official Journal (which is expected in the coming weeks), and will apply after 20 months from the date of its entry into force. However, while the main obligations will be effective from this date, certain obligations will only become applicable at a later stage (in particular, the access by design obligations under Art. 3(1) Data Act which will apply to connected products and the related services placed on the market after 32 months from the date of entry into force of the Regulation):
Authored by Martin Pflüger, Sarah-Lena Kreutzmann, and Jasper Siems. Supported by Michael Niehaus.