Regulation (EU) 2023/2854 on harmonised rules on fair access to and use of data (Data Act)

Regulation (EU) 2023/2854 on harmonised rules on fair access to and use of data, also known as the Data Act, establishes the rules on the access and use of data between businesses, users and the public sector. According to the Act, product manufacturers and holders of data are subject to extensive data sharing and data interoperability requirements, whereas providers of data processing services are obliged to allow their customers to switch to other providers.

On 11 January 2024, Regulation (EU) 2023/2854 on harmonised rules on fair access to and use of data, known as the Data Act (“Regulation” or “Act”), entered into force.

The Regulation is an integral part of the 2020 EU Data Strategy, which aims to make the EU a leader in a data-driven society.

The aim of the Regulation is to establish a European single market for data in order to allow data to flow freely within the EU and across sectors for the benefit of businesses, researchers and public administrations.

To this end, the Regulation enacts: (i) business to consumer and business to business data sharing obligations; (ii) data holders’ obligations to make data available; (iii) rules prohibiting the unfair restriction of access to data between businesses; (iv) rules on making data available to public sector bodies; (v) obligations on the switching of customers between data processing services; and (vi) requirements regarding data sharing and interoperability.

The Data Act, together with the Regulation on the free flow of non-personal data, the Data Governance Act, the forthcoming Common European Data Spaces and the GDPR, forms the new field of EU data law, making data governance and compliance central in most industries.

  1. Subject Matter & Scope

The Data Act lays down harmonized rules on the following areas:

i. business to consumer and business to business data sharing obligations;

ii. data holders’ obligations to make data available;

iii. rules prohibiting the unfair restriction of access to data between businesses;

iv. rules on making data available to public sector bodies;

v. obligations on the switching of customers between data processing services; and

vi. requirements regarding data interoperability.

The Act applies to the processing of personal and non-personal data by:

(a) manufacturers of connected products in the Union and providers of related services placed on the EU market;

(b) users of connected products or related services in the Union;

(c) data holders that make data available to data recipients in the Union;

(d) data recipients in the Union to whom data are made available;

(e) public sector and EU bodies that request data holders to make data available;

(f) providers of data processing services to customers in the Union;

(g) participants in data spaces and vendors of applications using smart contracts and persons commercially deploying smart contracts for the execution of data sharing agreements.

  2. Definitions

The Regulation provides for the following main definitions:

  • “Data Holder”: any natural or legal person that has the right or obligation under the law to use and make available data;

  • “Data Processing Service Provider”: any provider of digital service provided to customers that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction;

  • “Data Recipient”: any natural or legal person acting for purposes which are related to that person’s trade, business, craft or profession, other than the user of a connected product or related service, to whom the data holder or a third party on the behalf of the latter makes data available;

  • “User”: a natural or legal person that owns a connected product or to whom temporary rights to use that connected product have been contractually transferred, or that receives related services;

  • “Connected Product”: an item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user;

  • “Related Service”: a digital service, other than an electronic communications service, including software, which is connected with the product at the time of the purchase, rent or lease in such a way that its absence would prevent the connected product from performing one or more of its functions, or which is subsequently connected to the product by the manufacturer or a third party to add to, update or adapt the functions of the connected product.

  3. Obligations of Manufacturers of Connected Products and Providers of Related Services

Manufacturers of connected products and providers of related services shall design and manufacture their products and services in such a manner that generated data, including metadata, are, by default, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format, and, where relevant and technically feasible, directly accessible to the user.

In addition, before concluding contracts for the purchase, rent or lease of connected products, sellers, rentors or lessors, which may also be manufacturers, shall provide information to users, in a clear and comprehensible manner, regarding the use and making available of generated data.

  4. Data Holders’ Rights & Obligations

According to the Act, data holders shall render data, including metadata, generated by connected products and related services accessible to users without undue delay, of the same quality as is available to the data holder, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format and, where relevant and technically feasible, continuously and in real-time.

In addition, data holders shall be obliged to execute contracts with data recipients for making data available under fair, reasonable and non-discriminatory terms and conditions and in a transparent manner and without unfair contractual terms. A contractual term is unfair if it is of such a nature that its use grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing.

Furthermore, data holders shall not discriminate regarding the arrangements for making data available between comparable categories of data recipients, including partner enterprises or linked enterprises of the data holder when making data available.

Any compensation agreed upon between a data holder and a data recipient for making data available in business-to-business relations shall be non-discriminatory and reasonable and may include a margin, taking into account costs incurred and investments in the collection and production of data.

A data holder may apply appropriate technical protection measures, including smart contracts and encryption, to prevent unauthorised access to data, including metadata, and to ensure compliance with its rights under the Act, as well as with the agreed contractual terms for making data available.

The sui generis database right shall not apply when data is obtained from or generated by a connected product or related service falling within the scope of the Regulation.

Data holder obligations shall not apply to data generated through the use of connected products manufactured or designed or related services provided by microenterprises or small or medium-sized enterprises.

Finally, where a public sector or EU body demonstrates an exceptional need to use certain data, including the relevant metadata, to carry out its statutory duties in the public interest, data holders that are legal persons and hold those data shall make them available upon a duly reasoned request.

  5. Users’ Rights & Obligations

Users have the following rights under the Act:

  • To request from data holders and receive data, including metadata, without undue delay;

  • To request from data holders to share data, including metadata, with a third party without undue delay;

  • To lodge a complaint with the competent authority;

  • To agree with the data holder to refer disputes to a dispute settlement body.

Any contractual terms which, to the detriment of the user, exclude the application of, derogate from or vary the effect of users’ rights shall not be binding on users.

Furthermore, data holders shall not make the exercise of user choices or rights unduly difficult, including by offering choices to the user in a non-neutral manner or by subverting or impairing the autonomy, decision-making or choices of the user via the structure, design, function or manner of operation of a user digital interface or a part thereof.

On the other hand, users shall not (i) use the data obtained to develop a connected product that competes with the connected product from which the data originate, nor share the data with a third party with that intent; or (ii) use coercive means or abuse gaps in the technical infrastructure of a data holder which is designed to protect the data in order to obtain access to data.

Trade secrets shall be preserved and shall be disclosed only where the data holder and the user take all necessary measures prior to the disclosure to preserve their confidentiality in particular regarding third parties.

  6. Third Parties’ or Data Recipients’ Obligations

According to the Act, third parties receiving data from data holders at the request of users shall process such data only for the purposes and under the conditions agreed with the user and subject to applicable data protection law.

The third party shall erase the data when they are no longer necessary for the agreed purpose, unless otherwise agreed with the user in relation to non-personal data.

Third parties shall, among others, not make the received data available to another third party, unless the data is made available on the basis of a contract with the user, and provided that the other third party takes all necessary measures agreed between the data holder and the third party to preserve the confidentiality of trade secrets.

Third parties shall also not use the received data to develop a product that competes with the connected product from which the accessed data originate or share the data with another third party for that purpose.

In case of breach of the Act or the agreed contractual terms with the data holder or the technical protection measures upon data, third parties or data recipients shall erase the data, end the offering of goods or services on the basis of knowledge obtained through such data and compensate the data holder.

  7. Obligations of Data Processing Service Providers

The Act imposes obligations on data processing service providers to enable their customers to switch to a different data processing service provider covering the same service type or to on-premises ICT infrastructure, or, where relevant, to use several providers of data processing services at the same time, without imposing commercial, technical, contractual and organizational obstacles.

The switching contract between the customer and the provider of data processing services shall, inter alia, include provisions stipulating (i) the switching without undue delay and in any event not after the mandatory maximum transitional period of 30 calendar days; (ii) the maintenance of the customer’s business continuity and the adherence to a high level of security during switching; (iii) the categories of data and digital assets to be ported and those exempted from switching; and (iv) the charges for the switching.

In addition, data processing service providers shall take all reasonable measures in their power to facilitate that the customer, after switching to a service covering the same service type, achieves functional equivalence in its use.

Furthermore, data processing service providers shall be subject to interoperability obligations through open specifications and harmonized standards.

Finally, data processing service providers shall take technical, legal and organizational measures to prevent international and third-country governmental access and transfers of non-personal data held in the EU when that transfer or access would conflict with existing laws, except in the case of an international agreement.

  8. Other Requirements Regarding Data Sharing & Interoperability

The participants in data spaces that offer data or data services to other participants in data spaces shall be subject to transparency obligations and provide for the means to enable the interoperability of tools for automating the execution of data sharing agreements, such as smart contracts. The foregoing requirements for data spaces shall be specified by virtue of a Commission delegated act.

Accordingly, vendors of applications using smart contracts and persons commercially deploying smart contracts for executing data sharing agreements must meet robustness, safety, continuity, access control, consistency and interoperability requirements. Likewise, the foregoing requirements for smart contracts shall be specified by virtue of a Commission delegated act.

  9. Supervision & Enforcement

Member states are required to designate national authorities for the application and enforcement of the Regulation.

Such authorities shall, among others, have the power to:

  • Request information from users, data holders, or data recipients, or their legal representatives, to verify compliance with the Act;
  • Handle complaints of any natural and legal person acquiring rights under the Act for alleged violations of the Act;
  • Conduct investigations into matters that concern the application of the Act;
  • Impose effective, proportionate and dissuasive financial penalties;
  • Monitor technological developments for making data available and its use.

Entities falling within the scope of this Regulation shall be subject to the competence of the Member State where the entity is established. Where the entity is established in more than one Member State, it shall be considered to be under the competence of the Member State in which it has its main establishment.

Any entity falling within the scope of this Regulation that makes connected products available or offers services in the Union, and which is not established in the Union, shall designate a legal representative in one of the Member States.

Users, data holders, data recipients, and customers and providers of data processing services may utilize certified dispute-settlement bodies to settle disputes concerning certain rights and obligations regarding data access, use and sharing, as well as switching data processing services. Dispute-settlement bodies must issue their decision within 90 days of receipt of a request for a decision.

  10. Timeline

The Data Act will become applicable on 12 September 2025.

Provisions related to the open data access design of connected products and related services shall apply from 12 September 2026.

By 12 September 2025, the European Commission shall also issue Model Contractual Terms on data access and use, and Standard Contractual Clauses for cloud computing contracts.
