EU Data Act in force


Regulation (EU) 2023/2854 on harmonised rules on fair access to and use of data (“the Data Act”), first proposed in 2022, has completed the legislative process and has been published in final form. The Act, which seeks to promote a fair and innovative data economy, is briefly summarised below.

The Act, which applies to both personal and non-personal data, provides that connected products and related digital services (e.g. vehicles, home equipment and industrial machinery) must be designed and manufactured in a way that enables owners of such products (“users”, whether consumers or businesses), by default and free of charge, to directly access data generated by their use, where such access is technically feasible. Where such data is not directly accessible by the user, the Act grants the user a right to request access to “readily available” data generated by their use, which the data holder must provide free of charge, without undue delay and, where technically feasible, continuously and in real time. The user can also request the data holder to share such data with third parties, free of charge to the user. The data holder must make the data available to third-party business users under fair, reasonable and non-discriminatory terms, but this does not prevent the data holder imposing a charge, including a margin, provided it is non-discriminatory and reasonable.

Certain exceptions to the user’s rights are included within the Act such as those relating to the protection of the data holder’s trade secrets, security requirements and prototypes, and there is a prohibition on the use of the shared data to develop products which compete with those from which the data originate. Data holders are not required to share data with third parties who are designated as gatekeepers under the EU Digital Markets Act.

The Act also addresses business-to-business contracts containing terms relating to the access and use of data. Where any such term is unilaterally imposed by one contracting party on another, the term will not be binding if it is unfair, that is, if it grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing. “Unilaterally imposed” means that the other contracting party has not been able to influence the content of the contractual term despite an attempt to negotiate it. The contracting party that offers the contractual term bears the burden of proving that the term has not been unilaterally imposed.

Private sector data holders are required to share data with public sector bodies and EU institutions when, amongst other things, those bodies demonstrate an exceptional need to carry out their statutory duties in the public interest, such as where the data is necessary to respond to a public emergency (e.g. major cybersecurity incident), and the data cannot be obtained by alternate means in a timely and effective manner.

The Act also sets out rules to facilitate the ability of customers (individuals and businesses) to switch from one data processing service provider to another or to the customer’s own on-premises ICT infrastructure, including removing obstacles to the porting of the customer’s exportable data and digital assets and the gradual removal of switching charges.

To avoid a conflict between the Act and existing IP law, the Act clarifies that the sui generis right that protects databases under EU law will not extend to databases containing data obtained from or generated by the use of a connected product or related service falling within the Act’s scope. Further, any processing of personal data under the Act must comply with GDPR, including the need for a legal basis for processing; the Act itself does not constitute such a basis.

The Act came into force on 11 January 2024 and will apply from 12 September 2025. Specifically, the prohibition against unfair contractual terms relating to contracts for the access and use of data will apply to contracts concluded after that date and will apply from 12 September 2027 to contracts concluded before 12 September 2025 where they are of indefinite duration or due to expire at least ten years from 11 January 2024. The obligation to design and manufacture connected products and related services in a way that enables users to access data generated by their use will apply to such products and services placed on the market after 12 September 2026.
