The new Data Act and the EU’s vision for non-personal data sharing in Europe

The question

What does the proposed EU Data Act mean for the usage and sharing of non-personal data by businesses?

The key takeaway

The proposed EU Data Act (the Act) will govern the ownership, access, use and storage of non-personal data generated by connected devices and machinery such as smart appliances. Foreign products and services supplied to users in the EU will also be subject to the proposed Act.

The background

In February 2022, as part of the EU’s 2020 Data Strategy, the European Commission proposed a new Act which sets out a framework to govern the use and sharing of non-personal data. The Act is not a replacement for the EU General Data Protection Regulation but is intended to focus on non-personal data generated by connected devices and services arising from such devices. Issues regarding the use of such data have been brought into sharp relief due to the rise in popularity of smart household appliances and industrial machinery as well as the rapid development of artificial intelligence.

The development

On 24 March 2023, the EU law-making institutions entered into trilogues – the last stage before the EU officially agrees on the text of the Act. 

The Act is expected to apply extra-territorially so products and services which are supplied to the EU will also be within scope.

The Act introduces the following obligations:

• manufacturers and service providers must design connected products and services which allow users (both individuals and businesses) to access their data with ease
• users should be given the option to consent for their data to be shared with third parties
• data holders must implement measures to safeguard data
• data sharing agreements between businesses must be fair, and
• cloud operators and data processing service providers will be subject to interoperability requirements to facilitate customers’ ability to switch between providers easily. The European Commission may adopt delegated acts or implement additional harmonised standards to introduce further interoperability requirements.

Regulators may impose administrative fines as per their discretion on manufacturers and data holders if they do not comply with the above measures.

Why is this important?

For businesses who invest heavily in collecting, analysing and monetising data collected through their products or services, the new Act is significant as it would require that such data be made accessible to users, other third parties and the public sector. The new interoperability requirements are also noteworthy as these will likely result in a compliance cost for cloud providers and may affect their customer base and market share.

Any practical tips?

Manufacturers of connected devices and data holders should review their data collection and data use strategies in light of the new obligations under the Act. New processes and systems would also need to be implemented to ensure that users are able to exercise their rights under the Act. Cloud providers and data processing service providers should review the interoperability and switching standards set out in the proposed Act as against their infrastructure and keep an eye on further requirements that may be issued by the European Commission in the future.