Privacy & Cybersecurity Law Blog

On November 9, 2023, the European Parliament adopted, by a majority of 481 votes in favor, 31 votes against and 71 abstentions, the final text of the Data Act. As explained in our previous blog, the Data Act aims to “ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible for all” and was initially proposed by the European Commission on February 23, 2022.

Key elements of the Data Act include:

• Reinforced data portability and data sharing measures allowing connected device users to gain access to, and share with third parties, data generated by connected devices, thereby allowing cheaper aftermarket and other data-driven innovative services (such as predictive maintenance).
• Rules governing the processing of data shared under the Data Act by third parties, and the relationship between the third party receiving the data and the original data holder.
• Measures to rebalance the negotiating power of small and medium-sized enterprises by preventing the abuse of contractual imbalances in data sharing contracts. Model contracts also will be developed by the European Commission to help companies draft and negotiate fair data-sharing contracts.
• Granting public sector bodies the authority to access and use data held by private companies in circumstances of high public interest, such as natural disasters, subject to specific conditions.
• Data and cloud interoperability rules that allow end users to effectively switch between cloud and edge service providers, and establish safeguards against unlawful data transfer and access by non-EU governments.
• A clarification that databases containing data from Internet-of-Things (IoT) devices and objects should not be subject to separate legal protection, thereby allowing data generated by IoT devices to be accessed and used more easily by end users.
• Restrictions on data sharing with entities considered as gatekeepers under the Digital Markets Act.

EU Member States are required to designate one or more competent supervisory authority(ies) to enforce Data Act. Furthermore, EU Member States are responsible for defining the rules on penalties applicable to infringements of the Data Act. That said, these penalties should be effective, proportionate and dissuasive. Additionally, under Article 40(4) of the Data Act, EU data protection supervisory authorities will be responsible for monitoring the application of Chapters II, III and V of the Data Act, insofar as the protection of personal data is concerned and, in this case, the rules on penalties under the GDPR shall apply.

The Data Act will enter into force after it is formally adopted by the Council, which is expected to occur in the near future. Most of its provisions will become applicable 20 months after its entry into force.

Read the Data Act (as adopted by the European Parliament) and the press release.

Update: Following adoption by the European Parliament, on November 27, 2023, the Council has officially adopted the Data Act.