In 2022, the European Commission proposed a Regulation on harmonised rules on fair access to and use of data. The Commission’s view is that use of data generated by machine-to-machine and human-to-machine interaction via connected devices is critical for innovation by businesses (e.g. for training AI systems) and public authorities (e.g. to build smart cities). Continuous, real-time access to such data could bring improvements in many areas including personalised medicine, mobility and sustainability. However, there is insufficient availability of such data.

On 9 November the European Parliament (“EP”) formally adopted the Data Act in plenary in the form agreed during earlier negotiations with the Council of the EU (“adopted text”).

Specifically, the Data Act, which applies to both personal and non-personal data, grants users (consumers and businesses) a right to access data generated by their use of connected products and related software and digital services (e.g. vehicles, home equipment and industrial machinery). The adopted text has clarified that this should be free of charge to the user. Providers must ensure that all relevant devices and related services are designed to facilitate the exercise of such rights. The user is not allowed to use the shared data to develop connected products which compete with those from which the data originate.

The owner of a connected product can also request the holder of data relating to its use of the connected product and related service (“data holder”) to share such data with third parties (save that there is no obligation to make the data available to entities designated as “gatekeepers” under the EU Digital Markets Act, digital service providers with substantial market share in the EU). The adopted text clarifies that this must be free to the user but also limits the obligation to data which can be obtained without disproportionate effort. The data holder must make the data available to third parties under fair, reasonable and non-discriminatory terms but this can include an agreement to receive reasonable compensation.

Private sector data holders are required to share data with public sector bodies and EU institutions in the case of exceptional need such as where the data is necessary to respond to a public emergency (e.g. cybersecurity incident), to prevent or assist in the recovery from a public emergency, or where the lack of data prevents the fulfilment of a specific task in the public interest explicitly provided by law (and the data cannot be obtained by alternate means or obtaining the data in this way would substantively reduce the administrative burden for data holders). The adopted text makes several changes to this provision to narrow it and add additional safeguards. The Act also allows the sharing of data obtained in the case of exceptional need for the purposes of scientific research compatible with the purpose for which the data was requested.

To avoid a conflict between the Act and existing IP law, the Act clarifies that the sui generis right that protects databases under EU law will not extend to databases containing data obtained from or generated by the use of a connected product or related service. Finally, the information sharing requirements under the Act are subject to several provisions for the protection of confidential information and trade secrets.

The Act also sets out rules to facilitate the ability of customers to switch from one cloud service provider to another, including removing obstacles to the porting of the customer’s data, applications or other digital assets from one provider to another.

Once the Council has also formally adopted the text, it will then be published in the Official Journal of the EU and will come into force 20 days from the publication date. Most of Act’s provisions will come into force 20 months after that (increased in the adopted text from 12 months).

For more information, click here.