On November 27, 2023, following the European Parliament, the European Council also adopted the EU Data Act. The aim of this act is to reduce legal, economic, and technical barriers to the data economy. Access to and transfer of automatically generated data arising from the use of a wide variety of networked products and related services (Internet of Things, IoT) is to be simplified. Such products include fitness trackers and products such as Apple CarPlay. Furthermore, this regulation is intended to make it much easier to switch cloud service providers. This blog article examines the key content of the EU Data Act, in particular its significance for the use of cloud services and the history of its development.
History of its development
The first draft of the EU Commission’s Data Act dates from February 23, 2022. It is a comprehensive set of rules for fair access to and use of data. According to the EU Commission, a large proportion of machine-generated/industrial data – up to 80% – currently remains unused. The Data Act aims to unlock this treasure trove of data by removing the legal, economic, and technical barriers to its use, while at the same time improving the value creation associated with data.
After many readings and amendments, the European Parliament approved the regulation on November 9, 2023. Following its subsequent adoption by the European Council on November 27, 2023, the EU Data Act entered into force on January 11, 2024. There will now be a transition period of 20 months before the Data Act becomes applicable on September 11, 2025. It will then apply to all companies offering relevant products in the EU. Further obligations, such as compliance with the principle of “access by design,” i.e., access by state judicial and investigative authorities when necessary, will only become applicable after a further twelve months, i.e., probably in September 2026.
The EU Data Act was developed from the initial draft phase on February 23, 2022, to its implementation on January 11, 2024. This period includes the transition period until full applicability on September 11, 2026.
Figure 1: Timeline of development
Overview – EU Data Act
But what exactly does this Data Act entail in terms of new developments?
The EU Data Act is intended to regulate the handling of data from the areas of IoT, Industrial Internet of Things (IIoT), and connected cars. It also addresses the use of virtual assistants, which are likely to be AI-based in the future, and assumes that they will become increasingly important.
It is intended to regulate the relationship between data owners and users. Users generate data that remains with data owners. The Data Act is intended to empower users to claim the data they have generated – and, if necessary, to trade it.
Switching between cloud service providers is to be made much easier. According to the EU Data Act, it is no longer permissible to prevent users from switching.
Key content aspects
Chapter 4 of the EU Data Act is dedicated specifically to switching between data processing services. This refers to what is known as “cloud switching.” According to this, a cloud service provider may not, for example, place technical, contractual, or organizational obstacles in the way of a customer who is about to switch. Specifically, this applies to, among other things, the termination of services, the conclusion of a new contract with a competitor, and the porting of data to a competitor or to one’s own on-premise infrastructure with the aim of obtaining similar services from a competitor or splitting services – also known as “unbundling.”
Chapter 4, Article 25 of the Data Act contains provisions on contractual agreements for data processing services such as cloud services. In addition, there are information requirements regarding the methods and formats for changing service providers. This includes, among other things, information about any restrictions and technical limitations. Service providers are required to maintain an up-to-date online register that provides information on data structures and formats as well as relevant standards and specifications for interoperability.
In Chapter 8, Article 33, the Data Act establishes comprehensive rules on the interoperability of data, mechanisms and services for data transfer and use in shared European data spaces. Data spaces refer, for example, to cloud environments such as AWS, Azure, or Google Cloud. The EU Commission may issue implementing regulations and request standards-setting organizations (e.g., ISO, DIN) to establish uniform standards in this area in order to achieve this interoperability. Providers must then implement these standards accordingly.
Monitoring the implementation of requirements
As is customary in comparable EU regulations, the EU sets out corresponding requirements for the implementation and enforcement of these rules in the Data Act. According to these requirements, the individual EU member states are to designate authorities responsible for enforcing the Data Act. For Germany, this is likely to be either the Ministry of the Interior or the BSI, which reports to it. However, this has not yet been decided. These authorities are to investigate complaints of violations of the EU Data Act, particularly in the area of trade secret protection, and generally monitor the application of the Data Act. In addition, they are to observe technological and economic developments in the area of data provision. Possible consequences would be an adjustment of regulations. An example of this would be a new product on the market that offers previously unknown possibilities for data collection and processing, for example in connection with AI. The member states will have to work out in the coming months what the EU-wide cooperation between the authorities should look like.
Similar to the GDPR, significant penalties are provided for violations of the EU Data Act. Fines can be up to €20,000,000 or up to 4 percent of the company’s global annual turnover. Such a penalty would be possible, for example, in the event of refusal to grant access to data.
Conclusion – EU Data Act
The EU Data Act is the first set of regulations of its kind worldwide. The processing of industrial data is moving closer to the processing of personal data (GDPR) in regulatory terms. However, no concrete statement has been made on the subject of “data ownership,” which has been criticized by data protection organizations. Furthermore, the Data Act represents a significant encroachment on the freedom of the parties concerned to draft data use agreements. Once the regulation finally comes into force, it will become clear what consequences this will have. Affected service and product providers should start implementing the requirements of the Data Act now at the latest, as it is clear that the Data Act will entail numerous obligations for digital companies, some of which can only be met through long-term and extensive process adjustments.
