Data regulation and cyber
Learn more
Data Act
Status: In force
- Commission’s proposal published 23 February 2022
- Council adopted its position on 17 March 2023
- Parliament adopted its position on 14 March 2023
- Final agreement formally adopted by Parliament on 9 November 2023, Council’s formal endorsement given on 27 November 2023
- In force since 11 January 2024, see after publication of final text in the EU Official Journal, application from 12 September 2025 (with certain exceptions where individual provisions or chapters have a deviating application date)
Summary
EU Regulation introducing rules for the sharing and use of data generated on the internet of things, and for cloud providers when it comes to interoperability, switching and international data transfers. Designed to improve access, exchange and use of valuable data generated by connected devices so that more public and private stakeholders can benefit from Big Data and Machine Learning.
Scope
- Data sharing obligations apply to companies that manufacture / offer connected products or related services in the EU, those who make this data available to others
- Interoperability obligations and obligations on international data transfers apply to providers of data processing services (including IaaS, PaaS, SaaS) offered to EU based customers
- Applies to personal and non-personal data
Key elements
Connected products and related services
- Obligation for companies to grant users, third companies or the public sector access to data. Implementation of fair, transparent and non-discriminatory regulation (standards) of access to data
- Extensive information requirements on the generated data vis-à-vis end users before a contract for the purchase, rent, or lease of a connected product or a related digital service is concluded
- Use of private data by government (B2G): fair, transparent access to privately held data for use in public interest (e.g. environmental protection, public health)
- Promoting data access and use in B2B relationships (fairness test against unfair, unilateral contractual terms and transparency obligations)
Data processing services (in particular cloud services)
- Obligation for cloud service providers to allow users to easily switch cloud services and to improve portability between cloud providers, and to implement safeguards against unlawful government access and for international transferof non-personal data
Enforcement
- Fines of up to EUR 20 million or 4% of annual group turnover, whichever is higher
Challenges
Connected products and related services
- Interplay with GDPR is unclear, specifically how to treat in practice mixed data sets which contain personal and non-personal data
- Implementation of data access obligations poses a significant administrative burden
- Data access rights might interfere with the protection of companies’ trade secrets
- Requirements for the technical design of data portability might be onerous: Companies in scope must fulfil access and portability requirements for data for users of networked products
Data processing services
- Compliance burden by imposing Schrems-II requirements for international transfer of non-personal data on data processing services
- Limiting switching charges, not a clear cut which costs will be in scope
- Scope of interoperability obligations is not completely clear and yet to be determined how the requirements will function regarding the practical challenges of IT migration
Contacts
Dr. Theresa Ehlen Partner
Düsseldorf, Frankfurt am Main
Dr. Christoph Werkmeister Partner
Düsseldorf
Dr. Lutz Riede Partner
Wien, Düsseldorf
Jenny Leahy Partner
London, Brüssel
