On November 27, 2023, the Council of the EU formally adopted the Data Act, following the European Parliament’s endorsement of November 9, which concludes the EU legislative process.  As noted below, the Data Act will shortly be published in the Official Journal and become enforceable in 2025.

The Data Act is designed to require entities to make data, including non-personal data, accessible to other parties, so that it can be re-used for new purposes.  The Data Act’s obligations are broad  and may require significant engineering work to re-design products to ensure compliance.  

We provide below a brief overview of key takeaways and timelines.

Scope

As previously reported in our blog posts (here and here), the Data Act covers both personal and non-personal data that is obtained, generated, or collected by connected products and/or their components, and related digital services.  It will apply to a variety of entities, including (i) manufacturers of connected products (i.e., physical products capable of collecting or generating data concerning their use or environment, and of communicating product data), (ii) suppliers of related services (i.e., digital services, including software, integrated into or associated with a connected product); (iii) “data holders” that have the right or obligation to use or make data available; and (iv) providers of data processing services.

The Data Act sits alongside a growing cast of existing and planned EU data-related laws, such as the GDPR (especially in relation to the right of access and data portability), the Data Governance Act (see our previous blog post here), the proposed European Health Data Space (see our previous blog post here), and the Digital Markets Act (see our previous blog post here).

Obligations

The Data Act imposes a range of obligations, including:

  • Obligations for manufacturers to design their products so that data generated or captured by those products are available to users of the product for free and ideally directly;
  • Measures regulating contractual terms in data sharing contracts between parties, such as data holders and users or third parties;
  • Rights to access and share data generated through the use of connected products and related services;
  • Measures to promote the development of interoperability standards; and
  • Mechanisms for public bodies to access private sector data in case of public emergencies.

The new obligations may require organization to consider that they will make previously proprietary data accessible to users and roll out new contracts that are Data Act compliant.  They will also apply to a broad range of products generating “non-personal data” – for example, industrial and commercial machines sold business-to-business – which were previously largely unregulated under EU data laws but will now need to be re-assessed.

Timeline

The Data Act will enter into force on the twentieth day after its publication in the Official Journal of the European Union, which is expected in the coming weeks.  The regulation will then become enforceable 20 months after its entry into force – i.e., in mid-2025.

The access requirement will apply to connected products and related services placed on the market after 32 months from the Act’s date of entry into force – i.e., in mid-2026.

Although the regulation will not be enforceable for some time, organizations should begin assessing their compliance strategies well in advance of the enforcement deadline, as the new obligations may require significant time to plan and roll out technical solutions.


Covington’s Data Privacy and Cybersecurity Practice Group has deep experience advising clients on European data-related and privacy regulations, including on the implementation of the Data Act, Data Governance Act and data spaces such as the EHDS. If you have any questions on how the Data Act and other upcoming EU legislation will affect your business, our team is happy to assist.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Photo of Laura Somaini Laura Somaini

Laura Somaini is an associate in the Data Privacy and Cybersecurity Practice Group.

Laura advises clients on EU data protection, e-privacy and technology law, including on Italian requirements. She regularly assists clients in relation to GDPR compliance, international data transfers, direct marketing rules…

Laura Somaini is an associate in the Data Privacy and Cybersecurity Practice Group.

Laura advises clients on EU data protection, e-privacy and technology law, including on Italian requirements. She regularly assists clients in relation to GDPR compliance, international data transfers, direct marketing rules as well as data protection contracts and policies.