The clock has ticked down by one year already: time to prepare for the Data Act

It's one year since the new EU Data Act came into force, starting off a 20-month transition window, which ends on 12 September 2025. There are now only eight months left to prepare before it takes full effect.

We have updated our overview to address what you need to know about the Data Act, how it may affect you and next steps. This is informed by our experience in advising clients as well as the European Commission's "Frequently Asked Questions" document.

For those who prefer a shorter digest, here are the key takeaways:

  • Name: Regulation on harmonised rules on fair access to and use of data ("Data Act")
  • Scope: The Data Act contains provisions of particular impact upon:
    • Manufacturers of connected products who offer their products to the EU market and providers of related services.
    • Providers of data processing services to customers in the EU (e.g. many cloud service providers).
  • What does it do: The Data Act aims to set out a framework for sharing of data:
    • especially access and portability for connected product data and related services data ("GDPR-like" rights will now apply to data which is not personal data); and  
    • easing the ability for customers to switch between providers of data processing services with far-reaching requirements on contracts and termination entitlements.
  • Enforcement: As a Regulation, the Data Act will apply automatically across EU member states. However, there will be local law variations, including in relation to enforcement (new regulators may be appointed). 

Examples of devices that will be in scope of the Data Act:

  • Consumer devices of all sorts, including lifestyle apps (connected to wearable devices) that track activities related to the user's exercise, diet, etc.;
  • Medical devices and appliances, including those that facilitate health monitoring (e.g. insulin pumps, glucose monitors, ECG monitors or blood pressure monitors, biosensors, etc.), those used for diagnostic purposes (e.g. for the analysis of blood samples) or those used for medical care (e.g. in-ward heart monitors, connected MRI or ultrasound scanners, etc.);
  • The Internet of Things including industrial connected equipment that does not collect personal data.

Data Processing Services in scope will include SaaS, PaaS and IaaS (that is, many cloud services) with only limited exceptions.

Next steps

The clock continues to tick and the Data Act will become applicable on 12 September 2025. Organisations potentially in scope ought to undertake some threshold analysis and then look to develop a project plan for compliance covering such topics as:

  • Mapping the data in scope – including identifying what is "pre-processed" data and identifying whether the "trade secret" exception may apply;
  • Policies and procedures for data access and portability (for connected products and related services);
  • Drafting new or updating existing contract terms, for instance data access and data portability terms or, for providers of data processing services, in relation to termination and switching;
  • Considering the interaction between the Data Act and GDPR – noting that the Data Act applies to both personal data and non-personal data and provisions may conflict.

We have developed a project plan to help navigate these obligations.

If you have any questions or would like our assistance in preparing, please get in contact.

We will look to issue further updates as the implementation date gets nearer and member states supplement the legislation.
