The EU Data Act aims to provide a regulatory framework to govern and make easier the sharing, use and re-use of internet of product-generated data. It also aims to make it easier to switch between cloud providers.
Is the text of the law finalised yet? When will it apply?
No, the law is still going through the EU legislative process but we expect it to be finalised during 2023 and then enter into force 24 months thereafter.
Who does it apply to?
The EU Data Act primarily applies to manufacturers, suppliers and users of IoT devices/related services. It also applies to “data holders” that make data available to data recipients in the EU, public sector bodies in certain situations and data processing services providers. It also applies to cloud service providers.
What are the key obligations?
Data holders (i.e. the manufacturer/service provider with initial control of the IoT data) must give users (i.e. the owner or renter of the IoT product) readily available access to the data generated about them.
There are complicated restrictions on how IoT data may be used by third parties.
Cloud providers will be subject to a range of obligations to help users switch to another provider, including a right for customers to terminate on 2 months’ notice (exact period currently being debated). They must also take technical measures to safeguard against non-EU governmental access that may conflict with EU laws to IoT data that they hold.
There are also provisions relating to minimum standards for interoperability for operators of European Data Spaces and minimum standards for smart contracts used for data sharing.
Does the UK have anything similar?
Not specifically, but Part 3 of the UK Data Protection and Information Bill (the Bill) (which is subject to further change) sets the ground for regulations analogous to the EU Data Act. For example, the current draft of the Bill enables the Secretary of State to pass regulations which enhance competition between companies by facilitating the sharing of both customer and business data.
What are some of the commercial impacts of the EU Data Act?
Data holders that are obliged to make data available to data recipients will need to consider what data is in scope.
Businesses providing B2C or B2B IoT data access will need to understand what provisions they should (and are permitted to) include in their data access contracts in order to protect their own IPR.
Cloud service providers will need to repaper existing contracts to meet the new requirements.
Subscribe and stay up to date with the latest legal news, information and events . . .