Will the EU Data Act Transform How We Handle Digital Data ?

Working in tandem with the EU Data Governance Act (DGA), applicable since September 2023, the Data Act establishes clear rules about who can create value from data and under what conditions. While the Data Governance Act focuses on voluntary data sharing processes, the Data Act defines the practical implementation of data access and usage rights. Together, these regulations form the backbone of the EU's single market for data.

As a cross-sectoral piece of legislation, the Data Act applies principles across all industries while maintaining existing data access obligations. Its primary focus lies in addressing the challenges presented by the Internet of Things (IoT) and ensuring that connected products empower both businesses and consumers with easy, secure access to their generated data.

The Act introduces specific measures for data accessibility.
Connected products must now be designed and manufactured to allow users to easily access and share their generated data. This represents a giant shift : just as traditional products come with all their physical components, connected devices must now provide access to the data they generate during use.

The legislation's practical implications are far-reaching. 
For example, in precision agriculture where IoT analytics enable farmers to analyze real-time data about weather conditions, moisture levels and market prices, leading to optimized crop yields and more informed resource allocation decisions.
In the industrial sector, access to equipment performance data opens new possibilities for efficiency improvements. Manufacturing, agriculture, and construction industries can now optimize their operational cycles and production lines through machine-learning technologies, fostering innovation and competitiveness.

The Data Act actively promotes fair competition in the aftermarket services sector. Users of connected products can now choose to share their data with third-party service providers, enabling more cost-effective repair and maintenance options. This not only potentially reduces market prices but also contributes to the EU's Green Deal objectives by extending product lifespans.

A significant innovation in the Data Act is about cloud market efficiency. New rules establish a framework for customers to switch between different data-processing service providers effectively, promoting competition and data interoperability in the EU cloud market.

The legislation includes safeguards against unfair contractual terms, particularly protecting enterprises from conditions imposed by parties with significantly stronger market positions. The European Commission will develop model contract clauses to assist market participants in drafting and negotiating fair data-sharing agreements.

The Act enables public sector bodies to access private sector data for specific public interest purposes, particularly in emergencies or natural disasters, while ensuring minimal burden on businesses.

It would be likely to take a risk-based approach, focusing particularly on identifying valuable data assets like machine learning data, service enablement information and energy data, as these are likely to attract more interest and therefore carry higher risk: 

1. Personal Data Risks:

• • Increased visibility of data due to enhanced access requirements
  • Challenges with data minimization requirements
  • Issues with deletion and anonymization compliance
  • Higher risks due to expanded data visibility

2. Non-Personal Data Risks:

• • Uncertainty about future regulatory processes
  • Unknown stakeholder interest in industry data
  • Potential individual and company claims from data recipients
  • Evolving risk landscape that will develop over time

3. Business Model Risks:

• • Impact on data-driven business models
  • Competition taking advantage of accessed data
  • Protection of IP and trade secrets while providing data access
  • Security implications of reverse engineering

4. Implementation Risks:

• • Adaptation of development and procurement processes
  • Internal data governance challenges
  • Legal entity structure considerations
  • Alignment with multiple regulatory frameworks (GDPR, Cyber Resilience Act, etc.)

Due to the complexity of implementation, it is highly recommended to start preparation early even though the requirements may seem straightforward at first glance : 

1. Access by Design and Default: Manufacturers and data holders must implement data access capabilities as a fundamental design feature. This mirrors GDPR's privacy by design concept.
2. Data Sharing Requirements: Organizations must enable data sharing with third parties upon user consent. This creates challenges around protecting intellectual property while ensuring data accessibility.
3. Information Obligations: Similar to GDPR privacy notices, companies must provide clear information about data usage and access rights.

For implementation, organizations should:

• Adapt development and procurement processes early
• Map data landscapes and identify affected products
• Assess technical requirements
• Review internal data governance
• Align with existing regulations (GDPR, Cyber Resilience Act)
• Protect IP and trade secrets while enabling access
• Ensure security against reverse engineering

The EU Data Act has lots of similarities to GDPR 2.0 in :

• Data access rights
• By design and default requirements
• Information obligations
• Partial enforcement by Data Protection Authorities

But the key difference lays in : The only element not in GDPR is the third parties being able to get access with the consent of the user.

Organizations are advised to reuse GDPR best practices where applicable while recognizing these distinct requirements, particularly around third-party access rights.