EU policymakers reach agreement on Data Act

The EU countries and lawmakers have reached a consensus on the Data Act. Initially proposed by the European Commission in 2022, the Data Act introduces the principle of data access, portability, and sharing for users of internet of things (IoT) products. It enables users of connected devices, including smart home appliances and industrial machinery, to access the data generated by these devices, typically controlled exclusively by manufacturers and service providers. It also aims to prevent unauthorised access to data by non-EU governments, addressing concerns raised following revelations of extensive surveillance by the USA in 2013. Additionally, it seeks to protect trade secrets and intellectual property rights, with safeguards in place to prevent abusive behavior by data holders. Public sector bodies, including the European Commission, the European Central Bank, and Union bodies, will have access to and can utilise private sector data in exceptional circumstances, such as during public emergencies or for fulfilling public interest tasks. It will also enable customers to switch between data-processing service providers (cloud providers) and establish additional safeguards against unauthorised data transfers. Lastly, the interplay between the Data Act’s existing horizontal and sectoral legislation, such as the Data Governance Act and the General Data Protection Regulation (GDPR), is clarified.

The Data Act will start to apply 20 months following its entry into force, with new products required to meet design requirements for data accessibility after one year and existing contracts on IoT products changing after five years.