Breaking down the European Data Regulation: Implications and perspectives
In December 2023, the final version of the European Data Regulation was published in the Official Journal of the European Union, establishing conditions for the relationship between data holders and users.
The Data Act sets harmonized rules for data management and exchange in the European Union. Key aspects addressed by this regulation include:
- The availability of data from products and services for users.
- Data exchange between data holders and recipients.
- Facilitation of portability.
- Introduction of safeguards against unauthorized access to data.
- Development of interoperability standards.
The scope of the Data Act includes manufacturers of connected products, providers of related services, Union users, data holders and recipients, public sector bodies, and data processing service providers, among others. It is established that this regulation shall apply without prejudice to Union law and national law on the protection of personal data.
However, it is important to note that the European Data Act does not apply to voluntary agreements for data exchange between private and public entities.
Key implications
This legal text entered into force on January 11, 2024, with the main objective of creating equity in the data economy and empowering users to derive value from the data they generate through connected products.
The European Data Act allows users of connected products and related services to access the data they generate through their use, significantly impacting the economy by boosting additional services and creating new business opportunities.
- Data generated by the use of connected products or related services, such as temperature, pressure, etc., are included, both personal and non-personal. Derived or inferred data, as well as audiovisual material, are excluded.
- Data obtained cannot be used to develop other connected products, but their use for after-sales services is not prohibited. Furthermore, there is no obligation to share data with third parties outside the EU.
- Users can challenge data holders’ decisions to refuse data sharing before the competent authority.
On the other hand, it establishes rules for situations where a company (the ‘data holder’) has a legal obligation to share data with another company (the ‘data recipient’), ensuring that the terms are fair and non-discriminatory.
- Data holders can request reasonable compensation for data sharing, with limits to prevent excessive charges for microenterprises and SMEs.
- Measures are included to protect data holders from unauthorized access or use of data, allowing them to take corrective actions and seek compensation in case of infringements.
Similarly, this Law aims to protect European companies against unfair contractual clauses by intervening in situations where one of the companies has a stronger negotiating position and imposes non-negotiable terms related to data access and use.
- A non-exhaustive list of terms that are always considered unfair and others that are presumed unfair is established.
The Data Act also allows public sector bodies to access data held by private entities, under certain conditions, when there is an exceptional need, such as public emergencies or non-urgent situations that require data for public interest tasks.
- Companies can request reasonable remuneration for providing data, with certain limits based on the size of the company.
- Requests must comply with strict principles of transparency and proportionality, and data must be deleted when no longer necessary.
- To minimize the burden on companies, data cannot be requested more than once by different public sector bodies.
It also seeks to remove barriers for customers to switch data processing service providers freely, quickly, and smoothly.
- Customers, both public and private, will benefit from increased contractual transparency, balancing power between providers and customers.
- From January 12, 2027, providers will no longer be able to charge customers for data change or transfer operations.
In addition, requests for access and transfer of non-personal data by countries outside the EU are addressed.
- Rules are established to prevent illegal access and transfer of data to third countries that may conflict with EU laws and guarantees.
- Requirements and safeguards are established for requests for access by foreign public bodies to non-personal data in the EU.
- Data processing service providers are required to take reasonable measures to prevent unauthorized access to systems where non-personal data is stored.
Another goal is to ensure interoperability between data processing services. The groundwork is being laid to increase interoperability of data processing services through harmonized standards and open interoperability specifications.
Finally, Member States will designate competent authorities to implement the Data Act, with a designated coordinator to simplify the process. The Commission will maintain a public register of these authorities. Additionally, the European Data Innovation Board will facilitate coordination between these authorities and establish effective sanctions for infringements.
Future perspectives
From September 11, 2025, the legislation will come into full force, meaning that all its provisions and regulations will be effective and applicable in their entirety.
For businesses, implementing this regulation will require a thorough review of their data management practices. Organizations are expected to take proactive measures to ensure compliance with the new obligations.
Additionally, companies offering connected products and services will need to adjust to the access requirement set by the regulation, which will involve providing end users with greater control over their data and privacy.
For individuals, the entry into force of the Data Regulation will mean greater transparency and control over the use of their personal data. End users will have the legal ability to access, rectify, transfer, and delete their data more effectively, enabling them to make informed decisions about how their data is used online and protect their privacy more effectively.
For public authorities, this date will also mark the beginning of a new regulatory framework regarding data management. Designated authorities are expected to work closely to ensure consistent and effective implementation of the law in all Member States. Additionally, monitoring and enforcement mechanisms will be established to ensure compliance with the law and address any infringements in a timely and adequate manner.
The European Data Strategy aims to make the European Union a leader in the data economy by creating a single European market for the secure flow of data between sectors and Member States.
The European Data Act is a key pillar of this strategy by ensuring fairness in the distribution of data value. In this sense, an impact assessment of the law will be conducted within 3 years, with the possibility of amendments if necessary.
Overall, the entry into force of the Data Regulation in 2025 represents a significant step towards greater protection of privacy and individual rights in the digital environment. While imposing new responsibilities on companies, it also offers end users greater control and transparency over their personal data. Therefore, it is essential for both businesses and individuals to prepare for and adapt to the changes that this regulation will bring in the near future.
Letslaw es una firma de abogados internacionales especializada en el derecho de los negocios.