Introduction to the EU Data Act: Revolution in the non-personal data market: Innovation and business in the IoT market
Last January 11, 2024, the long-awaited and heralded EU Regulation, known as the "Data Act" (Regulation (EU) 2023/2854), entered into force. It is scheduled to apply from September 12, 2025 for most provisions and from September 12, 2026 for specific provisions related to the design of new related products and services. This large timeframe is intended -as is often the case with EU Regulations with major impacts on business organization (see, for example, GDPR) -to allow companies to adapt their procedures and business models to the new and stringent requirements dictated by the legislation.
To give an initial general background, we point out that the Data Act:
- fits into the 2020 "European Data Strategy," which aims to create a single market allowing data to circulate freely within the EU and across all sectors, for the benefit of businesses, researchers and public administrations;
- follows the publication -and subsequent effectiveness from September 2023- of the "Data Governance Act," which in turn aims to establish a regulatory framework for the enabling,** sharing and use of data** within the European Union, promoting access to and reuse of data, while respecting data protection and privacy rules;
- pursues the goal of enabling, promoting and regulating the sharing and commercialization of non-personal data generated by Internet of Things (IoT) devices among enterprises and with government agencies. Given its nature and context, the Data Act will need to be applied with due consideration of all related EU regulations on privacy (GDPR), e-commerce and digital services (Digital Service and Market Acts), and Artificial Intelligence (AI Act, forthcoming).
The innovative scope of the legislation can already be understood by reading some specific provisions of this legislation:
- Article 3: Requires IoT products to be designed to provide end users with access to the data generated in a simple, secure and free way. Enterprises will have to incorporate appropriate data access mechanisms into their technical solutions, ensuring that the data is provided in standardized and easily usable formats. Enterprises must then review the design of their products to ensure compliance with the principles of accessibility and transparency.
- Article 4.3: requires service providers related to IoT products to inform users about the nature of the data generated and how it can be accessed and shared. This calls for a transparent communication approach, where companies will have to develop and share clear and understandable documentation on how users can retrieve and use their data, thus stimulating greater trust and collaboration with end users.
- Article 8.1: requires parties who, by contract or regulatory obligation, will have to make data available to third parties to do so on fair, reasonable, non-discriminatory terms and in a transparent manner, promoting fair competition and preventing monopolistic or restrictive practices in the data market.
- Article 9.1: specifies that the compensation agreed upon between the owner and recipient of data for making data available in business-to-business relationships shall be non-discriminatory and reasonable and may include a margin. Thus, parties involved in data-based transactions must negotiate and establish fair agreements that reflect the value of the shared data, ensuring a fair distribution of the benefits derived from its commercialization.
These predictions make us realize that the legislation not only establishes obligations but also opens up new avenues for data monetization and innovation. Sharing data according to principles of fairness and transparency will promote a more collaborative and competitive digital ecosystem, where companies will be able to develop new services or improve existing ones through access to previously inaccessible data. Business development will also be able to be fostered by providers of “intermediation services” (a figure already envisioned by the Data Governance Act) who will carry out economic activity aimed at creating business relationships based on data sharing between users and third parties.
In this area, some studies on the operational application of the Data Act are already available, such as the "Study for developing criteria for assessing 'reasonable compensation' in the case of statutory data access right" prepared for the European Commission to better understand the assumptions on the basis of which it will be possible to establish the fairness of compensation arising from the buying and selling of data. Through the analysis of case studies and the application of economic models, it proposes an approach for establishing compensation that reflects the true value of shared data, promoting a balanced market environment that incentivizes collaboration and innovation.
Further of note is that the Data Act establishes minimum requirements for agreements between customers and providers of data processing services, such as cloud services, making it easier for customers to switch to other providers and providing for the phasing out of data exit fees, and requiring transparent measures regarding jurisdiction and strategies to prevent unauthorized government access to non-personal data, avoiding conflicts with EU or member state laws.
In conclusion
The Data Act is a significant step toward realizing Europe's vision of an open, secure and competitive digital single market. By facilitating the sharing and commercialization of non-personal data, it introduces new rules of the game for producers, consumers and data intermediaries, spurring innovation and creating new business opportunities.** Companies are being called upon to adapt to these changes**, preparing to navigate an evolved regulatory landscape that places the value of data at its core in an ethical and sustainable manner. As implementation dates approach, it is critical that all stakeholders actively engage to understand the implications and take full advantage of the potential offered by the Data Act.
For further discussion, David Ottolenghi, Senior Counsel, Clovers.