Seize the power of data with the EU Data Act

The Data Act: encouraging fairness, access and innovation

What does the Data Act do?

The Data Act supports the European Commission’s data strategy. It aims to create an inclusive and fair data market by: 

• making data more accessible and usable

• promoting data-driven innovation and competition

• providing legal clarity on the use of specific data types

• giving users greater control over the data their connected products generate

• introducing fair contractual terms

• safeguarding for international transfers

• supporting public sector data use and sharing for emergencies

• setting minimum regulatory requirements for cloud switching

Does the Data Act apply to my business? 

The Data Act applies to parties associated with connected products and related services: 

• manufacturers and providers

• users

• data holders

• data recipients

• public sector bodies and institutions

• participants in data spaces

• smart contract vendors

The Act has an extraterritorial effect; it applies to entities who operate and manage connected products or related services in the EU, even if those entities are located outside the EU.  

What are the key elements of the Data Act?

1. Enabling fair business-to-business and business-to-consumer data sharing

The Data Act enables users to access the data they co-create and generate using connected products and related services, ensuring transparency and fairness in data sharing between businesses and consumers. 

It applies to both raw and pre-processed data, and defines limitations on the use of the data to protect users' rights and to promote equitable data practices.

2. Setting rules around mandatory business-to-business data sharing

The Data Act introduces scenarios where a business (data holder) has a legal obligation to make data available to another business (data recipient). In addition, it allows data holders to request reasonable compensation for making data available to the data recipient. This chapter applies to all data, both personal and non-personal, held by a business.

3. Protecting against unfair contractual terms

The Data Act aims to protect all EU businesses seeking to acquire data particularly SMEs against unfair contractual terms. It establishes a list of terms considered to be unfair and terms presumed to be unfair. All data (both personal and non-personal) are in the Act’s scope.

4. Governing business-to-government data sharing

The Act permits business-to-government data sharing where an exceptional need exists, such as in public emergencies and certain non-emergency situations. In such cases, public sector bodies can access data to perform a task in the public interest. 

Where requests are made, strict principles and conditions must be followed. This applies to all data, with a focus on non-personal data. If personal data is needed, it should be anonymised.

5. Making it easier to switch between data processing services

The Data Act includes measures to ensure customers can switch from one data processing service provider (‘source provider’) to another (‘destination provider’) smoothly and efficiently. And switching charges will be removed from 12 January 2027. 

The Act defines the minimum requirements for the content of cloud contracts, in a chapter applying to data processing services providers.

6. Preventing unlawful third-country government access

When it comes to preventing unauthorised third-country governments from accessing or transferring non-personal data held in the EU, the Data Act conforms to the Data Governance Act. It creates rules and safeguards for access requests by a foreign public sector body to non-personal data. It applies to non-personal data held in the EU by a provider of a data processing service.

7. Enhancing interoperability

The Data Act focuses on enhancing interoperability among data processing systems and platforms. It establishes essential requirements, including measures such as smart contracts. 

It also lays out requirements for vendors of smart contracts for the automated execution of data-sharing agreements. This applies to users of data spaces who offer data-based services and participate in data sharing within those areas.

Timeline -  important dates to consider

The Act was published in the EU’s official journal on 22nd of December 2023 and entered into effect on 11th January 2024. Other key dates include: 

• 12 September 2025  - organisations need to comply with the requirements of:

  • Chapter III (Rules on mandatory business-to-business data sharing);  and 

  • Chapter IV (Unfair contractual terms) for contracts concluded after 12 September 2025.

• 12 September 2026 - the obligations stemming from Article 3(1) (Obligation to make product and service data accessible to the user) shall apply to connected products and the services related to them placed on the market after 12 September 2026.

• 12 September 2027 - organisations will need to comply with Chapter IV (Unfair contractual terms) for contracts concluded on or before 12 September 2025 under certain requirements.

Take these key steps in your Data Act journey:

1. Understand your role.

Organisations need to understand their role and responsibilities under the Data Act. This includes identifying whether they are data holders, data recipients or both, and understanding the specific obligations associated with each role.

2. Review your product designs.

Evaluate current product designs to facilitate data access and sharing. This involves assessing how products generate, store and transmit data, and then identifying necessary modifications to meet the Act’s requirements.

3. Develop your policies.

Define and implement policies that align with the Data Act’s provisions. The policies should cover data access, sharing and protection, and should be developed on a detailed mapping of the Act’s requirements. 

4. Review your contract terms.

Review and update your contract terms related to data sharing and user agreements. Ensure contracts comply with the Act’s standards for transparency, fairness and data portability.

5. Evaluate cloud service practices.

In-scope cloud service providers should review their technical specifications, contracting practices and transparency requirements to ensure compliance with the Data Act. 

In addition, facilitating easier switching between providers and meeting new data portability standards.

6. Review your data governance.

Evaluate key aspects of your data governance policies and procedures to ensure compliance with the Data Act. 

Ensure operations regulate how data is used and shared. Focus on data integration and interoperability by enabling seamless data portability and integration across systems while maintaining compliance with security and privacy requirements.

We are here to help you

Complying with the EU Data Act enables your organisation to harness the full potential of data for innovation, growth, and fostering a fair and transparent data economy.

PwC Ireland’s team of trusted independent advisors has the experience to help you navigate and fulfil your obligations under the Data Act. 

Contact us for support tailored to your organisation's needs.