AI

The new European Data Act: Overview

Hypatos Team
April 23, 2024
10
min. read

The European Commission's recent initiative, the European Strategy for Data, represents a significant step towards creating a unified market for data within the EU.

Shift your operation teams to high-value tasks
By enabling Autonomous Finance
Free test demo

Among its key components is the Data Act, a legislative framework designed to regulate the use of data generated through connected devices and promote fair and innovative data practices across various sectors. With its final text approved in November 2023, the Data Act is poised to impact businesses that utilize, collect, or manage data within the EU. Whilst the EU Data Act entered into force on 11 January 2024, applicability starts on 12 September 2025.

Scope of application

The EU Data Act obliges "data holders" (defined as natural or legal persons, e.g. people and companies) to share personal and non-personal data that is obtained, generated, or collected from data recipients (defined as natural or legal persons to whom data holders make data available to non-users for commercial purposes), by "connected products," "related services" and "virtual assistants”.

The Act has three central focuses :

  1. Remove obstacles to the process of switching between providers of “data processing services” and the portability of data generally;
  2. Increase interoperability of data and data services; and
  3. Increasing accessibility to data generated by “connected products” and “related services”

The EU Data Act has an extraterritorial scope. It applies, regardless of the place of establishment, to a variety of entities :

  • Manufacturers of connected products - e.g. connected cars, smart-home devices, medical devices, and providers of related services, where such products and services are placed in the market in the EU.
  • Users of connected products or related services in the EU.
  • Public sector bodies of EU member states or institutions, agencies or bodies of the EU that request data holders to make data available in case of exceptional needs (e.g. public emergencies).
  • Providers of data processing services - in particular cloud-services such as SaaS, PaaS, IaaS as governed by the EU Cloud Strategy, and edge service providers as included in the European strategy for data - providing such services to customers in the Union.
  • Participants in data spaces, vendors of applications using smart contracts and persons whose trade, business or profession involves the deployment of smart contracts for others.

Key Provisions of the Data Act

  • Data access. Upon request by a data recipient, the data holders must provide access to certain data.
  • Data sharing with third parties. Data holders are obliged to make data available to third parties under data sharing contracts.
  • Data sharing with public sector bodies. Data holders are obliged to make data available to public bodies in case of public emergencies.
  • Design requirements and transparency. Obligations for manufacturers to design their products so that data generated or captured by those products are available to users of the product for free and ideally directly.
  • Unlawful international governmental access and transfer. To prevent international and third-country governmental access and transfer of non-personal data held in the EU that could create a conflict with EU law.

Relationship with GDPR

Unlike the GDPR, which is limited to personal data, the EU Data Act applies to both personal data and non-personal data, which means that its scope of application is broader.

However, any processing of personal data must still comply with the General Data Protection Regulation (GDPR). Consequently, businesses must ensure that their data processing activities adhere to the principles and stipulations outlined in the GDPR.

Conclusion

The European Data Act represents another milestone in the EU's efforts to regulate data sharing and promote responsible data practices. By gaining a thorough understanding of the Act's provisions and implications, businesses can ensure compliance and foster a culture of transparency and accountability in the digital age.

Given the novelty of the Data Act, it is important to note that practical case law is yet to emerge. There are many uncertainties, and more details will be clarified until September 2025. Consequently, we are poised to closely monitor its implementation and observe how its provisions are applied in practice and how exactly they can affect us at Hypatos.

For more detailed information, the Data Act can be reviewed here.

If you have any questions, our Legal team is at your disposal - legal@hypatos.ai.



[1] O'Keeffe, E. & Ellis, M. (2023, December 20). Final text of the EU's Data Act approved. TechLaw. Click here!
[2] Anania S. & Robersts A. (2024, March 11). Navigating the European Data Act: Key Provisions, Changes, and Challenges. Kennedys Law. Click here! 
[3] Anania S. & Robersts A. (2024, March 11).Navigating the European Data Act: Key Provisions, Changes, and Challenges.Kennedys Law. Click here!
Unleash the potential of your people and business

Dial up results for any team with autonomous document processing

Further stories from our blog