Navigating the Data Shift: Embracing the Impact of the New European Data Act in 2024

The recently unveiled New Data Regulation heralds a transformative era in data governance, introducing a comprehensive set of rules poised to reshape how data generated by connected devices is shared and utilized.

This regulatory framework stands as a beacon of change, empowering both consumers and businesses to access and leverage their devices’ data for aftermarket and value-added services, thereby fostering a competitive data market. This paradigm shift seeks to break free from the historical model where manufacturers held exclusive control over data generated by connected products, providing them with a distinct competitive advantage.

Traditionally, data harvested from connected products remained within the purview of manufacturers, limiting consumer choices concerning aftermarket services. The New Regulation intervenes by imposing obligations on organizations to make both product data and related services data accessible to users. This deliberate move aims to democratize the data landscape, creating a more competitive market and granting consumers the freedom to make informed choices.

One of the foundational principles of the New Regulation is to clarify who can derive value from industrial data and under what conditions. It strives to establish a balance, putting users and providers of data processing services on a more equal footing regarding access to data. Unlike existing restrictions, particularly under the General Data Protection Regulation (GDPR), the New Regulation transcends personal data processing, extending its reach to encompass non-personal data.

The European New Regulation seeks to create a fair and competitive data market by facilitating the sharing and reuse of data across sectors and stakeholders. It imposes specific obligations on manufacturers of connected devices and providers of related services, mandating them to make data accessible to users and third parties, subject to certain conditions and exceptions.

A key facet of the regulation is its prohibition of unfair contractual terms, ensuring that terms unilaterally imposed and grossly deviating from good commercial practice are not tolerated. The regulatory framework provides illustrative examples, emphasizing the commitment to fostering equitable business practices.

Furthermore, it outlines a framework for making data available, free of charge, to public sector bodies in cases where an exceptional need arises for specific public interest tasks. It introduces innovative rules allowing customers to seamlessly switch between different data processing providers without undue delay or cost. Customers are also empowered to port their data and digital assets to another provider or their own infrastructure.

In addressing international dimensions, the new regulation extends obligations for international data transfers under the GDPR and the Schrems II ruling to providers of data processing services. These entities are mandated to implement appropriate safeguards to prevent incompatible or unlawful access by third governments.

For companies to adhere to data sharing requests under this regulatory landscape, the emphasis is placed on having appropriate mechanisms and policies in place. This involves the swift, secure, comprehensive, and structured extraction of data, including the necessary metadata, from connected devices. Companies are also urged to scrutinize their contracts to ensure compliance with the new regulation, mitigating the risk of terms being deemed unfair.

This regulatory paradigm shift will have a profound impact on various stakeholders, ushering in an era of enhanced transparency, accessibility, and fairness in the utilization of data. It casts a wide net, applying to a diverse array of entities across the European Union. The key stakeholders encompass manufacturers of connected products placed on the EU market and providers of related services, irrespective of their geographic location.

The New Regulation empowers the public bodies to request data from holders when an exceptional need arises for the performance of a specific task in the public interest. Simultaneously, providers of data processing services, irrespective of their geographic location, offering such services to EU customers will fall under the purview of these groundbreaking regulations.

The scope extends further to include participants in data spaces, vendors of applications employing smart contracts, and individuals engaged in trades, businesses, or professions involving the deployment of smart contracts for others in the execution of agreements. This expansive coverage underscores the comprehensive nature of the regulatory framework, striving to create a harmonized and equitable data ecosystem.

The new regulation introduces specific measures aimed at empowering users to access the data generated by their connected products. This includes the relevant metadata essential for interpreting such data. Users are granted the ability to share this data with third parties, fostering aftermarket or other data-driven innovative services. Importantly, the rules emphasizes that such data should be accessible in an easy, secure, comprehensive, and structured manner, devoid of charge, and provided in commonly used machine-readable formats.

In a bid to safeguard user autonomy and choices, the Data Act outlines that data holders must not unduly complicate a user’s exercise of choices regarding their data. This includes refraining from offering choices in a non-neutral manner or subverting and impairing user autonomy through the design, structure, function, or manner of operation of a user digital interface.

Within the framework of EU law, Chapter III of the New Regulation delineates the conditions under which data holders must make data available to recipients, alongside considerations for compensation. In the realm of business-to-business relations, the regulation stipulates that data holders should engage with data recipients to establish fair, reasonable, and nondiscriminatory terms for data availability.

Transparency is paramount in these dealings, and discrimination in arrangements for making data available among comparable data recipients is expressly prohibited. Should a data recipient perceive discriminatory conditions, the data holder is obligated to furnish information demonstrating the absence of discrimination.

Further reinforcing equitable practices, it addresses the issue of unfair contractual terms, particularly for micro, small, or medium-sized organizations. It asserts that contractual terms unilaterally imposed on such entities will not be binding if they grossly deviate from good commercial practice, rendering them unfair. These include instances where terms aim to exclude or limit liability for intentional acts or gross negligence, confer exclusive rights to determine data conformity, or inappropriately restrict remedies in cases of nonperformance or breaches.

The paramount importance of enabling customers to transition effortlessly between various cloud and edge service providers is also acknowledged in the regulations. These rules aim to eliminate impediments, whether they be pre-commercial, commercial, technical, contractual, or organizational, hindering customers from exercising their right to switch. The regulation delineates a comprehensive set of objectives, including the termination of contractual agreements after the stipulated notice period and the successful completion of the switching process. Customers are empowered to establish new contracts with different service providers offering similar services, port their exportable data and digital assets seamlessly, and achieve functional equivalence in the use of new data processing services. Furthermore, the regulation encourages unbundling of data processing services where technically feasible.

To address these challenges effectively, the data act stipulates contractual requirements that compel service providers to facilitate customer switching or porting of data and assets without undue delay. This transition, mandated to occur within 30 days after the expiry of a notice period not exceeding two months, ensures a smooth process with full support and continuity of service.

In addition to these contractual measures, the New Regulation imposes information obligations on data processing service providers. Furthermore, it establishes a framework for gradually reducing charges associated with switching to another service provider. A notable provision mandates that, after three years from the New Regulation’s entry into force, service providers must offer the so-called “exit service” to customers for free, promoting affordability and accessibility.

In summary, the European Data Act will create a comprehensive and interconnected framework that addresses the intricacies of data governance and signifies a comprehensive legal framework emphasizing fairness, competition, and responsible governance in the evolving landscape of data utilization. It addresses obligations, contractual terms, data accessibility for public interest, user flexibility, and international data transfer safeguards having the following in mind:

• New EU law focusing on creating a fair and competitive data market. Aims to facilitate data sharing and reuse across various sectors and stakeholders
• Imposes specific obligations on manufacturers of connected devices and providers of related services. Mandates the accessibility of data to users and third parties under defined conditions and exceptions
• Prohibits unilaterally imposed contractual terms that significantly deviate from good commercial practice. Provides illustrative examples to reinforce the commitment to fair and reasonable contractual arrangements.
• Sets out a structured framework for providing data, free of charge, to public sector bodies. Activated in cases where there is an exceptional need for data in specific public interest tasks.
• Introduces new rules allowing customers to switch between different data processing providers. Enables the porting of data and digital assets without undue delay or excessive costs
• Extends obligations for international data transfers under GDPR and Schrems II ruling regarding international transfers. Requires providers of data processing services to implement safeguards to prevent incompatible or unlawful access by third governments.