The EU Data Act aims to provide a regulatory framework to govern and make easier the sharing, use and re-use of internet of product-generated data. It also aims to make it easier to switch between cloud providers.

Is the text of the law finalised yet? When will it apply?

No, the law is still going through the EU legislative process but we expect it to be finalised during 2023 and then enter into force 24 months thereafter.

Who does it apply to?

The EU Data Act primarily applies to manufacturers, suppliers and users of IoT devices/related services. It also applies to “data holders” that make data available to data recipients in the EU, public sector bodies in certain situations and data processing services providers. It also applies to cloud service providers.

What are the key obligations?

Data holders (i.e. the manufacturer/service provider with initial control of the IoT data) must give users (i.e. the owner or renter of the IoT product) readily available access to the data generated about them.

There are complicated restrictions on how IoT data may be used by third parties.

Cloud providers will be subject to a range of obligations to help users switch to another provider, including a right for customers to terminate on 2 months’ notice (exact period currently being debated). They must also take technical measures to safeguard against non-EU governmental access that may conflict with EU laws to IoT data that they hold.

There are also provisions relating to minimum standards for interoperability for operators of European Data Spaces and minimum standards for smart contracts used for data sharing.

Does the UK have anything similar?

Not specifically, but Part 3 of the UK Data Protection and Information Bill (the Bill) (which is subject to further change) sets the ground for regulations analogous to the EU Data Act. For example, the current draft of the Bill enables the Secretary of State to pass regulations which enhance competition between companies by facilitating the sharing of both customer and business data.

What are some of the commercial impacts of the EU Data Act?

Data holders that are obliged to make data available to data recipients will need to consider what data is in scope.

Businesses providing B2C or B2B IoT data access will need to understand what provisions they should (and are permitted to) include in their data access contracts in order to protect their own IPR.

Cloud service providers will need to repaper existing contracts to meet the new requirements.

Latest insights

Artificial Intelligence Regulation

Artificial Intelligence Regulation

The EU is planning on formally regulating AI systems to make sure that they are safe, respect laws on fundamental rights and help investment and innovation in AI.

Global | Publication

Data Governance Act

Data Governance Act

The EU Data Governance Act aims to promote sharing and re-use of public sector data and to encourage data altruism.

Global | Publication

Digital Markets Act

Digital Markets Act

The Digital Markets Act places obligations on large online platforms to increase competition and boost innovation.

Global | Publication

Digital Services Act

Digital Services Act

The Digital Services Act places obligations on digital services that connect consumers to goods, services and content.

Global | Publication

NIS2

NIS2

The EU and the UK are amending their laws around network and information security to protect against cyber-attacks.

Global | Publication

Online Safety Act

Online Safety Act

The Online Safety Act (OSA) places obligations on online ‘user-to-user’ (U2U) services and search services to take steps to control and monitor the content published on their platforms.

Global | Publication



Subscribe and stay up to date with the latest legal news, information and events . . .

Subscribe now