Six years after the European Regulation 2016/679 on the protection of personal data (“GDPR”) came into force, the European Union has just adopted a new regulation targeting a better distribution of the value generated by the use of data between players in the digital economy.

Entered into force on 11 January 2024, in only 22 months, Regulation 2023/2854 regarding the harmonized rules on fair access to and use of data (Regulation on Data or “EU Data Act”) aims at broadening the scope of Europe’s digital sovereignty, beyond the boundaries of personal data alone.

Acknowledging Disempowerment?

Launched in February 2022 under the French presidency of the European Union, formal negotiations aimed at tackling the challenges of the Internet of Things (“IoT”) and cloud computing industry, which produce tremendous quantities of personal and non-personal data, and whose economic value is currently regulated by the limited number of dominant players.

By removing certain obstacles to the portability of the underlying data, the EU Data Act purports to stimulate the development of a fair data economy within Europe and a rebalancing of the current state of play among competitors.

Fostering Businesses Through Data

The EU Data Act defines what “data” really is for the first time. Indeed, while “personal data” has been a mainstay of European law for over 30 years (defined as “any information relating [directly or indirectly] to an identified or identifiable natural person”), data is now also defined as “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording.”

At first, the definition of “data” seems materially narrower than personal data. Whilst the latter might be derived from data processing carried out on digital platform or paper, data as put forward by the EU Data Act is exclusively digital.

Moreover, the EU Data Act’s affirmation that “data” is either an “act”, a “fact”, or an “information” implies that it is only a state and, as such, not open to appropriation by intellectual property law (without prejudice to any rights in the database in which it is included, or to the secret nature of the data).

Consequently, since data can be the property of neither the service provider nor the customer, its ownership and control can only be governed by contract.

The EU Data Act’s Key Players

The EU Data Act covers a large spectrum of players in the data economy:

• Manufacturers and suppliers: any company which produces or sell “Connected Products” (such as connected thermostats or lights) distributed within the European Union’ market, or which offers “Related Services” (such as mobile applications allowing the display of data generated by connected products) is subjected to the EU Data Act.
• Users: any natural or legal person using Connected Devices and Related Services within the EU benefits from the rights contained in the EU Data Act, enabling them not only to access the data generated by their Connected Devices, but also to have this data transferred to a new service provider.
• Suppliers of data processing services: companies storing, processing or generating data on behalf of others in the EU (such as data hosts or cloud computing services) are also concerned.

While certain exemptions have been established for micro and small businesses, the latter also benefit from a favorable regime, notably in the context of their contractual relationship with larger suppliers, with a view to compensate contractual negotiations.

The New Rules of the EU Data Act

The EU Data Act imposes various obligations to the above-mentioned stakeholders, seeking to empower them, notably through reinforced transparency, to promote fair competition in the data market.

• Transparency: manufacturers and suppliers are mandated to provide users with clear and thorough information on the data collected by their Connected Products and Related Services, such as the nature and volume of the data collected, how it is used, and users’ rights in terms of data access and control.
• Data access: in a stark parallel with GDPR’s data portability right, users are also granted a right to access data generated by their Connected Products and Related Services. These data must be delivered in a commonly used, machine-readable format, enabling users to download and analyze them effortlessly. As with GDPR, this right of access and portability aims at allowing the transfer of the data history to a new provider without excessive costs. Concurrently, the EU Data Act lays down new interoperability requirements to give full effect to these transfer possibilities between service providers.