The EU Data Act: What Can Companies Expect?

Editorial Team, SEEBURGER
The new European data regulation (EU Data Act)

Every modern device collects data in some form or another — from smart home devices such as robot vacuum cleaners, smart light bulbs and fitness trackers, to networked industrial systems. However, until now it hasn’t been clearly regulated who is allowed to access and use this data. The European Union has now stepped in to create a binding legal framework to ensure both the sovereignty of data as well as the protection of privacy. The legal act was published in the Official Journal of the European Union on December 22, 2023 and took effect on January 11, 2024. After a transitional period of 20 months, it will become applicable law throughout the EU starting September 12, 2025.1 In this blog, we explain what the EU Data Act is, what it aims to achieve and what affected companies should expect.

 

What is the EU Data Act?

The “Regulation on harmonized rules for fair access to and use of data” (Data Act for short) aims to make both non-personal and personal data more readily accessible in various areas of life. As the “second pillar” of the European Strategy for data, it is intended to make better use of the economic potential of rapidly growing data volumes. The “first pillar”, the European Data Governance Act, came into force in September 2023. As a first step, it regulates the processes and structures through which data is to be exchanged. In the second step, the EU Data Act clarifies who can create value with this data and under what conditions. The obligation to pass on user data will also give small companies the opportunity to use such data to develop new business models. The transfer of data will be free of charge and take place in real time as well as in machine-readable standard formats without any loss of quality. Ultimately, the EU Data Act also supports the German government’s goal of promoting new business models, start-ups and SMEs through a more economical use of data.2

 

What does the EU Data Act entail?

The EU Data Act provides important regulations in the B2C, B2B and B2G sectors that affect the transfer of data between companies, consumers and, in certain cases, government authorities. It creates a new legal framework for the use of (I)IoT data that is collected and processed for example by sports and fitness equipment, apps, household appliances, voice assistants or connected vehicles. Such data is of particular interest not only for the development of innovative products, but also for the training of AI algorithms and consequently has a high monetary value.

 

The EU Data Act in the B2C sector (business-to-customer)

A significant part of the data collected comes from smart devices used by private individuals. But users are often not even aware that their data is being collected and processed, or to what extent. This is why the EU Data Act also addresses the question of who has sovereignty over the collected data, and how it can be protected. Legislators have clearly decided in favor of citizens’ personal rights: every person should always retain full control and decision-making power over their own data. This also applies to anonymized data that cannot be clearly assigned to a specific person. To this end, the Data Act explicitly incorporates the idea of access by design.

This also results in new obligations for the companies that handle this data: The manufacturer/provider must inform users about data access and the possibility of passing on usage data, even before the contract is concluded. Users also have the right to obtain information at any time about the type and scope of data collected when using the product. They can also ask whether the provider uses the collected data itself or whether it is passed on.

However, the EU Data Act not only deals with new contracts, but also regulates cancellation periods for existing usage contracts. This mainly affects the providers of the clouds in which the data generated via IoT devices is stored and processed. Users now have the right to terminate their contracts with these providers within 30 days. In the event of termination, the cloud provider must ensure that any necessary data transfer to another cloud provider takes place in common standard formats (cf. article 26) and complies with current security standards (so-called cloud switching). After the changeover, the old provider is also obliged to delete all collected data and metadata. Proof of deletion must still be provided. Furthermore, only reduced fees may be charged for the transfer of user data when switching providers.

The EU Data Act in the B2B sector (business-to-business)

The legislator has also tightened up the use of data in the B2B sector, i.e. between companies. With the EU Data Act, unfair contract terms are now expressly prohibited under article 13. A term is considered unfair if it deviates significantly from “good business practice” and is “contrary to good faith and fair dealing”. Examples include the limitation of liability, the exclusion of legal remedies or the granting of unilateral rights. Contracts containing such unfair terms are invalid. The EU Commission also intends to introduce additional model contract clauses at a later date in order to make it easier to avoid unfair terms. This regulation gives the EU Data Act an additional antitrust component, which is intended to promote fairness on the data market.

 

The EU Data Act in the B2G area (business-to-government)

Normally, the EU Data Act does not affect the B2G sector. However, in the event of exceptional needs or emergencies such as natural disasters or pandemics, public authorities and EU bodies may also request access to the collected data if this is in the public interest. If a company receives such a request, it is obliged to provide the authorities and other public bodies with the requested data without delay.

What opportunities does the EU Data Act offer companies?

In everyday life, companies and private individuals generate enormous amounts of data, which is often not fully utilized. Yet this data has the potential to play a decisive role in shaping the digital transformation. Large companies usually keep the data generated by their devices under lock and key, arguing the need to protect trade secrets. That way, they can continue to profit from the data without being paid, even if the networked products are no longer in their possession or active. Moreover, mega players such as Apple, Amazon and Google are usually based outside the EU and have no interest in sharing their data with European companies, even if the data was collected within the EU. This is where the EU Data Act aims to achieve a fairer distribution of the ability to make digital progress. The resulting decentralized value chains should help to open up new sources of income and business areas while enabling micro and small companies without market power or a broad user base of their own to benefit from user data collected by other companies. They can develop new, better products and services that are geared towards the actual user behavior of customers, optimize internal company processes and improve their own position through more precise market analysis.

 

What companies are affected by the EU Data Act?

The Data Act affects every company that collects and processes networked usage data, regardless of industry. This applies equally to European and non-European companies, provided they are active within the EU (“market location principle”).

Until now, manufacturers have been able to make exclusive use of the data generated when using the (I)IoT devices they offer. This is where the EU Data Act comes in, making this valuable data accessible to a broader group of interested parties. In the future, manufacturers and providers will be obliged to make the collected data available to other companies. The users of the respective devices and applications can decide for themselves who will have access to their data. This also applies to the manufacturer of the device used: Previously, they had automatic access to the usage data collected. In the future they may only use it for their own purposes if the respective user has expressly consented to this. This strengthens the rights of private individuals to their data.

Only micro and small enterprises, i.e. companies with fewer than 50 employees and an annual turnover of less than 10 million euros, are exempt from the regulation. However, this only applies if they do not have any partners or other affiliated companies that exceed this size criterion.

 

Risks of non-compliance

Companies that violate the requirements of the EU Data Act by failing to comply, or to comply fully, with their information, disclosure and forwarding obligations can be fined. As with the General Data Protection Regulation (GDPR), a maximum limit of up to EUR 20 million or up to 4% of annual global turnover (previous financial year) applies.

 

How do companies comply with the EU Data Act requirements?

The EU Data Act was published on December 22, 2023 and entered into force on January 11, 2024. As an EU regulation, the Data Act takes immediate effect in the member states without them having to implement it independently first. However, the companies affected have until September 2025 to implement the corresponding process adjustments internally. In view of the associated technical requirements and the redesign of contracts and information channels, this is a rather tight deadline. Affected companies should inform themselves at an early stage in order to implement the requirements of the EU Data Act in a legally compliant and efficient manner.

 

How SEEBURGER supports companies in implementing the EU Data Act

Under the Data Act, companies such as cloud providers must pass on data to other companies in a structured, commonly-used and machine-readable format (cf. article 26) – securely, reliably, in high quality and without delay. An integration platform such as the SEEBURGER BIS Platform with its functions for API integration and API management offers networking of applications, business partners, clouds and data in real time. SEEBURGER connectors and mappings connect endpoints quickly and easily, while the BIS Platform’s flexible process design enables the optimization of data and information flows between endpoints of all kinds. Create a secure digital foundation for seamless data exchange across your entire digital ecosystem.



Written by:

Claudia studied English and Japanese studies in Heidelberg and Tokyo. In the SEEBURGER marketing team, she is responsible for blogs, whitepapers, social media texts and anything else to do with language. Before joining SEEBURGER in 2022, she worked as the head of a trade publishing house.