The rapid advancement of technology, with the proliferation of smart devices, social media platforms, and cloud-based services, has brought about a myriad of challenges when it comes to data privacy and protection. Our personal data is constantly being collected, processed, and shared, often without our explicit consent or understanding. Furthermore, the rise of big data analytics and artificial intelligence has raised concerns over the potential misuse of personal information, including discrimination, manipulation, and the erosion of individual privacy rights. Enter the European Data Act (the “Act”), groundbreaking legislation that aims to revolutionize data governance and privacy protection across the European Union. In this article, we explore the impact of these regulations on data access, privacy-preserving technologies, and the future of data management, covering in particular:
- The current data privacy landscape
- The Act: a paradigm shift
- The Act and differential privacy
- Implications and future developments
- Conclusion
The Current Data Privacy Landscape
While existing regulations, such as the General Data Protection Regulation (GDPR), have laid the foundation for data privacy and protection, the ever-evolving digital landscape demanded a more comprehensive and forward-looking approach. On 27 November 2023, the Council of the EU formally adopted the Act, following the European Parliament’s endorsement of November 9, which concluded the EU legislative process.1
The Act came into force on 11 January 2024. From 12 September 2025 onwards, most of its rules will begin to apply, though some will take effect later.2 The Act requires entities to make data, including non-personal data, accessible to other parties so that it can be re-used for new purposes.
As mentioned in our previous article, “Which and how privacy preserving technologies can help to share data safely in light of the new Data Act?” the path leading to the adoption of the Act has its roots in the European Union’s acknowledgment that over 80% of industrial data remains untapped due to the absence of a suitable framework regulating its access.3 Consequently, the European Union has introduced the Act as a pivotal component of its data strategy, aiming to grant access to data generated by all interconnected devices.
The Act: a paradigm shift
The scope of the Act
The Act covers both personal and non-personal data collected by connected devices (connected products and/or their components), distinguishing between product data and related service data from which readily available data can be derived. It will apply to a variety of entities, including:
- manufacturers of connected products
- suppliers of related services
- “data holders” that have the right or obligation to use or make data available
- providers of data processing services
The Act sits alongside a growing cast of existing and planned EU data-related laws, such as the GDPR, the Data Governance Act, the proposed European Health Data Space, and the Digital Markets Act.4
What are its obligations?
As mentioned in our previous article: “Which and how privacy preserving technologies can help to share data safely in light of the new Act?” the Act imposes a range of obligations, including:5
- Obligations for manufacturers to design their products so that data generated or captured by those products are available to users of the product for free and ideally directly.
- Obligations for service providers to allow their users to access, reuse, and share data collected through their products and related services free of charge.
- Rights to allow access to data by third parties upon the user’s request or for legal obligations, including readily available data and relevant metadata.
- Measures regulating contractual terms in data sharing contracts between parties, such as data holders and users or third parties.
- Furthermore, the Act establishes standards to facilitate the transition between cloud service providers and other data processing services, eliminating pre-commercial, commercial, technical, and organizational barriers.
- Finally, mechanisms for public bodies to access private-sector data in case of public emergencies.
The new obligations may require organizations to plan for making previously proprietary data accessible to users and to roll out new contracts that are Act-compliant (please see sections below). They will also apply to a broad range of products generating “non-personal data” – for example, industrial and commercial machines sold business-to-business – which were previously largely unregulated under EU data laws but will now need to be re-assessed.6
When will the Act come into force?
The Act will become enforceable from September 2025 onwards. The access requirement will apply to connected products and related services placed on the market after 32 months from the Act’s date of entry into force – i.e., mid-2026.7
Although the Act will not be enforceable for some time, organizations should begin assessing their compliance strategies and evaluate the adoption of privacy-preserving technologies (PPTs) well in advance of the enforcement deadline, as the new obligations may require significant time to plan and roll out technical solutions.
Key differences between the Act and the GDPR
Despite both being data-related legislation, the Act and the GDPR have some key differences. While the GDPR focuses solely on personal data protection, the Act takes a broader approach by regulating access, sharing, and use of both personal and non-personal data generated by connected products and services. The Act serves as the industrial counterpart of the GDPR. In particular:
- Scope and data covered: the GDPR regulates personal data, which is any information relating to an identified or identifiable natural person, while the Act applies to both personal and non-personal data, including almost any type of digitized information, whether anonymous or not.8
- Data portability rights: the GDPR introduced the right to data portability for individuals, but this right is limited to personal data. The Act expands on this by granting users the right to access and share both personal and non-personal data generated by connected products or related services.9
- Data sharing obligations: the GDPR does not impose direct obligations on companies to share data with third parties, while the Act requires data holders (e.g., manufacturers) to make data available to users and share it with third parties upon the user’s request, subject to certain conditions.10
- Public sector data access: the GDPR does not provide mechanisms for public authorities to access private sector data, while the Act outlines circumstances and procedures for EU public institutions to access certain types of data held by private entities in emergencies or for legal mandates.11
The Act and differential privacy
What is the Act’s impact on privacy?
The Act introduces several provisions impacting privacy; it incorporates robust safeguards to protect user rights and ensure responsible data handling. Here are some key impacts on privacy:
- Expanded data portability rights: as we have seen above, the Act grants users the right to access and share data generated by their use of connected products and related services. This expands data portability beyond personal data covered by the GDPR, empowering users to control and share non-personal data as well.12
- Consent and control over data sharing: users must provide explicit consent for data holders (e.g., manufacturers) to share their data with third parties.13 This enhances user control over how their data is shared and used, aligning with privacy principles.
- Data minimization and privacy by design: the Act emphasizes data minimization, requiring parties to only process data necessary for specific purposes. It mandates privacy by design and default, with technical safeguards like pseudonymization and encryption to protect user rights.14
- Contractual fairness and transparency: the Act prohibits unfair contractual terms that undermine user rights or data protection obligations. It requires clear and transparent information about data processing and sharing practices.15
- Limitations on international data transfers: the Act restricts international transfers of non-personal data to prevent unauthorized government access outside the EU. This aims to protect the confidentiality and privacy of data shared under the Act’s provisions.16
- Balancing data sharing with trade secrets: the Act allows data holders to protect trade secrets and intellectual property when sharing data. This safeguards the privacy and confidentiality of sensitive business information.17
How might the Act influence the adoption of differential privacy?
While the Act itself does not explicitly mandate the use of differential privacy, the increased emphasis on data sharing, privacy protection, and the need for privacy-preserving technologies (PPT) creates an environment where differential privacy could potentially play a more prominent role in enabling compliant and secure data sharing practices in the following ways:
- Increased data sharing needs robust privacy protection: by facilitating increased data sharing and access across the EU, the Act heightens the need for strong privacy safeguards to prevent re-identification risks when combining datasets. Differential privacy enables secure data sharing while providing robust privacy guarantees.18
- Extending privacy scrutiny to non-personal data: the Act covers both personal and non-personal data, suggesting that non-personal data may require similar privacy protection scrutiny as personal data under the GDPR. Differential privacy techniques could be applied to non-personal data sharing to maintain individual privacy.19
- Promoting PPTs: the Act and the broader EU data strategy emphasize the importance of PPTs in enabling privacy-preserving data sharing within the envisioned common European data spaces.20
Implications and future developments
How do businesses need to adapt their data classification strategies under the Act?
Businesses will need to adapt their data classification strategies in several key ways to comply with the Act:
- Distinguish between personal and non-personal data: the Act regulates access and sharing of both personal and non-personal data. Companies must clearly delineate which data falls under the GDPR (personal data) and which falls under the Act (non-personal data).21
- Identify “product data” and “related service data”: the Act introduces new categories of “product data” (data from connected products) and “related service data” (data from services related to those products). Data classification must account for these new categories to determine data-sharing obligations.22
- Assess data-sharing requirements: classify data based on whether it must be made available to users and shared with third parties upon request. Identify any data exempted from sharing due to trade secrets, intellectual property, or cybersecurity reasons.23
- Enable data portability and interoperability: classify data in a way that facilitates portability to other providers in common, machine-readable formats. Ensure data is structured and formatted to meet interoperability standards for data spaces and sharing.24
- Review data processing agreements: assess existing data processing and sharing agreements to identify provisions that may conflict with the Act’s fairness requirements. Classify data subject to these agreements to renegotiate terms if needed.25
- Implement data governance processes: establish robust data governance frameworks to ensure proper classification, protection, and controlled sharing of data under the Act. Define clear roles, responsibilities, and processes for data classification and management.26
Potential challenges companies might face when complying with the Act
In light of how businesses must adapt, companies may face several potential challenges when complying with the Act:
- Data sharing obligations: determining what data needs to be shared and with whom can be complex, especially for companies dealing with sensitive or proprietary data. Ensuring data is provided in the required formats and adhering to interoperability standards may require significant technical investments. Balancing data-sharing requirements with the protection of trade secrets and intellectual property rights poses legal and operational hurdles.27
- User rights and data portability: implementing robust mechanisms to facilitate user access, data portability, and third-party data sharing can be technically and logistically challenging. Ensuring compliance with data protection regulations like GDPR while enabling data sharing and portability adds complexity.28
- Contractual fairness: reviewing and potentially renegotiating existing data-sharing agreements to comply with the Act’s fairness provisions can be resource-intensive. Negotiating new agreements with third parties under the Act’s guidelines may require legal expertise and bargaining power, particularly for smaller companies.29
- Compliance and enforcement: understanding and adhering to the Act’s various requirements, exemptions, and sector-specific rules can be a significant undertaking, especially for companies operating across multiple industries. Potential hefty fines and penalties for non-compliance necessitate robust compliance programs and risk assessments.30
- Technical and operational adjustments: redesigning products, services, and data processing systems to enable data accessibility and portability by default may require substantial investments. Adapting business models and processes to accommodate data-sharing obligations can disrupt existing operations and revenue streams.31
- Public sector data access: establishing procedures and safeguards for responding to public sector data access requests during emergencies or exceptional circumstances can be challenging. Ensuring the protection of sensitive data while complying with such requests requires careful risk assessments and legal guidance.32
Conclusion
By promoting data sharing and access, the Act aims to foster innovation and competition within the European Union. This groundbreaking legislation will provide startups and small businesses with greater opportunities to leverage data for developing new products and services. Furthermore, it is expected to drive the development of innovative data-driven business models, enabling companies to monetize their data assets while respecting privacy and intellectual property rights.
As technology continues to evolve rapidly, the Act will need to adapt to address emerging challenges and opportunities. Key areas of focus may include Artificial Intelligence (AI), the Internet of Things (IoT), and Blockchain. Addressing these cutting-edge technologies will be crucial to ensure the Act remains relevant and effective in the ever-changing digital landscape.
The Act is also poised to have a significant global impact, influencing data governance practices and policies beyond the borders of the European Union. As businesses and organizations strive to comply with these new regulations, there is likely to be a push for greater harmonization of data protection laws across different jurisdictions. International cooperation and collaboration will be crucial in ensuring a consistent and coherent approach to data governance, promoting cross-border data flows while respecting individual privacy rights.
The Act represents a bold and ambitious step toward a more equitable and privacy-conscious digital future. By striking a delicate balance between data sharing, innovation, and user rights, this groundbreaking legislation has the potential to reshape the data landscape, fostering economic growth while safeguarding individual privacy.
2 Cooley, “The European Data Act,” 22 December 2023, Cooley, https://cdp.cooley.com/the-european-data-act-new-rules-for-a-new-age/
3 What does the new EU Data Act bring to companies, innovators and Europeans? https://multimedia.europarl.europa.eu/en/video/what-does-the-new-eu-data-act-bring-to-companies-innovators-and-europeans_N01_AFPS_231303_DATA
4 See note 1
5 Roschier, “The new EU Data Act enters into force in January 2024,” 2 January 2024, https://www.roschier.com/newsroom/the-new-eu-data-act-enters-into-force-in-january-2024/?post_date=20240103091209
6 See note 1
7 See note 1
8 Nicole Bonnet, “The EU Data Act,” 30 August 2022, Lexology, https://www.lexology.com/library/detail.aspx?g=cb288792-b02f-4d06-a56b-a29785a6e0b0
9 Morgan Lewis, “The EU Data Act,” 5 December 2023, https://www.morganlewis.com/pubs/2023/12/new-eu-data-act-impact-on-data-flows-within-and-outside-the-eus-borders
10 CMS Law Now, “Disharmony between EU Data Act and GDPR,” 1 December 2023, https://cms-lawnow.com/en/ealerts/2023/12/disharmony-between-data-act-and-gdpr
11 See note 9
12 See note 9
13 Rosa Barcelo, “Shaping the digital future,” 8 February 2024, MWE, https://www.mwe.com/insights/shaping-the-digital-future-the-newly-adopted-eu-data-act-and-its-impact/
14 Utimaco, “The EU Data Act,” 17 May 2024, https://utimaco.com/news/blog-posts/eu-data-act-and-its-impact-your-data-security
15 See note 9
16 See note 9
17 See note 13
18 Dpella, “Towards a European Data Economy,” https://www.dpella.io/post/towards-a-european-data-economy-a-quick-overview-of-eu-data-acts-and-eu-common-data-spaces
19 See note 14
20 See note 18
21 Gernot Fritz et al., “A Game Changer in Data Regulation,” 26 February 2024, Freshfields, https://technologyquotient.freshfields.com/post/102j0a8/a-game-changer-in-data-regulation-the-eu-dat
22 See note 9
23 Andre Walter, “EU Data Act,” 11 January 2024, Pinsent Masons, https://www.pinsentmasons.com/out-law/news/eu-data-act-entering-into-force-should-spur-business-action
24 Norton Rose, “The EU Data Act,” March 2022, https://www.nortonrosefulbright.com/en/knowledge/publications/62517353/the-eus-data-act-capstone-of-the-eu-data-strategy
25 See note 23
26 See note 21
27 See note 5
28 See note 13
29 Meredith Broadbent, “The EU Data Act,” 29 June 2023, CSIS, https://www.csis.org/analysis/eu-data-act-long-arm-european-tech-regulation-continues
30 See note 5
31 See note 13
32 See note 13