On 27 November, the Council of the European Union adopted the Data Act. It’s the latest of many, many new EU regulations covering – you guessed it – data.
But despite its bland name and familiar-looking subject matter, the Data Act could really shake up the EU’s digital economy. The law aims to help organizations create value from data while offering consumers new rights and setting up some security guardrails.
Here’s an overview of how the Data Act works, who it covers, and what organizations must do to comply with the law.
Data Act vs Data Governance Act (DGA)
To help put the Data Act in context, it’s worth comparing the law to its sister legislation, the Data Governance Act (DGA).
Like the Data Act, the DGA provides a framework for the sharing of data. But here’s how the DGA and Data Act contrast:
- The DGA creates rules, obligations, and processes to govern the sharing of data by companies, individuals, and public sector organizations
- The Data Act clarifies who can use certain types of data, and under what conditions
The aims of the Data Act
Among other objectives, the Data Act aims to:
- Provide a framework to help create value from data
- Grow the EU’s data-driven economy
- Enable organizations to do innovative things with data
- Make data more accessible for individuals and organizations
Another important goal of the Data Act is to drive competition in the digital services sector via “cloud switching” – making it easier to leave a cloud services provider and sign up with a new one.
Definitions in the Data Act
Here are some truncated definitions of some of the Data Act’s most important terms.
First, here’s how the Act defines various types of data:
- Data: A digital representation of “acts, facts or information…”
- Personal data: Any information “relating to an identified or identifiable natural person” (the same definition as under the General Data Protection Regulation)
- Non-personal data: Any data that isn’t personal data
- Product data: Data that is “generated by the use of a connected product” and which the manufacturer “designed to be retrievable…”
Next, here are the definitions related to Internet of Things (IoT) and other products:
- Connected product: An “item” that “obtains, generates or collects data concerning its use or environment and that is able to communicate product data…” (an IoT device)
- Related services: A digital service that is “connected with” a connected product at the point of purchase “in such a way that its absence would prevent the connected product from performing…” (software that makes an IoT device work)
- Virtual assistant: Software that can “process demands, tasks or questions including those based on audio, written input, gestures or motion…” (think Siri or Google Assistant)
And here are some of the types of people and organizations defined under the Data Act:
- Data holder: A person who “has the right or obligation… to use and make available data…” (while this definition is broad, the Data Act’s obligations apply in the context of cloud services and IoT products)
- Data processing service: A digital service that is “provided to a customer” and that “enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources…” (namely, a cloud or edge computing services provider)
- Customer: A person who has “entered into a contractual relationship with a provider of data processing services…”
- User: A person who owns or has the rights to use a connected product, or who receives related services
As mentioned, data-sharing is one of the Data Act’s main focus areas.
All parties to data-sharing must put in place “technical and organizational measures” to ensure security and data protection. The Data Act imposes further obligations on particular types of organizations.
Here are some of the obligations of “data holders”:
- If a user can’t access data directly from a connected product or service, data holders must make that data readily available in a simple, secure, and accessible way, for free, and at the user’s request (with some exceptions)
- Data holders must make data available to third parties at the user’s request. This provision aims to help users easily switch between providers of connected products
- When there is an “exceptional need” for the performance of a task in the public interest, data holders must also share data with:
  - Public sector bodies
  - The European Commission
  - The European Central Bank
  - Other EU bodies
Obligations on “third parties”, who receive data from a data holder, include the following:
- When receiving data from a data holder at the user’s request, a third party must only use the data in accordance with the conditions agreed with the user
- A third party must delete data once it is no longer needed for a specific purpose unless the user agrees otherwise
- A third party is prohibited from using data in certain ways, including:
  - Sharing the data with further third parties (unless agreed with the user),
  - Using the data to develop its own products or services,
  - Prohibiting the user from making the data available to other third parties
Finally, here are some of the Data Act’s provisions related to “cloud switching”, designed to improve customer choice in cloud services.
- Data processing services providers (cloud services providers) must enable their customers to:
  - Switch to another service provider of the same type,
  - Switch to an “on-prem” system (hosted on-site, as opposed to remotely), or
  - Switch to one or more other providers (so as to use multiple providers simultaneously)
- Data processing services providers must ensure their customer contracts include provisions that set out customers’ “switching rights”
- Data processing services providers must not put up barriers that impede a customer from switching providers. In some circumstances, providers must put technical measures in place to make it easier to switch
In late November, the Council adopted the text of the Data Act. By taking this step, the Council officially agrees with the European Parliament on the final text of the regulation.
All that remains is for the Data Act to appear in the EU’s Official Journal, at which point the law will come into force. Once that happens, organizations will have 12 months to ensure they comply with the law.