Data Act

Basics and objectives

The Data Act has been in force since January 11, 2024 and will be fully applicable from September 12, 2025. The regulation aims to regulate fair access to and use of data in the European Union. The Data Act forms the second pillar of the European data strategy, alongside the existing Data Governance Act. For the first time, the regulation creates a uniform legal framework for the use of data from networked devices. The Act applies directly in all EU member states without national implementation. The regulations apply to both personal and non-personal data. The scope of application extends to all companies that process data in the EU. The regulation follows the marketplace principle regardless of the company’s registered office. The regulations are intended to make better use of the economic potential of the growing volume of data. The competitiveness of the European data market is to be strengthened. Innovation through access to data is to be promoted.

Scope of application and obligated parties

The Data Act primarily covers IoT devices and networked products that can generate data automatically. The regulations do not apply to end devices such as smartphones or tablets that require human input. In particular, manufacturers of connected products and providers of connected services are obliged to comply. The regulation is also aimed at data owners and public bodies. Cloud providers and data processing services also fall under the scope of application. The obligations vary depending on the position in the data value chain. The regulations affect the entire supply chain of networked products. Responsibilities are clearly defined. The technical requirements are specified. Interoperability is promoted. Data transparency is increased.

Data access rights and obligations

The Data Act grants users comprehensive rights of access to the data generated by their devices. Data must be provided immediately, simply and free of charge. The data must be provided in a commonly used, machine-readable format. Users can request that their data be passed on to third parties. The data quality must correspond to the internal use. Real-time provision must be technically possible. The access rights apply continuously. Data portability is guaranteed. User rights are enforceable. Data security must be guaranteed. Transparency is increased. Control lies with the user.

Technical requirements and implementation

Manufacturers must develop their products “privacy by design” and “security by design”. The technical interfaces must be standardized and interoperable. Data security must be guaranteed by appropriate measures. The systems must enable the continuous provision of data. The documentation must be complete and up-to-date. Implementation must take place by September 2026. The technical standards are developed on an ongoing basis. Interoperability is ensured. The systems must be scalable. Maintenance must be guaranteed. Updates must be provided.

Protection of trade secrets

The Data Act takes into account the protection of trade secrets and intellectual property. Derived and processed data are excluded from the right of access. The use of data for competitive products can be restricted. Non-disclosure agreements remain effective. Intellectual property rights must be protected. A balance is struck between access and protection. Investments are protected. Innovation is promoted. Competitiveness is maintained. Rights are respected. Interests are balanced. The boundaries are defined.

Sanctions and enforcement

Violations of the Data Act can be punished with substantial fines. The penalties can amount to up to 20 million euros or 4% of annual global turnover. Enforcement is carried out by national supervisory authorities. Cross-border cooperation is coordinated. The sanctions have a preventive effect. The controls are carried out systematically. Complaints mechanisms are established. Law enforcement is effective. Compliance is monitored. Violations are prosecuted. Cooperation is intensified. Effectiveness is evaluated.

Practical implications and outlook

The Data Act will fundamentally change the data economy in Europe. Companies will have to adapt their systems and processes. The implementation costs can be considerable. The opportunities from data access outweigh the risks. Innovation is promoted through data availability. Competitiveness is strengthened. Digitalization is accelerated. The data economy is developed. Standardization is driven forward. Legal certainty is increased. Future viability is secured. The European data economy is strengthened.