Dear privacy pros,

A new European regulation is coming to life this week. The Data Act was formally and overwhelmingly adopted Thursday during a plenary vote by the European Parliament. Trilogue negotiations concluded in June and this vote marks the final step of the legislative process. Once the text is published in the Official Journal, the clock will start ticking on a 20-month transition period. 

Proposed in February 2022 by the European Commission, the regulation is part of the EU Data Strategy package and is the latest to be adopted. At its core, the Data Act aims to support the emergence of a single market for data, alongside the Data Governance Act which, already in force, focuses on facilitating the voluntary sharing of data by individuals and businesses and harmonizing conditions for the use of certain public sector data. According to European statistics, 80% of industrial data is never used. The Data Act is expected to make more data available for reuse and to create 270 billion euros of additional GDP by 2028.

According to the proposal, the Data Act "ensures that users of a product or related service in the Union can access, in a timely manner, the data generated by the use of that product or related service and that those users can use the data, including by sharing them with third parties of their choice." In short, it creates new requirements to clarify who can use and access data of connected products and related services to create value.

A few highlights:

  • The Data Act applies to manufacturers of products and suppliers of related services; data holders that make data available to data recipients in the EU, and data recipients themselves; public sector bodies that request data holders to make data available under exceptional circumstances and said data holders; and providers of data processing services offering such services to customers in the EU.
  • It also applies to personal and nonpersonal data across all economic sectors, as well as the public sector.
  • It sets rights of access for business-to-consumer and business-to-business data sharing; applies a blanket requirement that data sharing be fair, reasonable and non-discriminatory; and bans unfair terms being imposed on small and medium-sized enterprises.
  • It includes a ban on obstacles to switching cloud service providers.

Some concerns inherent to the act's data sharing requirements have emerged throughout negotiations, pointing to the technical and contractual challenges of sharing data with third parties, the impact the requirements may have on businesses' appetite to innovate, and concerns related to the protection of trade secrets.

Elsewhere:

  • The EU and the Republic of Korea are launching negotiations for an EU-Korea digital trade agreement. A broad free trade agreement has been in place since 2011. South Korea received data protection adequacy from the European Commission in 2021.
  • "The Point of No Return?" Not the latest action movie, but rather the title of a recent seminar hosted by the European Data Protection Supervisor on the current state of play of the child sexual abuse material proposal.

Spoiler alert: panelists — whether regulators, legal experts, academics, industry and civil society, legislators or law enforcement authorities — agree that the proposal in its current state is not effective and not proportional. The common thread among panelists was that for the proposal to be effective and proportional, its provisions need to be completely rewritten and other measures might need to be included — such as a harmonized criminal justice approach regarding child sexual abuse crimes in member states, sufficient resources for competent law enforcement authorities, and measures supporting effective prevention. The proposal is currently under negotiations and the final report by the European Parliament's LIBE committee is expected soon.

We look forward to hosting many of you in Brussels next week at the IAPP Europe Data Protection Congress 2023.