The EU Regulation on harmonized rules on fair access to and use of data (the "Data Act") has been formally adopted by the Council of the EU as of 27 November 2023 at its first reading.

The Data Act aims to fit within the larger EU framework of legislation. The Data Act aims to balance the rights and obligations of various users and actors within the digital data ecosystem. Its impact is likely to be broad as it will impact manufacturers and providers of connected products and services, including network and IoT devices, in the EU, enterprise providers, and individual users of products and services, data recipients, public sector bodies in the EU and providers of data processing services in the EU.

The Data Act seeks to achieve the following objectives, which were laid out in the explanatory memorandum:

  • Increase the quality and quantity of data accessible by consumers and businesses, while retaining incentives to generate value through data.
  • where there is an exceptional data need, mainly emergencies, provide access to bodies of data held by enterprises for public sector bodies. Though this could exceptionally be for non-emergency situations, it would need to be justified.
  • Ease the transition process from cloud and edge services which are closer to data sources, allowing for more competitive and interoperable processing.
  • Increase safeguards against unlawful data transfer, to address the concerns of non-EU/EEA governmental access to GDPR regulated personal data.
  • Assist in development of interoperability standards for data to reduce barriers for data sharing, like sectorial interoperability standards.
  • Remain consistent with the current policy framework.

The goal of the Data Act aims to position the EU with access to higher quality and more sources of data within the economy. This insufficiency was identified in the May 2021 inception impact assessment and consultation. The assessment found that the data position for Europe was restricted mainly due to lack of clarity on data rights, the imbalance of negotiating positions and less access to fair and trustworthy cloud services. Another significant limitation on the European data ecosystem is the lack of cross-section data interoperability within the EU. This had negative consequences for consumer choice, innovation, and public service delivery.

The Data Act will be published in the Official Journal of the European Union and will come into effect, 20 months after that date.

Brexit means that the Data Act will not directly apply to the UK. The UK does not seem likely to adopt copycat legislation to mirror the changes in the EU. Instead approaching the regulation of data usage by overlapping policy initiatives and legislation. For example, the Online Safety Act 2023 has some similar content regulation obligations. However, the pro-innovation AI policy and "Data Saves Lives" initiatives are more coordination of regulatory response rather than creating new legislative obligations like the EU Health Data Spaces Regulation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.