The EU Data Act: What does it mean for you?

You are sitting on a goldmine.

Your data is digital gold and understanding how it can be used and drive innovation creates the true value of the data available to us.

The European Commission has recently introduced multiple regulations to standardize digital transformation. A key element is the Data Act, which seeks to harmonize the access to and use of data within the EU. This will establish a framework for data sharing, impacting individuals and organizations. The act defines which citizen-generated data can or even must be shared with businesses and social authorities. It will lead to a bright field of opportunities for innovations and collaborations but could also be considered as a double-edged sword.

To promote growth and competitiveness of the EU's digital economy the European Commission introduced the data economy strategy in 2018. The aim was to create a single market for data, also called data space, while ensuring an ethical and responsible use of data. After the Data Governance Act, the Data Act represents the second pillar that creates the framework for the common European data space (Figure 1).

Figure 1: Concepts and regulations of European data strategy

The Data Act aims to promote fair data access and use, boost data’s economic value, encourage innovation, and maintain individuals’ control over their data. One of the key aspects is the implementation of different data sharing concepts which will become applicable in 2024 (Figure 3). The Commission estimates ~80% of European industrial data is unused and the regulation will create additional GDP of €270 billion by 2028. This article references the most recent draft of the Act dated 7 July 2023 (Figure 2).

Figure 2: Key milestones of the Data Act

What does the Data Act involve?

Figure 3: Defined actors which are subject to the Data Act

The Data Act defines three actors in relation to the use and sharing of data (Figure 3). To create additional value from data, the framework specifies the data to be considered, along with the conditions and procedures for three types of data sharing processes: business to consumers (B2C), business to business (B2B) and business to government (B2G) (Figure 4). To ensure the harmonization of the processes, general interoperability guidelines are provided, as well as individual obligations and restrictions for each process and the related parties:

Figure 4: Concepts behind different data sharing processes

1. Business to consumers (B2C):

The Act focuses on machine-generated “data,” which is intentionally or unintentionally collected by a “connected product” (often referred to as Internet-of-Things (IoT) product) or “related services” following a user action (Figure 5). A data holder is obliged to grant users’ access to generated data. For instance, users may ask for access of data produced by a car during its operation (Figure 6). The control of users is even going further as data holders are obliged to conclude contractual agreements for the use of non-personalized data, for example surrounding temperature data.

Figure 5: Classification of connected product, related service and data

2. Business to business (B2B)

Following the regulations users are entitled to share their own created data with a third party for predetermined purposes, except for competition objectives. If a user decides to share the data with a third party/data recipient, data holders are obliged to make the data available under fair, reasonable, and non-discriminatory terms. To protect the data and prevent unauthorized access participants are obliged to arrange for appropriate technical protection measures. In addition, if the data holders or user discover data misuse, they may require data recipients to delete the data and discontinue the use.

As data holders will potentially face additional costs to make the data available, “reasonable compensation” must be agreed upon for the B2B data sharing processes, considering data volume, format, and nature. Small or medium enterprise are granted specific exemptions for this compensation.

A practical application of this would be if car users grant permission to insurance companies for data generated by using a car. Based on these, an insurance firm might incentivize safe driving by providing discounts to policyholders. (Figure 6).

Figure 6: Example of car related data sharing

3. Business to government (B2G)

While the Data Governance Act already enables voluntary data sharing with public institutions, the Data Act goes further by mandating data holders to provide “necessary data” to authorities in situations of exceptional need, such as responding to, mitigating, or recovering from a public emergency. If data is needed to respond to a public emergency, it must be provided free of charge, whereas compensation can be claimed if it is used for mitigation or recovery.
Under certain criteria, the public sector can also request data to fulfill a lawfully required task in the public interest, such as statistics. Also here, data holders may be entitled to claim compensation.
For all B2G cases, the requested data cannot be used in a manner incompatible with the initial purpose. But, within the B2G process, data is not limited to IoT products or services, “any digital representation of acts, facts, or information” can be requested. For instance, during a natural disaster, social media companies could provide geolocation data to help identify at-risk individuals.

Besides defining the sharing processes the legislation will also affect data processing service providers, for example cloud service providers, as it describes contractual and technical aspects to switch between providers. This grants more flexibility to customers, should boost competition but creates challenges for providers. Precisely, providers shall ‘not pose obstacles’ related to themselves, which prevent customers from switching to competitors. Service providers have a responsibility to ensure “functional equivalence,” which entails offering support to ensure that customers receive a “materially comparable outcome” from the new provider. This reduces strong dependencies companies may have with a single cloud provider.
Furthermore, data service providers are also affected by data protection mechanism within the regulation. Providers need to prevent international and third-country governmental access to, and transfer of non-personal data stored within the EU. To ensure this, data service providers must “take all adequate technical, legal, and organizational measures, including contractual arrangements.”

How does the Data Act impact industry?

The regulation may have significant impact across sectors, with opportunities for innovation and collaboration, but also potential challenges and risks related to data sharing.

Consumer:

The majority of data holders will operate in the consumer sector. Depending on their digital infrastructure, IoT manufacturers will undergo extensive procedures to comply with all technical obligations. Modern vehicles, for instance, collect information on usage trends, fuel efficiency, and tire wear while used. Users are entitled to request this data and share it with third parties. For manufacturers, this data represents a digital asset usable to improve products or services. Conversely, manufacturers have the advantage to collaborate and collaboratively produce a personalized product for customers.

Financial services:

Businesses within the financial industry are primarily allocated as data receivers. Banks can leverage shared data to enhance risk assessments, customer experience, revenue streams and efficiency. For instance, a bank could offer travel insurance or foreign currency exchange services to a customer who frequently travels abroad.

Government & Public Services:

The public services sector, with its special position, could also generate advantages. Data collected by public transportation systems could be used to increase reliability. However, citizens of the EU could be worried about B2G sharing processes, especially as it goes beyond IoT related data.

Energy, Resources & Industrials:

The energy sector could use data to optimize energy usage and reduce waste. For example, a start-up could request users to share data from sensors in buildings. In return, they can provide an app to monitor and optimize use of heating, cooling, and lighting systems of users.

Life Sciences & Healthcare:

Based on a user request, medical device manufacturers need to provide data which could be used to create personalized medical treatments targeting the period before, during or after a medical issue arises. This data could be shared with doctors in real time to personalize medication dosages or treatment plans.

Technology, Media & Telecom:

An important restriction within this sector exists for companies that are designated as gatekeepers under the Digital Markets Act. They are ineligible to benefit from the data-sharing provisions of the entire regulation.

Industries are well aware of the upcoming regulation and some market players identified already potential lack of specificity due to the horizontal aspect, leading the financial and automotive sectors to propose already additional complementary regulations.

What should be retained?

The first key point to remember is the switch of control over data from IoT product manufacturers/providers to users. This shift may result in increased costs and technical challenges for manufacturers/providers in meeting data sharing obligations. Additional to protect trade secrets businesses should understand their obligations and rights within the sharing processes. However, the sharing obligations can create new business models for emerging EU companies. The B2G sharing obligation will expand above IoT related data. This means any company within the EU should be ready to share data with institutional bodies. The last key aspect to be mindful about is the simplified procedure to switch cloud service providers. It will remove barriers for switching and promote interoperability through open standards.

The Data Act represents the next crucial element in building a unified European data market along the path of the European data economy strategy. Every company should aim to prepare itself for potential data sharing with customers, businesses, and public institutions in the near future. Users, on the other side, will have greater control and transparency over their own produced data. The key question is whether users will take advantage of this newly granted power. Generally, simplifying data sharing processes through interoperability restrictions lay the foundation for innovation and collaboration. Given the sharing of data is linked to the permission of the user, it remains unclear whether it will bring the expected economic impact.