[…] The Regulation on harmonised rules on fair access to and use of data — also known as the Data Act — entered into force on 11 January 2024 and into application on 12 September 2025. The Act is a key pillar of the European data strategy and it will make a significant contribution to the Digital Decade‘s objective of advancing digital transformation. The Data Act explained provides more in depth explanations.
The Data Act is designed to empower users — both consumers and businesses — by giving them greater control over the data generated by their connected devices, such as cars, smart TVs, and industrial machinery.
[…]
he new rules aim to facilitate the seamless transfer of valuable data between data holders and data users while upholding its confidentiality. This will encourage more actors, regardless of their size, to participate in the data economy. The Commission will also develop model contract clauses in order to help market participants draft and negotiate fair data-sharing contracts.
[…]
Public sector access and use of data
Rules enabling public sector bodies to access and use data held by the private sector for specific public interest purposes. For instance, public sector bodies will be able to request data necessary to help them respond quickly and securely to a public emergency, with minimal burden on businesses.
[…]
New rules setting the framework for customers to effectively switch between different providers of data-processing services to unlock the EU cloud market. This will also contribute to an overall framework for efficient data interoperability.
[…]
Users of connected products may choose to share this data with third parties. This will enable aftermarket (e.g. repair) service providers to enhance and innovate their services, fostering fair competition with similar services provided by manufacturers.
[…]
Source: Data Act | Shaping Europe’s digital future
Following the general provisions (Chapter I) which set out the scope of the regulation and define key terms, the Data Act is structured into six main chapters:
Chapter II on business-to-business and business-to-consumer data sharing in the context of IoT: users of IoT objects can access, use and port data that they co-generate through their use of a connected product.
Chapter III on business-to-business data sharing: this clarifies the data-sharing conditions wherever a business is obliged by law, including through the Data Act, to share data with another business.
Chapter IV on unfair contractual terms: these provisions protect all businesses, in particular SMEs, against unfair contractual terms imposed on them.
Chapter V on business-to-government data sharing: public sector bodies will be able to make more evidence-based decisions in certain situations of exceptional need through measures to access certain data held by the private sector.
Chapter VI on switching between data processing services: providers of cloud and edge computing services must meet minimum requirements to facilitate interoperability and enable switching.
Chapter VII on unlawful third country government access to data: non-personal data stored in the EU is protected against unlawful foreign government access requests.
Chapter VIII on interoperability: participants in data spaces must fulfil criteria to allow data to flow within and between data spaces. An EU repository will lay down relevant standards and specifications for cloud interoperability.
Chapter IX on enforcement: Member States must designate one or more competent authority(ies) to monitor and enforce the Data Act. Where more than one authority is designated, a ‘data coordinator’ must be appointed to act as the single point of contact at the national level.
[…]
Chapter V of the Data Act on business-to-government data sharing differentiates between two scenarios:
In order to respond to a public emergency, a public sector body should request non-personal data. However, if this is insufficient to respond to the situation, personal data may be requested. Where possible, this data should be anonymised by the data holder.
In non-emergency situations, public sector bodies may only request non-personal data.
[…]
The Data Act will also entirely remove switching charges, including charges for data egress (i.e. charges for data transit), from 12 January 2027. This means that providers won’t be able to charge their customers for the operations that are necessary to facilitate switching or for data egress. However, as a transitional measure during the first 3 years after the Data Act’s entry into force (from 11 January 2024 to 12 January 2027), providers may still charge their customers for the costs incurred in relation to switching and data egress.
Source: Data Act explained
This is all great stuff, but the wording where public sector bodies can request personal data for unexplained emergencies (so… does a peaceful protest constitute an emergency, for example?) is pretty scary. Especially within the context of Chat Control Blanket Surveillance that the Danish presidency is keen to push through.
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft