Bytesize Legal Updates | Fieldfisher
Fieldfisher are experts in European digital regulation and guide businesses through the complexities of the EU’s rapidly evolving regulatory environment. Europe is one of the world’s largest internal markets. With our focus on digital regulation for online platforms, social media and emerging technologies (AI, automation, AR/VR etc.), we keep you up to date with the EU’s digital agenda and the latest European legislation impacting the industry.
Bytesize Legal Update - The EU Data Act is approved
The Data Act seeks to optimize and leverage the volumes of data (both personal and non-personal) created within the IoT market in order to improve data accessibility to individuals, businesses and governments and create interoperability standards for data sharing. The Data Act also looks to redress contractual arrangements with cloud hosting, by promoting choice within the market and protecting SMEs from imbalanced contractual terms.
In this Bytesize Legal Update, Fieldfisher's James Russell and Eilish Beeby outline what businesses can expect from the Data Act and the next steps for businesses that may be within scope.
EU Data Act Nov 23
James: [00:00:00]
Hello, I'm James, and I'm Eilish, and we're both tech and data specialists from Fieldfisher's Silicon Valley. Today, we're going to give you a bit of a flavor of the EU's Data Act and what it means for you and your business. So today, the European Council has formally announced the agreed text of the Data Act, marking a key milestone in the Act's journey to becoming law. Today, we're just going to break down some of the key provisions that you're going to need to think about: how it applies to internet-connected devices, mandatory B2G sharing, and of course, international transfers of data.
All right, so let's start with the key question I'm sure is on all our listeners' minds, which is: [00:01:00] What exactly is the Data Act and where did it come from?
Eilish: Great. Thanks, James. So, the EU Data Act is one of the main deliverables for the European Commission's European Strategy for Data and part of the Commission's broader action plan to ensure Europe's digital sovereignty by 2030 by supporting responsible access, broader sharing and reuse of personal and non-personal data.
So global data is growing. In 2018, global data sat at around 33 zettabytes. So in 2025, global data is expected to sit at 175 zettabytes. That's a five fold increase. So the European Commission is keen to unlock those troves of industrial data and leverage it within the single market to enable better competition against non-EU tech companies.
In addition, in order to unlock the potential of artificial [00:02:00] intelligence, digital companies need to be able to access rich and voluminous data sets. So the Data Act forms one part of that puzzle to make it easier for European businesses to access, share, and exploit this data for high economic reward.
James: Okay, so for those listeners who are thinking, alright, you've got my attention, but what do I need to do now? Is the Data Act in force yet?
Eilish: That's a great question, James. So, EU institutions reached a provisional agreement on the 27th of June of this year, and the agreed text has now formally been adopted by the European Parliament and the European Council, so we expect the official act will be published in the EU official journal any day now.
So, once that happens, the Act enters into force 20 days later, but it'll only become applicable 20 months after that, so we're likely working towards compliance for around the second half of 2025.
James: Okay, so if we're targeting the second half of 2025, who does the Data Act apply to? Who needs to be thinking about this?
Eilish: So this is [00:03:00] primarily going to be manufacturers who are putting their products on the market in the EU, and data holders who make their data available in the EU. So essentially this is going to be manufacturers and service providers of connected devices, so this might be smart cars, smart appliances, industrial robots, any device that could be connected to the internet, as well as cloud service providers.
So you can see how the Data Act is likely to impact a wide range of different sectors and industries. The Data Act is also going to have extraterritorial effect, so for those familiar with the GDPR, this isn't going to be an alien concept to you. Ultimately, it means that a company does not have to physically be based within the EU to be caught by the requirements of the Act.
Any provider doing business within the EU will need to consider the implications of the Act, including U.S. cloud providers that are processing EU data, or connected smart security devices and services being sold in the EU.
James: So are you saying that basically due to the [00:04:00] extraterritorial nature of the Act, any U.S. business that's targeting the EU market is still going to need to comply?
Eilish: Absolutely.
James: I see. Okay, so then moving on to some of the obligations a bit. Can you talk us through what the main obligations under the Data Act are?
Eilish: Of course. So, the obligations aim to ease the switching of providers of data processing services, put in place safeguards against unlawful data transfer by cloud service providers, and provide for the development of interoperability standards for data to be reused between sectors.
The Data Act will also give both individuals and businesses more control over their data through a reinforced portability right. Copying and transferring data easily across from different services, where the data is generated through smart objects, machines and devices. So, the new legislation will empower consumers and companies by giving them a say on what can be done with the data that's being generated by their connected products.
There'll be some additional obligations as well around [00:05:00] data sharing with public authorities in the cases of exceptional need, so public emergencies, global pandemics and the like.
James: Okay, when you say it like that it sounds all a bit more manageable. So is this all tied up in a bow, is it all going to be nice and simple for us all to solve really quickly?
Eilish: I wish, I like your optimism, James. But there are some pretty knotty issues to work through in terms of how the Data Act is going to interact with some other EU legislation. So the Data Act covers both personal and non-personal data that's generated by the use of connected products and services.
So companies really need to be cognizant of their existing duties under data protection legislation and how they're treating personal data under the GDPR compared to the Data Act. There are other regulations in the digital space as well, so data portability rights already exist under the GDPR. But under the EU's Digital Markets Act, that also introduces some additional rights for users to port their data when they're generating that data on [00:06:00] certain platform services. So a lot of overlap already.
James: And it sounds like there is quite a lot to consider. So, for all these companies who are potentially in scope, what are the sort of things that they need to be thinking about now in order to comply with the Data Act?
Eilish: Yeah, great question, James. So just as a brief overview, really. We expect there's going to be some work to be done around the design of connected devices and services on contractual arrangements that are in place with third parties, terms and conditions with service users, and some thought to be given around data collection, sharing practices, things like that.
James: So even if it's not until 2025, there is stuff to be starting to think about, at least, and stuff to be digging into already?
Eilish: Absolutely. There's so much more that we could discuss and dig into on this. But I think for now, the EU Data Act is still in its infancy. There's certainly going to be some time between the Data Act coming into force and becoming applicable for companies to work through [00:07:00] how this can impact their business and really start to build a compliance plan. For now, our key message for the Data Act is that for those businesses working in IOTs, related services, cloud services, the Data Act should be on your radar. But as we move into 2024, it's a good time to really start thinking about allocating some budget for the next fiscal year.
James: And I assume that we'll be coming back to provide people more updates as more information is released.
Eilish: Absolutely. So watch this space.
James: Brilliant. Well, thanks, Eilish. And thank you for joining us on today's latest episode of Fieldfisher's Bytesize Legal Podcast, your source for concise legal updates on the key legal developments in technology and data protection law.
If you have any questions about today's update, of course, don't hesitate to reach out to us. And if you found it useful, do make sure to give us a like or review on your podcatcher of choice. As always, thanks for taking the time to listen. Thanks, Eilish, for joining. Thanks, James. And we'll see you next time.
[00:08:00] Thanks, everybody.