The EU Data Act will become directly applicable to member states from 12 September 2025. Although the UK is no longer a member of the EU, UK businesses will need to familiarise themselves with their obligations under the Act if they use, collect and/or manage any data in the EU.
There are a variety of reasons why a UK business might fall within the scope of the Act, but the most common are likely to be that it places products on the EU market that can be connected to the internet (connected devices), offers data processing services to EU clients or makes data available to people in the EU.
The Act applies to both personal and non-personal data, but not every chapter applies to both types of data, and some will only apply to very specific categories of data. Where a business potentially falls within the scope of the Act, it will be necessary to consider all data it handles to determine whether any of its services fall within the scope of the Act and, if so, which chapters are applicable.
The Act supports the EU’s overall data strategy, which is to create a single market for data within the EU. It does this by addressing issues with the way data is shared and accessed, and introduces a series of regulated activities that fall into the following categories:
- Data access for users: Data generated by connected devices (and other services) should be made available to the user, including where a user asks the data holder to share readily available data with a third party.
- Obligations on data holders: When giving a user access to data, this must be done on fair and transparent terms and conditions. The data holder can charge if they are making data available to a third party, but this is subject to a series of other conditions.
- B2B data sharing: There are new requirements in place for parties entering into a data sharing agreement, particularly where the disclosing party is required to make the data available by law. Any unfair contractual terms that relate to making data available will not be binding if they have been unilaterally imposed.
- Sharing data with the government: Rules have been introduced to allow public sector organisations to obtain data in exceptional circumstances. These exceptional circumstances must be either a public emergency or necessary to fulfil a task that is provided by law and in the public interest.
- Data Processing System (DPS) providers: There is a series of requirements that any DPS provider must comply with in order to create a multi-vendor cloud environment. This includes an overall aim to make it easier for users to move between providers.
Rules on penalties for non-compliance will be decided by individual EU member states. Therefore, it is likely that penalties will vary between countries, but these could include financial penalties, warnings or orders requiring corrective action to bring businesses into compliance.