On 9 November, 2023, the European Parliament adopted a compromise text for the proposal for the Data Act[1]. The new regulation is yet to be officially adopted by the Council of the European Union, but the contents of the future EU regulation are now known.

The Data Act is intended to eliminate barriers to access to data for entities in the private and public sector, while it also preserves incentives to invest in data generation by ensuring balanced control over the data for the entities that create the data.

In practice, the Data Act is intended to improve data access for a broad group of entities. For this reason, users will be given special rights to access data related to products and services they use. On the other hand, the providers of these products and services will have specific obligations to enable exercise of those rights. Entities in the public sector, such as national or EU authorities, will also be given special rights to access data in the private sector, and the product and service providers will have additional disclosure obligations.

An important element of the Data Act will be rules on data portability to facilitate switching between providers of data processing services. Under the new rules:

  • service providers will be required to put in place measures to facilitate switching providers of data processing services;
  • the rights and obligations of the parties regarding switching between providers will have to be clearly set out in a written contract with which the customer is provided prior to conclusion;
  • there will be specific requirements regarding the agreement with the service provider, such as stating the maximum notice period and the scope of data that can be transferred, and obligations to erase data following transfer;
  • providers will have specific obligations with regard to transparency;
  • it will not be possible to impose switching charges subsequent to a transition period.

Importantly, the current scope of protection of trade secrets is significantly broader than in the original proposal, following extensive criticism of the previous rules due to the scope of protection being too narrow.

As the Data Act is a regulation, it will be uniformly applicable across the EU. The regulation will take effect twenty months from enactment, but it is not clear when precisely this will occur. Barring unforeseen circumstances, the Data Act should apply from around QIII 2025.


[1] https://www.europarl.europa.eu/RegData/seance_pleniere/textes_adoptes/definitif/2023/11-09/0385/P9_TA(2023)0385_EN.pdf