Data sharing: preparing for compliance with the EU Data Act

In our Podcast we very often talk about Regulatory topics, texts developed at European level with the aim to regulate industry activities – of course, we always focus on dossiers around the Business Information Industry.

As we approach the end of the year, we wanted to come back to one of the very important latest pieces of EU legislation promoting data sharing – namely the EU Data Act. And to help us look at how we can prepare for compliance with the Data Act I’m really glad to welcome Maria Teresa Lacatena, Regulatory Affairs Specialist at CRIF.

 

What is the EU Data Act and what is the timeline for full compliance?

 

The Data Act is part of the EU’s broader Data Strategy and builds on previous legislative efforts like the GDPR and the Data Governance Act. While GDPR focuses on protecting personal data, the Data Act primarily deals with non-personal data and how it is shared, accessed, and used across industries and sectors.

 

The act, proposed in February 2022, has been published in the EU Official Journal in December 2023 and will be applicable from 12th September 2025, with some exceptions regarding the chapter related to unfair contractual terms, which will be applicable from September 2027 to contracts concluded on or before 12th September 2025.

 

The Data Act is structured into 8 main chapters:

1. Chapter on business-to-business (B2B) and business-to-consumer (B2C) data sharing in the context of IoT: users can access the data generated by the devices they own or use. For example, if you own a smart device, such as a connected washing machine, you should have the right to access its performance data. Furthermore, you can share this data with another service provider (defined as third party) if you wish, encouraging competition and better services. This principle levels the playing field by reducing the control device manufacturers have over data, giving users more freedom and choice. The data holder is typically the company that makes the connected product or that provides a related service. A data holder must have a contract with the user defining the rights regarding the access, use and sharing of the data that is generated by the connected product or related service.
2. Chapter on business-to-business (B2B) data sharing: this clarifies the data-sharing conditions wherever a business is obliged by law to share data with another business. For instance SMEs, which often lack the resources to gather vast amounts of data, will be able to access datasets from larger organizations under fair terms. By fostering collaboration, the Data Act can drive innovation in areas like artificial intelligence, logistics, and green energy. Here, data holders may request reasonable compensation for making the data available to a data recipient. This could include costs incurred for making data available as well as technical costs related to dissemination and storage.
3. Chapter on unfair contractual terms: in many data-sharing agreements, larger companies impose unfair terms on smaller partners. The Data Act addresses this by ensuring that contracts are balanced and equitable, giving smaller players a fair chance to negotiate.
4. Chapter on business-to-government (B2G) data sharing: The new Data act allows public authorities to access private-sector data in situations of emergency, such as pandemics or natural disasters. Imagine a scenario where a government needs real-time mobility data to manage evacuations or track the spread of a disease. The Data Act enables such access while ensuring safeguards to prevent misuse.
5. Chapter on switching between data processing services: To overcome the imbalance of power between providers and customers in the cloud market, the Data Act sets minimum requirements for the content of cloud contracts. The Data Act includes measures to ensure that customers can switch from one provider of data processing service to another provider quickly and smoothly, and without losing any data or the functionality of applications.
6. Chapter on unlawful third country government access to data: The Data Act does not prohibit cross-border data flows but ensures that the protection afforded to data in the EU travels with any data transferred outside the EU. In this context, the Data Act establishes rules and safeguards for access requests by a foreign public sector body to non-personal data held in the Union. Legitimate international cooperation in relation to law enforcement is not affected by these provisions.
7. Chapter on interoperability: The act emphasizes the importance of interoperability—making sure that data can flow seamlessly across systems, platforms, and industries. This is particularly critical for sectors like smart cities, healthcare, and renewable energy, where collaboration is key to progress. The Data Act also prepares the ground for increasing the interoperability of data processing services through harmonised standards and open interoperability specifications. In addition, it lays out requirements for vendors of smart contracts for the automated execution of data-sharing agreements, for example to ensure that they correctly carry out the provisions of the data-sharing agreement and withstand manipulation by third parties.
8. Chapter on enforcement: Member States must designate one or more competent authority/ies to monitor and enforce the Data Act. Where more than one authority is designated, a ‘data coordinator’ must be appointed to act as the single point of contact at the national level.

What are the major impacts ?

 

The Data Act has a huge impact in the EU data sharing ecosystem because it will increase the data sharing in line with the European Data Strategy. This new Regulation could be considered as a game-changer, especially when we consider that it:

• democratizes access to data, breaking down barriers that stifle innovation;
• fosters innovation and collaboration. For example, if we take in consideration smart cities, by sharing transportation data, energy providers and city planners can develop integrated solutions to reduce congestion and improve sustainability;
• strengthens the EU’s digital sovereignty by ensuring that data practices align with European values, such as fairness, transparency, and privacy.

In term of impacts, it is possible to show also several benefits for specific sectors. This is the case of:

• Healthcare: shared access to medical data can accelerate research and improve patient care.
• Energy: the Data Act enables better integration of renewable sources like solar and wind by improving data sharing between providers, grid operators, and consumers.
• Transportation: by sharing mobility data, the act can improve urban planning, reduce traffic congestion, and enable innovations like autonomous vehicles.
• Agriculture: farmers can access and share data from IoT-enabled equipment, improving productivity and sustainability in farming practices.

Does it represents more an opportunity or a threat for Business Information Providers?

 

(Maria Teresa) In my opinion, the Data Act presents both opportunities and threats for Business Information Providers. Regarding the opportunities, this new piece of legislation encourages broader data sharing, giving BIPs access to datasets previously monopolized by private companies or locked in silos.

Through the increase of available data, it will be possible to develop new services and products.

On the side of threats, the Data Act will increase competition because with broader access to data, new players may enter the market, intensifying competition. At the same time, implementing robust systems for managing data access, sharing and compliance could be costly.

To conclude, it is up to policymakers, businesses, and individuals to embrace the opportunities the Data Act to build a data-driven economy that works for everyone.

 

Thanks for all the interesting outlook you have given us – I suppose we all have now to prepare for compliance!

 

You can listen to this and other episodes of the FEBIS Podcast here.

 

 

Source: FEBIS