The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

The SIG is available by subscription only.

For further information, please email:

Data Act

The European Commission has published the long-awaited proposal for a regulation on data law (“Data Act“). This is, after the Data Governance Act, the second most important regulatory measure crossing all sectors of the EU Data Strategy (see Bulletin of 22/7, 9/9, 11/11 and 23/12/2021).



EU Data Strategy

The Commission has promoted a set of regulatory acts aimed at supporting the free flow of data within the EU market, facilitating access to and sharing of “non-personal data”; in the case of mixed data sets or “personal data”, the conditions dictated by the relevant legislation (i.e. GDPR, Data Protection Regulation with respect to EU institutions, the Police Directive 2016/680, the ePrivacy Directives) must still be respected.

Data Act e Data Governance Act

The title of the Data Act isharmonised rules on fair access to and use of data” and it indicates the purpose and scope of the proposal: to facilitate the access and use of (mostly non-personal) data resulting from user interaction with devices and services in the IoT world, in accordance with the rules and values of the Union.

The Data Act, therefore, applies to data obtained, generated, or collected from physical products, by means of their components, relating to their performance, use, or environment, and that are able to communicate that data via a publicly available electronic communications service.

The regulation sates who is entitled to access this data generated by products and related services, under what conditions, and on which basis.

The DGA, for its part, has placed emphasis on facilitating the voluntary sharing of data by individuals and companies, with provision for both the three profiles of:  

  • Reuse of data held by public entities  
  • Data sharing services (intermediation between data owners and users, intermediation between data subjects, data cooperatives)  
  • Data altruism (for “general interest purposes”)  

both of the new role of “data intermediaries”.

Data Act Objectives

The Data Act pursues the following objectives: 

  • Recognize the user’s right to access and use data generated by interaction with products and services in the IoT environment 
  • Recognize the right of public bodies to request and use data held by by enterprises in certain situations where there is an exceptional data need 
  • Facilitate switching between cloud and edge services 
  • Put in place safeguards against unlawful data transfer without notification by cloud service providers. 
  • Provide for the development of interoperability standards for data to be reused between sectors.

Relationship between Data Act and GDPR or ePrivacy

When the information is personal data or even promiscuous data or relate to electronic communications, its use is regulated by the GDPR and ePrivacy directives (soon to be replaced by the expected regulation); in case of conflict, the GDPR and ePrivacy rules prevail over the Data Act provisions.

Recital (8) of the Data Act reiterates that even within its scope, the principles of data minimisation and data protection by design and by default are essential when processing involves significant risks to the fundamental rights of individualsall parties to data sharing, must implement technical and organisational measures to protect these rights.

Recital (24) focuses on the subjective roles in the case of personal data processing: the data holder is the data controller and users, if individuals, are data subjects.