The Official Journal of the European Union has published the long-awaited data regulation “Data Act”.
After the Data Governance Act, the Data Act is the second most significant regulatory intervention of a horizontal nature i.e., applicable to any sector, of the EU Data Strategy promoted by the Commission for 2020/2023.
The title of the Data Act is “harmonised rules on fair access to and use of data,” and it indicates the purpose and scope of the regulation: that of facilitating access to and use of data (personal and non-personal) resulting from user interaction with devices and services in the IoT world, while respecting applicable laws and the values of the Union.
The Data Act, therefore, covers data obtained, generated or collected from devices, by means of their components; data related to their performance, use or reference environment and that can be made available.
Definitions and terminology
The data regulation interacts with, among other things, the GDPR and the DGA.
It leaves EU data protection law – i.e., GDPR, EUDPR and the ePrivacy Directive – unaffected. Following this, the introduction to the Data Act stresses the importance of respecting the principle of data minimization and the principle of protection by design and by default in this context as well, when the referenced data is personal data. To this purpose, it recommends using technologies that “allow algorithms to be applied to the data and valuable information to be derived without inter-party transmission or unnecessary copying of the data.”
With this in mind, for the terms “personal data,” “data subject,” and “profiling” used in the Data Act, please refer to those in the GDPR.
“Data intermediation services” are those defined in the DGA.
Scope of application
Unlike other regulatory acts on the broader EU data strategy that cover data held by public administration-such as the Free Movement of Data Regulation, the Open Data Directive, and the DGA-the Data Act also includes private sector data.
The scope of the Data Act includes within its scope data sharing and reuse, across all sectors:
- business to business, (B2B)
- business to government, (B2G)
- public administration to business, (G2B)
- from public administration to public administration, (G2G)
- but also from government or business to individual consumer, (G2C) or (B2C).
Indeed, “[w]hile the notion of ‘data controller’ does not generally include public bodies, it may include public enterprises” (Recital (25).
The Data Regulation covers data generated by Internet-related products and generated through direct or indirect interaction with the user.