you are being redirected

You will be redirected to the website of our parent company, Schönherr Rechtsanwälte GmbH :

14 March 2022

The European Data Act

The use of connected services and objects in all economic sectors is constantly increasing and, with it, the generation of data. More and more people are contributing their data to the Internet of Things (IoT), for example by using "smart" speakers, (more or less) self-driving cars, intelligent heating control for their living quarters, etc. In most cases, though, the users of these "things" are either (contractually) not entitled or not able to access and use the data generated by them and their devices. Also, data interoperability between different manufacturers or companies is hardly ever accomplished, because many devices are not suitable for the task or companies are not sure how and under what conditions the data generated may be shared. To reap the full value of data in the European economy, the European Commission ("Commission") is developing strategies and plans for the better use of data. According to the Commission, savings of EUR 120bln per year can be expected in the EU health sector and an additional GDP of EUR 270bln can be achieved by 2028 thanks to the new data rules.1

A European strategy for data

The European Commission started to develop and implement its strategy for digital transformation back in 2014. With this strategy, it is trying to shape the future of the European digital market by making more data available for use in the economy and society, all the while ensuring that the technology "works for the people" who create the data. According to the Commission's plans, not only people will profit from the implementation of the digital strategy, but also businesses as well as the environment by reaching climate neutrality with the help of digital strategies.2

The key points of the strategy are investment in digital skills for all Europeans, cyber-threat protection, responsible development and use of artificial intelligence, acceleration of the roll-out of "ultra-fast" broadband internet for everyone, strengthening the responsibility of online platforms by a Digital Services Act (recently approved by the European Parliament3) and clarifying rules for online services, but also the reduction of the digital sector's carbon emissions, the creation of a "European health data space" to foster targeted research, diagnosis and treatment and to give citizens more control over and protection of their data.4 Use cases of industrial and commercial data use include:

  • real-time traffic avoidance navigation to reduce traffic jams and CO2 emissions;
  • resource allocation to fight big-scale diseases (such as pandemics);
  • using sensor data from engines (from airplanes or tankers) to ensure effective operation and accelerate research and development;
  • improved understanding of the customer (e.g. acquisition and retention, forecasting, prize optimisation, etc.) through the use of big data.

To achieve its rather ambitious goals, the Commission has proposed and published numerous legal texts that have mostly been enacted over the course of the last years. These include the Regulation on the Free Flow of Non-personal Data5, the Cybersecurity Act6, the Open Data Directive7, the Data Governance Act8 and the GDPR. Also, in 2019 the first Artificial Intelligence Strategy was presented, and in 2021 a coordinated plan was agreed for enactment with the EU Member States.9 In February 2022 the Commission proposed a text for a "Regulation on harmonised rules on fair access to and use of data", the European Data Act.10

The Data Act

As a first step, the Data Governance Act facilitates data sharing across all business sectors and Member States. The Data Act should thereafter make more data available for use and regulate who can access and use the data and for what purposes. In other words, it clarifies who can create value from the data.

The proposal provides for various data access and sharing rights and obligations, e.g.:

  • Users should be able to access the data they generate. The manufacturer must provide the user with the relevant information about the generation of data and where to access it before concluding the contract.
  • Products (and services) must be designed in a way that data generated by their use are, by default, easily, securely and directly accessible to the user.
  • "Data Portability": Upon request by a user, the data holder (i.e. the legal or natural person who has the right, obligation or the ability to make available certain data11) must make the generated data available without undue delay, free of charge to the user, of the same quality as is available to the data holder and, where applicable, continuously and in real-time. Switching cloud providers is also to be facilitated by interoperability specifications.
  • Micro, small and medium-sized enterprises will be protected from unfair contractual terms. If a contractual term concerning the access to and use of data, liability, remedies for the breach or termination of data-related contractual obligations has been unilaterally imposed, it will not be binding if it is "unfair" under the Data Act.
  • Public sector bodies and EU institutions, agencies or bodies will be entitled to request access to the data based on "exceptional need". This right is limited to public emergencies but also includes the possibility of access when the public body is "unable to obtain such data by alternative means", making it a far too broad provision.

In an interesting interplay with the Digital Markets Act ("DMA")12, the proposal provides that companies who qualify as "gatekeepers" under the DMA (such as Apple, Google, Amazon, etc.13) are not entitled to request access to data from a data holder and will not receive generated data. Moreover, third parties are not permitted to transmit or disclose data with them.14 This provision will help to avoid lock-in effects.


The goal of achieving more control over generated data is definitely to be appreciated. Even though a decent first step has been taken, many details still need to be clarified (e.g. defining "exceptional needs", ensuring the security of personal data, providing for access rights for consumer protection organisations or other civil society organisations representing non-commercial interests, etc.).

Critics note that the proposal's strong economic bias is evident, but the benefits to the public good and society (or "technology that works for the people", as the Commission puts it) are likely to be limited. In particular, the proposal fails to provide for public institutions that manage and share public data specifically for societal purposes and the public benefit.15

The Data Act is only at the beginning of the legislative process and will be amended numerous times before finally becoming effective. Even though when the regulation will enter into force and what its eventual content will be cannot be reliably foreseen, companies should keep an eye on the further development of this proposal. Especially as the envisaged implementation period of 12 months after the date of entry into force is rather short and fines for infringement of the Data Act are based on the GDPR and can thus amount up to EUR 20m or 4 % of the global annual turnover.


1 European Commission, Data Act Fact Sheet,
8 (Final Proposal).
9 (Final Proposal).
11 Cf Art 2 (6) Data Act.
13 Cf. for details
14 Cf. Art 5 (2) Data Act.
15 Cf. e.g.

author: Florian Terharen


Attorney at Law

austria vienna