Data Act: EU law to liberate data

The EU Data Act comes into force on September 12. For example, users will be able to control the data they generate with IoT devices themselves.

A map of Europe with a lock and EU flag

(Image: Ivan Marc / Shutterstock.com)


On September 12, the Data Act comes into full force and effect. This EU regulation came into force on January 11, 2024, and is now directly effective as law in all member states after a grace period. The EU Commission conceived and implemented it as an important component of the “EU Data Strategy” defined in 2020.

According to the Commission, the Data Act aims to clarify “who can create value from data and under what conditions.” The act is intended to help break down data silos, create a single market for data, and make it easier to switch between cloud providers. Specifically, it covers all kinds of non-personal data that is generated when devices are used, for example, in industry, agriculture, and the transport sector, but also in the Internet of Things (IoT). This also includes smart household appliances and fitness trackers.

For example, if a vehicle manufacturer stores the sensor data of a sold car in its cloud, it is considered a “data controller” under the Data Act. While it previously had exclusive access to all of this collected data, that exclusivity is now to end. The manufacturer must hand the data over to the user, who actually generated it, on request. They can also make it available to others (“third parties”) for a fee, provided this is contractually regulated.

The EU wants to improve consumer protection, but in particular to enable the trade in huge amounts of non-personal data. When the Commission drafted the Data Act in 2020, it predicted that this trade alone, made possible by the law, would boost the EU's gross domestic product by 270 billion euros by 2028. The Data Act would also enable new business models that generate up to ten percent additional productivity growth, according to the optimistic prediction.

Optimistic estimates: This is how the EU Commission envisions the benefits of a free internal market for data.

(Image: EU-Kommission)

Both companies and private individuals are covered by the Data Act. The Data Act defines so-called “in-scope data.” This is non-personal raw data and metadata that is generated when devices are used. The law applies to this data with immediate effect. However, “out-of-scope data,” such as structured analyses or algorithmic sorting, is not affected.

The Data Act is designed as a complementary regulation to the General Data Protection Regulation (GDPR), which continues to apply in full. While the Data Act only deals with non-personal data, the GDPR regulates the handling of personal data. It follows that the Data Act frees up trade, but the storage, processing, and disclosure of GDPR-relevant data still require a legal basis in accordance with Art. 6 GDPR.

This is where the problems begin for companies as data owners: they must check all collected data to see whether it contains personal data. If this is the case, they can refuse to disclose it to users or third parties if there is no legal basis under the GDPR. If they release the data even though it contains personal references, they may subsequently get into trouble with their competent data protection authority.

In practice, the relationships between data owners, users, and third parties are to be governed by contracts. There are also new transparency obligations for producers/owners towards users. The implementation of the Data Act is considered to be complex, especially as, according to experts, many things are still unclear, such as whether the Data Act only applies to new databases or also to old databases that existed before September 12.

This means a lot of implementation and compliance work for the economy. While most large corporations have been dealing with the Data Act for a long time, many SMEs and small companies are likely to be hopelessly overwhelmed by the new disclosure obligations. Presumably, some have not even bothered with it yet because the Data Act deadlines have largely slipped under the media radar.

This assessment was confirmed by a survey conducted by the IT industry association Bitkom, which questioned 605 companies with 20 or more employees about the Data Act in the spring. According to the survey, only 1 percent of the companies affected had fully implemented the Data Act requirements 100 days before it came into force, while a further 4 percent had partially implemented them. 10 percent had only just begun implementation, while 30 percent had not yet started. “The Data Act affects almost every company, but most of them haven't even seriously considered it yet,” explained Bitkom President Dr. Ralf Wintergerst three months ago. This is unlikely to have changed much to date.

According to Bitkom, only 1 percent had fully implemented the Data Act three months before it came into force.

(Image: Bitkom Research)

Companies can hardly expect any support from the EU at the moment. Article 41 of the Data Act stipulates that the EU will support all affected parties with legally binding model contracts to minimize the effort involved. A group of experts appointed by the EU Commission has published such model clauses in a report, but only as non-binding drafts. The EU Data Protection Committee, for example, has since identified a need for improvement in an opinion. It is not yet clear when the responsible EU Commission will transform these drafts into legally binding templates.

Similar to the GDPR, the Data Act places supervision and enforcement in the hands of the member states. These were required to have appointed and installed a functioning supervisory body by today's launch. While this has mostly worked, Germany is lagging, as is so often the case. On February 7, 2025, the lead ministries of the traffic light coalition presented their draft bill for a law to implement the Data Act. It was already overdue at the time, but then came the early federal elections, and the black-red coalition has not presented a new draft since then.

In the draft, the government had designated the Federal Network Agency (BNetzA) as the supervisory authority. The Federal Commissioner for Data Protection and Freedom of Information (BfDI) was to take over all data protection issues. At the time, the state data protection authorities took to the barricades against this proposal and insisted on their competence in GDPR matters. They complained that the proposal violated EU law and the constitutional distribution of administrative powers.


According to reports, a new draft is pending, which will also declare the BNetzA and BfDI to be responsible for the Data Act. Further disputes are therefore inevitable. And all of this is happening against the backdrop of an enforcement vacuum in Germany. As of today, users will not be able to complain as planned, nor do companies face the penalties of up to four percent of company turnover or 20 million euros for violations as provided for in the Data Act.

The Hamburg State Data Protection Commissioner, Thomas Fuchs, emphasized in a statement a few days ago that he considers himself responsible for Data Act matters relating to personal data for now: “Every complaint is investigated by the department that is also responsible for data protection supervision of the respective responsible body. This is in line with the aim of Art. 37 para. 3 of the Data Act to assess data use in accordance with the GDPR and the Data Act in a uniform manner.” He can “enforce the right with orders if necessary.” Violations could sometimes be punished with fines, he emphasized.

Carolin Loy, head of the Digital Economy Division at the Bavarian State Office for Data Protection Supervision, who is responsible for the Data Act, expressed a similar view. She explained in the latest episode, 142, of the c't data protection podcast Auslegungssache that her authority has set itself up, is in contact with companies in the state, and accepts complaints. In the episode, Loy explains the Data Act in detail and gives both companies and users tips on how to deal with it.

(hob)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.