My Data = Your Data? How the EU Data Act May Influence IoT and Cloud Offerings in the European Union and Beyond

By Kristina Ehle &  Sana Ashcroft, Morrison Foerster

Overview – The Strategy of the European Union for a “Society Empowered by Data”

The efficient processing and sharing of data whether in a B2C, B2B, or G2B context are important factors for the success of the digital transformation of the private and public sectors around the world. The expansion of Internet-of-Things (IoT) technologies that converge the physical and digital worlds, including devices and solutions such as smart home appliances, out-of-clinic health-monitoring devices, smart manufacturing with connected machinery and robots, energy and security management systems for buildings, or supply-chain management solutions, will play a decisive role in creating the future data economy.

The Commission of the European Union has acknowledged the potential that data-driven innovations, such as IoT solutions, create for the EU single market, and has outlined the EU’s ambition to “become a leading role model for a society empowered by data to make better decisions in business and the public sector” in its European strategy for data published in February 2020. As part of this strategy, in February 2022, the Commission published its proposal for a Data Act, which is the second main proposal following the Data Governance Act (DGA). Like the DGA, the draft Data Act is meant to complement the existing legal framework for the EU data economy, including the General Data Protection Regulation (GDPR) on personal data, the ePrivacy Directive, which regulates data stored in and accessed from terminal devices, the Free Flow of Non-Personal Data Regulation, which ensures that non-personal data can be stored, processed, and transferred anywhere within the EU and introduced self-regulatory codes of conduct for cloud switching, and the Open Data Directive.

While the Open Data Directive and the DGA aim to facilitate the re-use of publicly available data as well as certain categories of protected data held by public sector bodies, such as state, regional, or local authorities and agencies governed by public law, the Data Act aims to build a framework for sharing data generated by connected devices and related services.

The proposed Data Act has been heavily debated and discussed in the EU, including the Commission, the Council of the EU, which represents the governments of the EU Member States, and the European Parliament. As result, its scope and requirements are likely to change. The Presidency of the Council of the EU has already published a first compromise text and, on November 3, 2022, a second compromise text suggesting some material changes (the compromise text). We expect the final version of the Data Act to be adopted in the second half of 2023 and enter into force in late 2024. As it is designed as a regulation, the Data Act will be directly applicable in all EU Member States, without any transposition into national law, once it has been adopted.

Read more…