On 6 September 2024, the European Commission published FAQs to help stakeholders understand and implement the Data Act (Regulation EU 2023/2584), which will be enforced from 12 September 2025. The Data Act aims to set harmonized rules for accessing and sharing data, particularly in the context of IoT, across various sectors. These FAQs offer vital clarifications on how the Data Act interacts with existing legislation like GDPR, enforcement mechanisms, and specific considerations for IoT data.
Some of the covered aspects:
Interaction with GDPR
The Data Act does not directly regulate personal data, but GDPR applies fully when personal data is processed. In any conflict, GDPR rules take precedence (Article 1(5)). Data Protection Authorities (DPAs) will enforce compliance where personal data is involved. The FAQs also clarify that individuals do not need to approach separate authorities under both laws when handling personal data issues related to the Data Act.
IoT and Data Types
The FAQs clarify that the Data Act applies to raw and pre-processed data generated by connected IoT products. Data that is highly enriched, for example, through complex algorithms or protected by intellectual property rights, is not covered. The FAQs emphasize that only data generated after the Data Act takes effect will be subject to its rules. Additionally, IoT data types, such as ‘product data’ and ‘related service data,’ are defined to guide companies on what falls within the Act’s scope.
Enforcement and Trade Secret Protection
Data holders are required to provide access to data upon request, but they can refuse if sharing the data could cause serious economic harm by revealing trade secrets. The FAQs introduce a “trade secrets handbrake” mechanism to balance data access and trade secret protection, where data holders can negotiate confidentiality safeguards before sharing sensitive information.
Digital Markets Act (DMA) Interaction
The FAQs specify that while DMA “gatekeepers” cannot use the Data Act’s mandatory data-sharing rules, they are not entirely excluded from IoT data markets. The FAQ stresses that DMA gatekeepers are limited in using specific mechanisms but can still engage in voluntary data-sharing arrangements.
You can find the press release and the FAQ here. A detailed overview can be found at Ropes&Gray.
♻️ Share this if you found it useful.
💥 Follow me on Linkedin for updates and discussions on privacy, digital and AI education.
📍 Subscribe to my newsletter for weekly updates and insights – subscribers get an integrated view of the week and more information than on the blog.