Data act

In “A Europe Fit for the Digital Age”

PDF version

In February 2022, the Commission published a proposal for a data act which aims to remove barriers to access data for both consumers and businesses in a context where the volume of data generated by humans and machines is increasing exponentially.

To that purpose, the draft law establishes common rules to govern the sharing of data generated by the use of connected products or related services (e.g. internet of things, industrial machines), to ensure fairness in data sharing contracts and to allow public sector bodies to use data held by enterprises where there is an exceptional need (e.g. public emergency). Furthermore, the data act introduces new rules to facilitate switching between providers of cloud services and other data processing services and put in place safeguards against unlawful international data transfer by cloud service providers. 

The Committee of the Regions (CoR) and the European Economic and Social Committee (EESC) both adopted their opinions on the EU data act in June 2022.

In the European Parliament, the Committee for Industry, Research and Energy (ITRE), the responsible committee appointed MEP Pilar Del Castillo Vera (EPP, Spain) as rapporteur for the data act in March 2022.  The EP plenary adopted the report with 500 votes to 23, with 110 abstentions in March 2023. 

In Council, Member States’ representatives (Coreper) reached a common position in March 2023. 

Following trilogue negotiations, Council and Parliament reached a political agreement on the final text in June 2023.  The main points of the agreed final text are:

  • Individual and business users of connected devices are granted the right to access and share data generated through their use of such connected devices (e.g. vehicles, home equipment) and related services. Manufacturers of such connected devices must ensure that the devices and related services are designed to facilitate the exercise of these rights. Data holders (i.e. manufacturers) can withhold or suspend data sharing when the confidentiality of trade secrets can be undermined. They can also refuse access to their data on a case-by-case basis.
  • Private sector data will need to be shared with public sector bodies and institutions in the EU based on exceptional needs, such as in public emergencies (e.g. floods, major cybersecurity incidents), when access to data is necessary to fulfil a specific task in the public interest as provided by law (e.g. official statistics) or when access to data is necessary for specific research purposes.
  • A number of new requirements placed on cloud providers will ensure that customers can switch between providers of cloud services and would not be 'locked in' with a provider, and will enable customers of cloud services to better negotiate their contracts.
  • The data act includes safeguards against unlawful international data transfers and measures to  promote the development of interoperability standards for data sharing and data processing, in line with the EU standardisation strategy.
  • The new rules will likely become enforceable around mid-2025, 20 months from the date of entry into force (instead of 12 months as initially proposed) to give industry more time to adjust.

Parliament formally endorsed the new legislation during its November 2023 Plenary. The text has been published in the Official Journal in December 2023. Following its entry into force, the Data Act will become applicable in 20 months, i.e. 12 September 2025.


Further reading:

Author: Tambiama Madiega, Members' Research Service,

As of 20/06/2024.