5 minute read 8 Sep 2022

The Data Act - the next step in the implementation of the European data strategy.

Olga Rentflejsz

EY Poland, EY Law, Senior Associate, Manager, Attorney at law

Olga is an attorney at law specializing in privacy.

Alicja Guzy

EY Poland, EY Law, Associate

Alicja specializes in personal data protection and intellectual property law.

5 minute read 8 Sep 2022
The Data Act regulates issues related to access to data and the possibility of their transfer in a relationship between entrepreneurs, as well as issues related to the facilitation of access to data by public sector bodies in order to solve important social and political problems.

For the coming years, the European Union has planned a series of measures aimed at ensuring that the economy's development potential can be fully realized using data and making the EU a leader in the data-driven society. The Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act; hereinafter "DA")[1] is another of the acts being adopted as part of the European Data Strategy, presented by the European Commission (hereinafter "EC") in February 2020. 

The Data Act provides new rights and obligations for a wide range of actors, including individuals, businesses and the public sector. The EC recognized the problem concerning micro, small and medium-sized enterprises, who often find it difficult to access data vital for development. As a result, the DA addressed issues related to access to data and the possibility of data transfer between entrepreneurs (particularly with regard to data generated by products connected to the so-called IOT[2]), as well as issues related to gaining access to data by public sector bodies in order to solve important social and political problems. 

The draft DA was published on 23 February 2022 and is currently awaiting further steps in the legislative process. According to the draft, the DA is expected to be applied twelve months after its entry into force.

We want to unleash the huge benefits that the responsible use of data and digital technologies can bring to every one of us. At the same time, we want safe use of data and technologies. A use that works for people and respects our fundamental rights.
Margrethe Vestager
Executive Vice-President of European Commission Brussels, 23 February 2022

New obligations for entrepreneurs

The addressees of the new obligations will primarily be manufacturers of products and providers of related services (i.e. digital services, including software, that are included in or interconnected with a product in such a way that their absence would prevent the product from performing its functions) marketed in the EU (hereinafter "IOT manufacturers"). Specific issues that IOT manufacturers will have to take into account are:

  • ensuring the default ease and security of user access to the data generated by the product;
  • ensuring that the user has direct access to the data generated as a result of the user's use of the product or related service, or, if this is not possible, providing the user with the data free of charge upon request;
  • providing the user with information in a clear and comprehensible format covering at least the information specified in the DA;
  • limit the ability to store user access information beyond that necessary for the proper execution of the request and for the security and maintenance of the data infrastructure.

The entity receiving the data will be required to process it only for the purposes and under the conditions agreed with the user, and to delete it when it is no longer necessary for the agreed purpose. The DA regulations provide special rules for the disclosure of information that is a trade secret, indicating that such disclosure shall be made only on condition that all special measures necessary to keep it confidential are taken. 

Product – a tangible, movable item, including where incorporated in an immovable item, that obtains, generates or collects, data concerning its use or environment, and that is able to communicate data via a publicly available electronic communications service and whose primary function is not the storing and processing of data.

Related service – a digital service, including software, which is incorporated in or inter-connected with a product in such a way that its absence would prevent the product from performing one of its functions.

Unfair terms in business-to-business contracts

Implementing the EC's demands for transparency and fairness, the DA will introduce detailed solutions governing data access and use, liability and data protection measures, as well as termination of data obligations. Micro, small or medium-sized enterprises who are parties to data contracts will gain protection when provisions are imposed on them unilaterally and are unfair in nature. In a situation where such an enterprise is a party to the contract, the unfair provision will not be binding on it (a construction similar to the regulation of abusive clauses, which do not apply to consumers). The burden of proof of the one-sidedness of the imposition of the provisions will be on the party that supplied a contractual term - it should be expected that, for the most part, this will be the manufacturer of the IOT, which proposes the contract based on its own template (similar to entrepreneurs on the Internet who face abusiveness charges). The DA will include a catalog of provisions that are considered unfair, taking into account their purpose or effect. 

The data indicate that


of entrepreneurs in the EU used cloud services in 2021.

Making data available based on exceptional need

The DA will regulate the possibility for public sector bodies and Union institutions, agencies or bodies to use the data in an exceptional need, which the DA understands will occur in the following circumstances:

  • when the requested data is necessary to respond to a public emergency;
  • when the request for data is limited in time and scope and necessary to prevent a public danger or to help restore the baseline after such danger has occurred;
  • when the lack of available data prevents the entity from performing a specific task in the public interest and expressly indicated in the law, but only in situations where the entity has been unable to obtain such data by alternative means or where obtaining the data in accordance with the procedure provided for in the DA would significantly reduce the administrative burden on data holders or other companies.

The data holder will be obliged to make the data available to the requesting authority without undue delay. In cases of exceptional need, as a rule, data will be made available free of charge. The DA will also introduce restrictions on the use by public sector bodies of data obtained in this way, indicating that the data can be used only in accordance with the purpose indicated in the request for data, and that it must be destroyed immediately after the purpose for which it was obtained has ceased.

Change of processing service provider

Aiming to enable customers to make a smooth transition between services of the same type, processing service providers (i.e. cloud service providers) will be required to remove commercial, technical, contractual and organizational obstacles that make it particularly difficult for customers to switch providers. Consequently, the DA will require that the customer's rights and the provider's obligations with regard to switching be clearly defined in a written contract, with the inclusion in such a contract of at least:

  • clauses allowing the customer to switch to a data processing service offered by another provider or to transfer all data directly or indirectly to a local system (in particular, clauses allowing the establishment of a mandatory maximum transition period of 30 calendar days, during which the data processing provider assists in the switching process and ensures full continuity of service provision);
  • a detailed specification of all categories of data and applications that can be exported during the switching process;
  • a minimum period during which data can be recovered (at least 30 calendar days, beginning after the end of the transition period).

The DA will also introduce a process for phasing out switching fees. Ultimately, customers should not incur any fees in such a process.

Data interoperability

The DA aims to ensure interoperability, that is, the ability of two or more data spaces, communication networks, systems, products, applications or components to exchange and use data to perform their functions. To do so, data space operators will be required to meet the act's requirements, which include sufficiently describing the content of the data set or technical means of accessing the data (such as application programming interfaces), as well as the obligation to ensure the interoperability of smart contracts in the services and activities they perform. The DA elaborates much more about smart contracts, pointing out the essential requirements for such contracts in terms of data sharing. The provider of an application using smart contracts (or, in its absence, the entity running the activity that provides smart contract implementation services in the context of a data contract) will have to meet requirements for resilience, secure termination and interruption, data archiving and continuity, and access control.

Smart contracts -  are computer programs on electronic ledgers that execute and settle transactions based on pre-determined conditions. They have the potential to provide data holders and data recipients with guarantees that conditions for sharing data are respected.

Implementation and enforcement of the data act

Each member state will be responsible for selecting or establishing a competent authority responsible for the implementation and application of the DA. Among the authority's tasks, there will be duties to promote awareness of the rights and obligations under the DA, but also to conduct investigations with regard to the application of the DA and to impose fines when violations are found. Individuals and legal entities will gain the right to file a complaint with the relevant competent authority in a member state if they find that their rights under the DA have been violated.

Direct at your mail

Subscribe EY newsletters



While the legislative process for the Data Act is still underway, there is already a fair amount of criticism from both business and the public sector. In May 2022, the EDPB[1] and the EDPS[2] issued a joint opinion on the published draft, in which they expressed their concerns about the insufficient clarification of the relationship between the DA and the GDPR[3], paying particular attention to the references in the DA to both non-personal data and personal data. The creators of the act are still to face many challenges, not only in the area of privacy, so it is still uncertain when the DA will be adopted. The Data Act is intended to be a sector-neutral act, so its provisions will affect a wide range of entities - it is worth following its developments in order to prepare the business for the new rules in due time.


  • Article references

    [1] Proposal for a Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act), COM/2022/68 final.

    [2] IOT / Internet of Things (in English: Internet of Things) - a term by which is meant a group of devices connected to a network (e.g., the Internet), communicating with each other, collecting and sharing data with each other.

    [3] European Data Protection Board (EDPB).

    [4] European Data Protection Supervisor (EDPS).

    [5] Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27th 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.


About this article

Olga Rentflejsz

EY Poland, EY Law, Senior Associate, Manager, Attorney at law

Olga is an attorney at law specializing in privacy.

Alicja Guzy

EY Poland, EY Law, Associate

Alicja specializes in personal data protection and intellectual property law.