On 12 September, the European Commission’s EU Data Act became applicable forcing many businesses operating within the continent to reconsider their approach to data management.

The legislation, which took effect on 11 January 2024, before becoming applicable on 12 September, is part of an overarching European Commission data strategy, and complements the Data Governance Regulation of November 2020.

According to the Commission, the Act establishes rules clarifying who can create value from data, and under which conditions, as well as rules concerning the use of data generated by devices connected to the Internet of Things.

Laura Petrone, GlobalData principal analyst specialising in technology regulation, believes the scope of the act is quite ambitious. “It aims to ensure a fairer allocation of data among the different players in the EU digital economic space and greater availability of data to reuse in the EU market. To achieve that, it wants to shift data control away from manufacturers and large cloud providers to users of connected products and services and smaller EU companies.

“For example, cloud providers must enable efficient switching between platforms and support interoperability through open standards. Technology companies must also be prepared to hand data to public sector bodies in cases of exceptional need, like public emergencies,” says Petrone.

The Data Act forms part of a continuing effort by European regulators against, what they consider, Big Tech overreach. Though aimed squarely at US tech companies, the new legislation adds yet a further layer of regulatory complexity for foreign multinationals operating in Europe already dealing with obligations under the GDPR, NIS2 Directive on Cybersecurity, the Digital Services Act and the Digital Markets Act.

Petrone advises businesses to implement a review of their data processing services to determine the extent to which the new regulation applies and prepare to be compliant, for example, by updating their contractual terms to meet the requirements. But it’s not all bad news for large corporates. “They must also be ready to seize opportunities in these changes, such as attracting new customers who can transition from the strongest players,” she adds.

Shaun Hurst, principal regulatory advisor for regulatory compliance platform Smarsh, agrees that the Act may present opportunities for businesses to access valuable data and develop innovative services, as well as necessitate urgent actions to protect trade secrets and update contractual arrangements.

“For certain Internet-of-Things devices and services, “access by design” must be integrated, ensuring data is readily and securely accessible to users. Although there are longer transition periods for these requirements, it’s essential businesses start the process now,” says Hurst.

Hurst advises businesses providing connected devices and services to update contracts and transparency measures to define data access rights accurately. He says contracts should clearly communicate the type of data generated, how it’s stored and how users can access it.

Businesses will need to establish compliance processes to handle data requests from users, third parties or government bodies efficiently—and will face the prospect of compensation requests in the case of any breaches.

Anita Hodea, associate at law firm Katten Muchin Rosenman UK LLP explains the breadth of the Act encompasses all data processing activities, covering both personal and non-personal data. Where personal data is involved, the GDPR takes precedence, ensuring privacy and protection remain intact.

“The introduction of new terms, such as “data holder”, and limited guidance on their application mean organisations must carefully define roles, governance and responsibilities to comply with both frameworks, warns Hodea.

“For companies, the Act requires designing products for accessible and secure data, enabling fair third-party sharing and improving transparency,” she says.

In a blog post about the new Act, Chris Gow, Senior Director, EU Public Policy Government Affairs at Cisco highlights how the Act introduces overlapping and complex requirements for transferring non-personal data, especially for companies handling mixed data sets.

“Data privacy and security must always come first, but rules for transferring data across borders should be balanced and based on actual risks. When companies work with datasets that include different types of data, following GDPR rules on cross-border data transfers should be enough, without needing to meet requirements from the Data Act on top. These added layers of regulation impose significant administrative burdens without a corresponding increase in security or risk management,” he writes.

While the Act aims to level the playing field for European companies, many believe the added complexities of such regulation may have a counter effect. Indeed, Gow urges the European Commission to instead focus on regulatory simplification and targeted reform, which would strengthen Europe’s position in AI and digital innovation.

In his blog, Gow sums up the need to roll back regulatory complexity: “Simplified data rules, better protection for trade secrets, and a balanced approach to international data flows will help European companies compete globally, boost innovation, and ensure that the benefits of the digital economy are shared by all.”