The EU is embarking on another regulation, of which a brief summary is provided here.
This act is called “The Data Act on harmonized rules on fair access to and use of data”. It should be implemented from 12th September 2025.
This act has also been adopted in the UK as the “Data (Use and Access) Act 2025”, which received royal assent on June 19, 2025.
This law builds upon existing data protection laws but focuses on enabling responsible data sharing, promoting innovation, and enhancing public services.
The objective of the regulation is to ensure that users of a connected product or related service can access, in a timely manner, the data generated by the use of that connected product or related service and that those users can use the data, including by sharing them with third parties of their choice.
It imposes the obligation on data holders to make data available to users and third parties of the user’s choice in certain circumstances.
It also ensures that data holders make data available to data recipients under fair, reasonable and non-discriminatory terms and conditions and in a transparent manner.
This Regulation adapts rules of contract law and prevents the exploitation of contractual imbalances that hinder fair access to and use of data.
This Regulation also ensures that data holders make available to public sector bodies, where there is an exceptional need, the data that are necessary for the performance of a specific task carried out in the public interest.
In addition, this Regulation seeks to facilitate switching between data processing services and to enhance the interoperability of data and of data sharing mechanisms and services.
This Regulation should not be interpreted as recognising or conferring any new right on data holders to use data generated by the use of a connected product or related service.
Currently, GDPR-like laws recognize “Personal Data” and impose restrictions on its sharing by consent, legitimate interest, etc. The “Data covered under this regulation” is what we have been recognizing as “Transactional Data”, which belongs “Jointly” to the individual (User) and the organization (Data Fiduciary). Naavi has been insisting that such personal data does not exclusively belong to the data principal (data subject) and its disposal can be governed as a joint contract.
It appears that this new regulation may shed a little more light on this concept and validate what we have adopted as “Jurisprudence”.
We can perhaps view this legislation as an extended rule on “Personal Data Disclosure”.
But as is customary, the EU/UK have made it an elaborate law by itself, with 49 articles in the EU version and 200 provisions in the UK version, and it will be analysed ad nauseam in the days to come.
Penalties under the EU version can reach up to €20 million (£17.5 million for UK law) or 4% of a company’s total annual worldwide turnover, whichever is higher.
Besides financial penalties, the Data Act also allows for non-monetary measures such as warnings, reprimands, temporary or permanent bans on data processing, and orders to rectify, restrict, or erase data. Enforcement is primarily at the national level within each EU member state, though data protection authorities (ICO for UK) retain jurisdiction for violations involving personal data.
If an organization outside the EU/UK provides goods or services to individuals within the EU/UK, they may need to comply with the EU Data Act. If deemed applicable, organizations should implement necessary measures to comply with the Act’s requirements, such as establishing procedures for data access requests, data portability, and data sharing.
The EU/UK Data Act may also have implications for international data transfers, requiring organizations to ensure compliance with the Act’s provisions when transferring data outside the EU.
Watch out for more discussions on this.
Naavi