This summer, the EU has taken several decisions that have implications for companies whose products or services generate data and/or process personal data, briefly described below. Feel free to contact us if you have questions or would like advice on related matters.
During the Swedish Presidency, on 27 June 2023, it was announced that the Council of the European Union (the Council) and the European Parliament (the Parliament) reached a provisional agreement on the final text of a regulation on rules for access to and use of data, the so-called Data Act. The final version, result of the provisional agreement, is now subject to linguistic scrutiny and must then be adopted by the Council and the Parliament separately. The Council has announced its intention to adopt the act as soon as possible. Once adopted and published in the EU’s Official Journal, the regulation will enter into force and become applicable as of the date specified in the legal text (normally 12-24 months after entry into force).
The Data Act applies to data generated by connected devices, e.g. smart household appliances and smart industrial machinery, and regulates the access to and use of generated data, which today normally belong to the manufacturers of connected products. The regulation aims to ensure the users of a connected product or service to access the data generated by them.
The Data Act is part of the EU's strategy to become a leader in the data-driven society and to create a single market for data and is the second legislative initiative resulting from the strategy. The first initiative resulted in the Data Governance Act, applicable as of September 2023. While the Data Governance Act creates structures and processes to facilitate data sharing between businesses, individuals and the public sector, the Data Act provides a framework for accessing and using data generated by the use of products and services, in all economic sectors. The interaction between the Data Act, the Data Governance Act and the GDPR is addressed in the regulation.
Vinge is monitoring the continued legislative process.
Link to the Council’s press release.
On 10 July 2023, the Commission adopted its adequacy decision for transfers of personal data to the US. An adequacy decision concerns transfers of personal data to countries outside the EU and means the level of protection of personal data in the concerned country, is considered to be essentially equivalent to the level of protection under the GDPR within the EU/EEA.
In 2020, the Court of Justice of the EU invalidated the previous decision on adequacy of protection under the EU-US Privacy Shield. The ruling led to discussions between the Commission and US authorities on a new data protection framework. The result of the negotiations, the EU-US Data Privacy Framework, provides new binding data protection measures for companies that participate and addresses the data protection issues identified by the Court of Justice of the EU. The new framework includes limited access to personal data by US intelligence agencies and establishes a specialised Data Protection Review Court available to EU citizens.
According to the Commission's decision, an adequate level of protection is assumed for transfers to the US on the condition that the data importer participates in the EU-US Data Privacy Framework, i.e. the data importer has certified its participation in the framework and committed to comply with the binding safeguards. This means that the Commission considers transfers of personal data to American companies covered by the EU-US Data Privacy Framework can take place without any additional security measures. Whether the Court of Justice of the EU agrees with the Commission on the enhanced level of protection, we will only find out if and when the new data protection framework is subject to a case before the Court.
The US authorities responsible for certification and compliance are the US Department of Commerce and the US Federal Trade Commission. The Commission and US authorities will regularly evaluate the EU-US Data Privacy Framework and the first review will take place before the end of July next year.
Link to the Commission’s press release.
