HighlightsPrivacy espresso seriesResourcesJuly 20, 2023Complying with the Data Act: differences and similarities with the GDPR

In this privacyespresso episode, the fourth of our series on the EU data regulatory framework, we discuss with the PrivacyRules expert for Germany, Volker Wodianka, about the Data Act, focusing on its scope and requirements.

First of all, Volker stress that the Data Act is a Regulation, so it will enter into force as it is at the EU level exactly as it happened with the GDPR. The aim of this new framework is to harmonize how to use non-personal data and to make them available to individuals at the EU level.

To make a more stringent parallel with the GDPR, also here the market principle needs to be respected, so anyone addressing the EU market will have to comply with it. Additionally, it is very interesting to read the differences between personal and non-personal data provided by the GDPR considering this new Regulation. In any case, it is worth mentioning that only midsized to big companies are involved (minimum of 250 employees).

Focusing on the key requirements of the Data Act, Volker warns that, in principle, the idea is ensuring access rights also here. So, the scope is to deliver data in terms of interoperability, so companies’ efforts should aspire at making it technically possible.

Additionally, the Data Act contains a duty to inform on how data will be used that recalls the GDPR’s requirements. Similarly, companies will also have to implement data protection measures to transfer data. This last requirement cannot be compared to the EU data protection clauses, but still, technical and organizational measures are a requirement.

Another key part regards the surveillance authorities’ access capabilities. Of course, this power is common in many countries and, as the GDPR, the Data Act tries to limit such intrusion. However, even this regulation authorizes surveillance access under special circumstances, such as in case of an emergency and/or for the public interest. The issue here is that such cases are too broadly defined, and it is easy to receive different interpretations from country to country. Of course, there might be overlaps with the GDPR in the way in which authorities are allowed to access data, but this should be kept separate.

To conclude, Volker also underlines that the Data Act’s fines can be pretty heavy, so it is relevant to inform the stakeholders as soon as possible about its requirements. A good approach may be the one of expanding GDPR measures to non-personal wherever this regulation has similar requirements. Similarly, with regard to the right to be informed, companies shall make sure to use proper features to fulfil the requirement. In general, there are many requirements of this Regulation that are already placed by the GDPR so with a little extension or revision of the already done work companies may easily find themselves compliant with this new law.