On 11 January 2024, the new Data Act officially entered into force, starting a 20-month transition window. This means companies have until September 2025 to comply.
We have published an overview to address what you need to know about the Data Act, how it may affect you and next steps.
For those who prefer a shorter digest, here are the key takeaways:
- Name: Regulation on harmonised rules on fair access to and use of data ("Data Act")
- What does it do: The Data Act aims to set out a framework for sharing of data, ease the switching between providers of data processing services, introduce safeguards against unlawful data transfer and provide for the development of interoperability standards for data to be reused between sectors.
- It applies to datasets – with or without personal data. In case of conflict, GDPR prevails.
- The Data Act applies to:
  - Manufacturers of connected products (e.g. smart devices such as medical devices and wearables etc) who offer their products to the EU market and providers of related services.
  - Users (natural or legal persons) in the EU of connected products or related services.
  - Public sector bodies, who may request access in exceptional circumstances.
  - Providers of data processing services to customers in the EU (e.g. cloud service providers).
  - Participants in data spaces and vendors of applications or professionals using smart contracts.
- As a Regulation, the Data Act will apply automatically across EU member states. However, there will be local law variations, including in relation to enforcement.
- The Data Act has extra-territorial effect (similar to the GDPR).
And finally, a special flag to our medical device clients:
- The legislation itself explicitly refers to "medical and health devices" as possibly being connected products that would be caught (Recital 14). They will be so if they "obtain, generate or collect … data concerning their performance, use or environment" and communicate that data (the connection element).
Examples of medical devices that generate health data that will be within the scope of the Data Act:
- health and lifestyle apps (including those that are connected to wearable devices) tracking activities related to the user's exercise, diet, health condition, etc;
- devices and appliances that facilitate health monitoring, or intervene in and treat illnesses (e.g. insulin pumps, glucose monitors, ECG monitors or blood pressure monitors, biosensors, etc); and
- medical devices used for diagnostic purposes (e.g. for the analysis of blood samples) or for medical care (e.g. in-ward heart monitors, connected MRI or ultrasound scanners etc).
The clock is now ticking and the Data Act will become applicable in September 2025. Organisations operating in the medical device space will have to check to what extent they are covered by the Data Act and, if they are, budget for and start to work on the implementation of the relevant changes.
Organisations operating in the medical device space should consider any interaction between the Data Act and the existing legislation they are subject to (including the GDPR and other medical regulations imposing rules and restrictions on the management of health records and patient access to information).
If you have any questions or would like our assistance in considering the scope of the Data Act to your organisation, please get in contact.