Breaking Down The EU Data Act
A teardown of the risks and impacts of this new regulation.
The General Data Protection Regulation (GDPR), enacted in 2018, was the world’s first overarching data privacy law. It established a precedent of due care for the collection, handling, processing, and storage of European Union (EU) citizens’ personal data. The law necessitated major changes for any company doing business with EU citizens and set the foundation for the data privacy and protection laws that followed.
In 2022, the European Commission proposed new legislation that would give EU citizens even greater control over their personal data. It was called the Data Act, and it became law on January 11, 2024.
In this article, we’ll break down the Data Act and consider its impacts on the cyber attack surface.
Back in 2018, companies worldwide were in a frenzy to comply with the EU’s General Data Protection Regulation (GDPR). The new law drastically changed data handling practices for any organization processing personal data of individuals residing in the EU. Companies spent months and millions of dollars updating processes and tools that would help them meet and maintain compliance. But the GDPR was only the first stepping stone in what’s to become a long line of data-focused laws meant to strengthen data protection and privacy rights for individuals.
Countless additional laws and frameworks have followed the passing of the GDPR, notably, in the EU, the European Data Governance Act (signed into law on June 23, 2022) and Europe’s Digital Decade initiative, which helps EU Member States adopt leading practices for safe and responsible digital transformation. The newest regulation, the Data Act, was formally adopted by the Council of the European Union and endorsed by the European Parliament in late 2023, passed into law in January 2024, and will be enforceable in mid-2025.
According to the European Commission’s press release, “The new rules define the rights to access and use data generated in the EU across all economic sectors and will make it easier to share data, in particular industrial data.
The Data Act will ensure fairness in the digital environment by clarifying who can create value from data and under which conditions. It will also stimulate a competitive and innovative data market by unlocking industrial data and by providing legal clarity as regards the use of data.”
What is the EU Data Act?
In clear terms, what is the EU Data Act, and what does it mean? Practically speaking, the Data Act creates rules that enable consumers and businesses to access, use, and share personal data generated during the use of connected products, mainly Internet of Things (IoT) devices. It requires manufacturers of connected devices to design their products so that the data is straightforward to access upon request by the data owner or holder, and by any business or service to which the data owner/holder has granted permission.
The Data Act also applies to suppliers of related services (e.g., the software used in the connected device), data holders and providers (e.g., the businesses that store/process data on behalf of the manufacturer), and public sector entities (when there is an “exceptional need”).
Rights for Data Owners
In short (and first and foremost), the Data Act gives data rights back to data owners.
Let’s say you are an EU citizen with a connected toothbrush. In theory, this toothbrush has been spitting out (pun intended) some data about the state of your oral health. You, as a consumer, have access to some of this processed data (Yippee! You brushed for two minutes, two times per day, for eight days straight!). But getting access to the metadata is much more challenging (until the Data Act becomes law).
So what, you may ask? At present, the toothbrush manufacturer is collecting (and likely sharing or selling, albeit — hopefully — anonymized or pseudonymized) data about your brushing habits and using the data to create new revenue streams. They’re harvesting your habits.
However, it might benefit your dentist to see this metadata and use it to help you prevent or manage oral problems. At present, it would be hard for you — the toothbrush owner and user — to get all data related to your use of the connected toothbrush. And if you do manage to get it, it might be in an unusable format. Furthermore, the manufacturer might not even be able to generate a comprehensive report, given that the data could be scattered across various components of the system.
But with the enforcement of the Data Act, connected toothbrushes will have to be designed in such a way that the data owner can request access to all their data and/or transfer it securely to their dentist. Importantly, the law also states that the data must be provided free of charge and in a ubiquitously machine-readable format.
Imagine the same scenario in regard to car maintenance and repairs; access to diagnostic data could be very useful to a third-party mechanic of your choice. The new laws make it easier for you and your repair person to get your hands on all that data.
The Data Act gives users (data owners) additional rights, as well. The regulation specifies that users will have greater control over how manufacturers can leverage data generated by their operation of a connected device. For example, users should be able to prevent or limit the inclusion of their data in marketing campaigns, the manufacturer’s revenue-generating activities, and how/where the data is processed. The act also requires manufacturers to comply with all user data access requests as well as transfer requests to third parties.
The same standards apply to businesses when the business is generating data on behalf of another business. For example, in the case of cloud providers, cloud processing services, and other data processing/data handling services, providers must now support data interoperability when or if the user — in this scenario, a business “user” — chooses a new provider.
Greater market opportunity
In addition to data access and data sharing obligations, the Data Act prohibits unfair contract terms that prevent anyone but connected device manufacturers (and other data generators) and their data service providers from benefiting from the data.
Going back to our car example, under the Data Act, car makers must release the data generated through the operation of the car to the owner and/or a third-party repair facility if requested to do so; they can no longer force EU owners/operators of these cars to use only manufacturer-managed repair facilities and/or manufacturer-built components.
Further, one of the stated intents of the Data Act is to spark greater innovation. With broader access to connected device data, entrepreneurs can create new aftermarket products and services. The press release about the regulation states that the Data Act “makes a significant contribution” to “advancing digital transformation” and ensuring fair market pricing as well as more effective business decisions and planning that result from data access.
No hindrance to normal operations
A main stipulation of the Data Act concerns product design; manufacturers must now build their connected products and services in such a way that data access is guaranteed. However, manufacturers are prohibited from designing the product/service so that data access interferes with the normal and intended operation of the device. In other words, a manufacturer cannot build a product that effectively stops working once its data is accessed.
While it is not specifically spelled out in this legislation, there is sure to be some follow-on addendum that prevents manufacturers from adding insecure backdoors to products in the name of data access, thereby creating easier attack paths. At least, let’s hope there is. While the law, in part, makes a case for a stronger economy, it first and foremost claims to focus on protecting personal data, even widening the definition of “personal data” beyond what is defined in the GDPR.
Attack surface considerations
It’s no secret that connected devices and the data they generate have increased the cyber attack surface. Data is a valuable commodity, and both legitimate businesses and attackers relish the overabundance of data made available as a result of our digital economy. So while the Data Act is an effort to give some control back to data owners, it also potentially opens more doors to misuse and abuse. Manufacturers/providers must be cognizant of product design changes that facilitate unauthorized data access. Data owners must take responsibility for any data they request; if a manufacturer/provider securely transfers data to an owner who then stores or uses it insecurely, the data is at risk of theft, tampering, and more. If the requestor is a business rather than a consumer, insecure storage or use of this data could result in a major data breach.
Businesses are, as a result of many prior laws and regulations (including the GDPR), better acquainted with data protection and privacy protocols. However, they still need to improve their data protection game — too much data is lost to weak protections already.
But for consumers, generally speaking, the average citizen has neither the desire nor the expertise to safeguard what will likely be highly coveted by cyber criminals. While the idea of returning data rights to data owners is a positive step, let’s hope that some enterprising individuals have ideas on how to enter the consumer data privacy and protection market in a way we haven’t seen before. Individuals — consumers — will need help when presented with the responsibility for hardened data access controls.