Dwinity Blog

The latest news & insights on Dwinity

  • May 7, 2024
Data Act Regulations

The Data Act Regulations: Overview and Impact

Since the introduction of the Data Act, which came into force on January 11, 2024, and will be applicable in September 2025, there have been several regulations governing data usage and sharing in the European Union. These regulations cover various aspects, from design requirements to protective measures against misuse. This article examines the key provisions of the Data Act and their implications on businesses and consumers.

Data Act Mandates: Ensuring Accessibility and Interoperability in Connected Products by 2027

A key element of the Data Act is the design requirements for connected products and the timing of their market entry. Article 3(1) and Article 4(1) stipulate that connected products and services must be designed in such a way that the relevant data, including necessary metadata, is easily, securely, and freely accessible by default. This access is facilitated by a comprehensively structured, commonly used, and machine-readable format. (CMS Law, 2024)

These requirements come into effect from the first quarter of 2027 and aim to improve the interoperability mentioned in Article 2 and reduce the lock-in effect that often binds consumers to certain products or services. Articles 22-32 and 33-36 contribute to a further reduction of the lock-in effect by regulating short notice periods, technical support services and the gradual abolition of switching fees (after a transitional period, their collection is no longer possible). (CMS-Law, 2024)

New design standards and key requirements for connected products after 2026

The clear design requirements for connected products apply to those brought onto the market after September 12, 2026. Affected products are all devices that collect data about their usage or environment and then communicate this data via an electronic communication service, a physical connection or access to the device. Particularly in the B2B or B2C sector. Products not affected are those that are primarily intended for displaying or playing content or for recording and transmitting content. (Dunn, Gibson, 2024)

Promoting access and fair compensation for Data Sharing

Another important domain of the Data Act concerns access to data and the sharing of it. According to Article 5 (1) and Article 8 (4), users can demand that their data be passed on directly and exclusively to third parties, so-called data recipients. This is often accompanied by a service in return. This is described in Article 9 (1) and states that the data controller may demand consideration with an appropriate margin from the data recipient. The provision on consideration in Article 8 (4) does not apply if the data recipient is a small/medium-sized company or a non-profit research organization. This promotes the development of follow-up and additional services such as insurance or external repair services. (Ackermann, Dr. Sonja & Schwarz, Dr. Tim Jonathan, 2024)

Art. 7 para. 7 and Art. 5 para. 10 regulate this right of data controllers to refuse or suspend the transfer of data if necessary measures are not taken and an agreement cannot be reached. However, this decision must be justified, communicated to the user or third party in writing without delay and forwarded to the competent authority, stating the specific facts of the case. According to Article 4 (13), the data controller itself may only use the non-personal data generated by the customer based on a contractual agreement, the data license agreement.

Article 3 (2) and (3) are part of the right of access and establish pre-contractual information obligations regarding data access and the use of non-personal data by the data owner. This makes it clear that the use of such data may only take place based on a contractual agreement. (O’Keeffe, Eoghan, 2023)

New contractual terms and transition periods under the Data Act

The Data Act also introduces new contractual terms and transition periods. Article 8(6) clarifies that the obligation to disclose data to third parties does not compel the data owner to disclose trade secrets. In addition, contractual terms for new contracts will automatically take effect from September 12, 2025, while for existing contracts before this date, regulations will come into force on September 12, 2027. (Dunn, Gibson, 2024)

Safeguarding privacy and access rights in the new digital era

A central aspect of the Data Act is data protection and the prevention of misuse. Article 15 regulates the right to data access for public entities, while Article 32 ensures protection against unlawful access and government transfer. Furthermore, to ensure the protection of data, data processing service providers must take appropriate technical, organizational and legal measures to prevent international transfers and access from third countries to non-personal data stored in the EU. (CMS Law, 2024)

The Data Act smart contract requirements

Article 36 sets out requirements for the use of smart contracts regarding their implementation of data transmission procedures. As a result, the Data Act expects a high degree of robustness and access control mechanisms from an application provider, which are security measures.

As a result, the Data Act not only distinguishes between digital contracts and smart contracts that use distributed ledger technology but may also have an impact on existing contracts on public blockchains. (CMS Law, 2024)

New regulations aim to rein in data power abuse

Finally, the Data Act contains special provisions for gatekeeper companies, i.e. companies that hold a dominant market position in a certain area. Although these companies are allowed to receive data, they are subject to restrictions on their use, particularly regarding central cloud services. This is intended to curb the abuse of data power by dominant companies. (Dunn, Gibson, 2024)

Emerging Challenges Posed by the Data Act

One of the biggest challenges is the implementation and administration of the law. System integration, resource scarcity and complex reporting requirements make the process cumbersome. Companies face the challenge of managing manual processes and finding temporary solutions, which increases the risk of errors. Additionally, the lack of data management structures exacerbates this problem. Data quality and reporting are other key concerns.

Internal centralized control weaknesses jeopardize data integrity, while inadequate guidance on data security could lead to incorrect conclusions by policymakers and the public. The lack of a clear legal basis for processing personal data can lead to conflicts and confusion over data protection and privacy, particularly considering the General Data Protection Regulation (GDPR). This is because public sector access to private data must be carefully balanced to protect the privacy of data subjects while still meeting the need for data for public purposes. The question of appropriate compensation for the provision of data also remains controversial.

On a business level, the Data Act requires significant adjustments to existing business models, which is a challenge for companies inside and outside the EU. This is because international relationships will be affected, so the impact and regulatory consistency are other issues that need to be addressed. This is because the law aims to reduce dependence on US companies, which could lead to tensions between the Americas and the European Union.

Ensuring fairness and competitiveness in the market, which is usually not given by gatekeeper companies, requires measures to promote interoperability and prevent unfair behavior. Hand in hand with this, the Data Act could affect competition in the market and inhibit innovation, especially if companies are reluctant to invest in new technologies and business models due to the new regulations. This often depends on the size and adaptability of the company, as smaller, less competitive companies lack the resources.

Storing data on centralized cloud services increases the risk of data breaches as sensitive data is stored in a central location. A data leak or security breach could have a serious impact on the privacy of those affected. Especially as companies are also heavily dependent on a single provider. After all, if there are outages or problems with the provider, this can lead to interruptions in business operations and jeopardize data integrity.

Dwinity’s Solutions to Challenges of the Data Act

A promising solution to many of these problems could lie in decentralized data storage. These are currently inaccessible to consumers and difficult for companies to integrate. However, there are innovative providers such as Dwinity that are developing mass-market solutions in this area.

Seamless integration into existing systems and processes

Dwinity offers seamless integration into existing systems and processes through node linking and SDKs. Dwinity solves the biggest problem, centrality, by storing data on a decentralized platform instead of centralized cloud platforms, where data is stored across a distributed network of nodes. The nodes reduce the risk of data leaks and privacy breaches because the data is not stored centrally in one place.

The decentralized nature gives users full control over their data and allows them to decide how and where it is stored. It is designed to minimize technical difficulties and alleviate resource constraints among participating organizations by providing a user-friendly infrastructure for data management. This is also reflected in the automation of Dwinity’s complex reporting requirements and enables efficient compliance. It also ensures a high level of data quality and reporting. This is ensured using intelligent data validation mechanisms and automated quality checks.

In addition, there are integrated tools for monitoring and optimizing data integrity to eliminate internal control weaknesses and improve the accuracy of reporting. The implementation of data protection regulations and privacy-by-design – i.e. data processing operations that best comply with data protection – go a long way to ensuring that the processing of personal data is in line with data protection regulations.

Encryption and access controls ensure GDPR compliance

As a result, encrypted data transmission and access controls are provided to minimize data protection conflicts and ensure compliance with the General Data Protection Regulation. To provide easy system integration, resulting in fair competitiveness, Dwinity supports companies in adapting their business models to the requirements of the Data Act by providing flexible “monetization models” (Data Control, Data Gold, Data Cash) and transparent compensation mechanisms. The platform enables companies and users to recognize the added value of their data and determine appropriate compensation for its use.

By ensuring that data owners are fairly and equitably compensated for the use of their data, Dwinity promotes a sustainable and trustworthy data economy. These compensation mechanisms also reduce the potential for disputes under the Data Act through smart contracts between different parties and promote a harmonious data ecosystem. The platform provides a secure and efficient solution for resolving disputes and supports regulatory compliance through automated compliance checks and audits. Another solution lies in supporting regulatory compliance through robust compliance tools and integrated reporting capabilities.

Cross-border data management and transfer in accordance with local data protection laws

Dwinity enables cross-border data management and transfer in accordance with the respective data protection laws and promotes international cooperation in the regulation of data flows. With the help of decentralization, robust access controls and emergency protocols (decentralization à redundant storage, “data replication”) have been implemented to regulate public sector access to private data and protect the privacy of data subjects.

The platform provides secure data sharing mechanisms for public purposes while ensuring compliance with legal regulations and ethical standards. Dwinity solves the aforementioned problem of freedom of competition and innovation by creating a fair and open data market that facilitates the participation of different entities and supports the development of new technologies and business models. At the same time, it provides a dynamic and scalable data management infrastructure that helps companies to develop innovative solutions and strengthen their competitive advantage.

Dwinity is a pioneer in the field of data governance

In summary, Dwinity is a pioneer in the field of data governance and offers innovative solutions to the many challenges of data regulation. By championing the principles of decentralization, security, transparency, fairness and compliance, Dwinity is paving the way for a more ethical, inclusive and sustainable data ecosystem. With its comprehensive suite of tools and technologies, such as Data Control, Data Gold and Data Cash, Dwinity empowers individuals and organizations to unlock the full potential of their data while ensuring privacy, security and regulatory compliance.


CMS Law-Now. 2024. „An overview of the Dat Act.” Cms-LawNow. Accessed April 17, 2024. https://cms-lawnow.com/en/ealerts/2024/01/an-overview-of-the-data-act

Dr. Sonja Ackermann, M. Jur. & Dr. Tim Jonathan Schwarz. 2024. “The Data Act is coming and contains extensive regulations on the use of data for connected products and services”. Taylor Wessing. Accessed April 17, 2024. https://www.taylorwessing.com/en/insights-and-events/insights/2023/12/newsflash-commercial

Eoghan O’Keeffe. 2023. “Final text of the EU’s Data Act approved. Lexology. Accessed April 17, 2024. https://www.lexology.com/library/detail.aspx?g=1deb9bb4-9820-4dc3-94e6-93f8c62ca414

Gibson Dunn. 2024. “The EU Data Act, an IoT and Cloud Sector Paradigm Shift, Becomes Reality”. Gibson Dunn. Accessed April 17, 2024. https://www.gibsondunn.com/wp-content/uploads/2024/01/eu-data-act-an-iot-and-cloud-sector-paradigm-shift-becomes-reality.pdf

Foto: © Dragon Claws – stock.adobe.com

Dwinity Logo
Dwinity Logo