As the EU Moves to Cut Red Tape, Data Act Compliance Date Looms

The EC launched its AI continent action plan April 9. Among other things, the plan states that the EC will hold a consultation to "inform the preparations of our broader evaluation on the need to simplify digital legislation."

Asked whether that evaluation could have implications for the Data Act, AI Act and GDPR, an EC spokesperson said in an April 10 email that the organization is "looking at all our rules to see how we can simplify processes and make Europe easier and faster from the business perspective."

The EC is combing through legislation to see how it can reduce bureaucracy for small, mid-sized enterprises (SMEs) and large firms, as well as easing, for example, reporting requirements, said the spokesperson. It's also considering whether laws overlap.

The EC is "very committed to the principles of the AI Act," said the spokesperson. It favors the EU's risk-based approach but is also "looking at whether there is extra administrative burden or some reporting obligations that we could cut to make it easier for businesses." As part of that exercise, the spokesperson said, there could be potential adjustments to the GDPR, but it's too early to say what they would be.

An EC communication on simplifying regulation and quickening its pace includes a digital package where the EC will assess whether its digital laws adequately reflect the needs and constraints of SMEs. The EU's data union strategy "will address existing data rules to ensure a simplified, clear and coherent framework for businesses and administrations to share data seamlessly and at scale, while respecting high privacy and security standards."

Meanwhile, organizations must start preparing for the Data Act, Hogan Lovells attorneys said in one of a series of podcasts and video sessions. Among other things, the law will change the way companies do business concerning connected devices, they noted. Nearly every company that produces products that connect to the internet, such as smartwatches and medical devices, will be covered, data protection attorney Christian Tinnefeld said.

The point of the legislation is to change the imbalance between entities that hold data and users who create it, Tinnefeld said in the video: It will give users, rather than device makers, more control over how data is used. The EU is seeking a new data economy across its territory by destroying data silos and allowing a free flow of information, he added.

Entities that must comply include digital device makers, software creators, companies leasing those products, users (individuals and commercial), B2B customers, contractors who run a manufacturer's application, Tinnefeld said.

Depending on where an organization sits in a product ecosystem, it must have a clear idea of what data it collects, how and where it's being used and where the data is going, Tinnefeld said. He recommended that companies first identify the digital products and services that fall under the Data Act, and then carry out data mapping exercises akin to those they do for the GDPR. This is a "real project," not a "lawyer's exercise," he said.

What if the Data Act is amended before its compliance date?

"Companies will need to adapt again to this changing environment," emailed Tanguy Van Overstraeten, a Linklaters data protection attorney. The changes should ultimately benefit companies if they result in simplification, he said. Businesses that acted promptly to compete "may feel frustrated, however, as their competitors will gain additional time to make adjustments."

In addition, it's possible that the Data Act's effective data of Sept. 12 would simply be postponed to allow companies more preparation time, "but this seems difficult to implement without such a short period of time," said Van Overstraeten. The Data Act necessitates preparatory actions, including creating processes, drafting contract documents and implementing technical data transfer solutions, he said. "Many companies might not be ready on time."