The EU Data Act became law on 11 January, and will apply throughout the EU from 12 September 2025, 20 months after its publication in the EU Official Journal. Manufacturers of connected devices will be required to comply with the EU Data Act, which obliges them to share data with users and third parties who request it. During public emergencies, firms must also provide unrestricted access to data.
Connected devices, such as blood glucose monitors, collect data on their environment. Data-sharing requirements will create challenges for manufacturers and companies will need to devise sound strategies for secure and defined data transfer. Legislative interplay is exacerbating these operational complications, as the EU Data Act covers all data—personal and non-personal—while the General Data Protection Regulation (GDPR) regulates personal data. The lack of concrete definitions for personal and non-personal data makes it hard to apply the legislation correctly. Also, sharing data could compromise intellectual property and trade secrets, which has raised concerns.
The EU Data Act permits access to be restricted under certain circumstances, such as to safeguard intellectual property and trade secrets. But to authorise this clause, a data holder must establish that it is highly likely to suffer serious damage. This evidence cannot be a general disclaimer and manufacturers have to make a policy on what, and why, the data cannot be shared.
Source: Medtech Insight (an Informa product)