New laws on data

The EU Data Act and the EU Artificial Intelligence Act are both extraterritorial in scope, potentially affecting many businesses even when they do not have a physical presence in the EU.

• The Data Act applies to non-EU entities that handle data related to individuals, businesses or products within the EU.
• The EU AI Act applies to the non-EU providers and deployers of AI systems whose outputs will be used in the EU. It also covers any non-EU providers or distributors of AI who make AI systems or models available in the EU.

The EU Data Act

The Data Act, which applies to the sharing of both personal and non-personal data, aims to promote the development of data-driven economies and societies to encourage competition and innovation, while safeguarding the rights and interests of data users. This will primarily impact the manufacturers of connected products sold on the EU market.

Some key provisions of the Data Act

• Rules for data access and sharing between businesses (B2B) and between businesses and consumers (B2C). These relate mainly to non-personal data from connected products – i.e. products that can collect, generate or transmit data – and related services.
• A service switching regime enabling customers to move quickly and easily from one provider of data processing services to another.
• Fairness obligations for data-sharing contracts between data holders and data recipients. The act bans unfair contractual terms concerning data access and use.
• Interoperability requirements to ensure that data can flow seamlessly between sectors, EU member states and the providers of data processing services.

The Data Act includes provisions for fines and penalties for non-compliance, which will be set by individual member states. Fines could be substantial and in some countries may be in line with GDPR fines (up to 4% of annual turnover).

The provisions of the EU Data Act will begin to apply from 12 September 2025.

The EU AI Act

The AI Act aims to establish uniform requirements for the development and use of AI systems, balancing innovation with the protection of individuals. It will impose significant regulatory burdens on businesses.

Businesses should assess their risk levels and AI practices to ensure their AI systems meet the new standards. They will need to maintain detailed records, monitor AI performance, and report any serious incidents and malfunctions to relevant national authorities. The potential penalties for non-compliance are substantial, with the highest fines set at €35m or 7% of worldwide annual turnover, whichever is higher. The provision of incorrect, incomplete or misleading information may incur a penalty of up to €7.5m or 1% of worldwide annual turnover, whichever is higher.

The EU AI Act entered into force on 1 August 2024 and will apply after 1 August 2026.

Key considerations for businesses

All businesses offering products or services in the EU should determine whether they need to change their data strategies or data governance and management practices to comply with the Data Act and the AI Act.

• Identify connected products, services and systems that may be affected by the legislation.
  o  Given the extraterritorial effect of both acts, businesses should be sure they fully understand the extent of their use or offering of products and services, to ensure that their internal processes and procedures enable compliance.
  o  As the AI landscape is rapidly evolving, a watching brief may be needed to stay on top of additional developments in relevant jurisdictions.
• Evaluate current practices to highlight any gaps in compliance. It is particularly important to identify the risk levels of different AI systems.
• Implement appropriate data governance and management practices, including compliance training.

The EU AI Act is the world’s first comprehensive law to regulate AI. Many commentators believe it will influence AI and data regulation globally, just as key aspects of the GDPR have been reflected in data privacy laws around the world. International businesses that opted to comply with the GDPR on a global basis may take the same approach to the AI Act, adopting its standards worldwide to achieve consistency in compliance and maintain market access and credibility.