CNIL Advises on EU Data Act Rules
French watchdog CNIL, which has a new role in regulating data sharing and use under the EU Data Act, set out rules of the road Monday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The act establishes a European framework for organizing the sharing and use of data from connected devices, strengthening user rights and creating obligations for stakeholders, CNIL said, according to a translation.
The measure aims to create a more open and competitive data economy by making fair rules on access to and use of personal and non-personal data generated by connected devices, the DPA said. It specifies who can use which data and how.
The act allows anyone who owns or uses any connected device to access the data it generates and makes it easier to share the information with other actors, CNIL said.
Implementation of the regulation must be coordinated with the GDPR, and if there's a conflict between the two, the latter prevails. Implementation also must consider the Data Governance Act, which established trusted intermediaries to encourage voluntary data sharing, CNIL said.
Most of the provisions of the Data Act have applied since Sept. 12, but others take effect in 2026 and 2027, the DPA said.
The Data Act applies to all data produced by the use of connected objects and the services associated with them, whether personal or not, CNIL noted. When personal data is involved, its processing must comply with the GDPR.
It also applies to public and private stakeholders, such as manufacturers who design or produce a connected device or an associated service, and data holders who generate or hold the data, CNIL said.
In addition, the regulation covers users of the devices and associated services, whether they're private individuals or companies, the watchdog said. They can exercise their rights under data regulations, including the right to request access to the data generated by the use of their connected device or service.
The measure similarly applies to recipients -- people or organizations, other than users -- who receive data from the data controller to carry out an economic activity, CNIL said. This type of transmission could occur following a user's request to transfer their data to a third party.
The regulation targets other actors as well, including public sector bodies, agencies and institutions, EU institutions and data processing service providers such as cloud computing services.