The EU's 2030 Digital Agenda sets the course for a European digital future, with accompanying new legislation. This new legislation brings numerous changes and obligations for various organizations and is therefore also relevant for M&A practice, as the scope of due diligence investigations will expand significantly as a result of the new legislation.
Legal Data Due Diligence
We're now accustomed to conducting privacy due diligence based on regulations such as the General Data Protection Regulation (GDPR). However, a privacy due diligence review will now be too narrow in scope. Before conducting due diligence, it's important to understand which regulations are relevant to a transaction, what obligations this entails for organizations, and (potentially) the risks for a buyer. Therefore, consult our online tool at www.legaldataduediligence.nl to determine, prior to a transaction, which EU data laws may apply to the target. This blog provides M&A practitioners with guidance on the Data Act and the Data Governance Act (DGA). For each law, we discuss the core obligations, scope, risks, and considerations for M&A practitioners.
Difference between Data Act and Data Governance Act
Before delving deeper into the Data Act and the Data Governance Act (DGA), it's important to understand how these regulations relate to each other. Both aim to increase access to data and are part of the broader European data strategy. The difference in purpose between the Data Act and the DGA lies in their focus and approach to the European data economy. They address different aspects of data use, management, and sharing. The DGA emphasizes trust, governance, and infrastructure to create a solid foundation for data sharing in the EU. The Data Act focuses on establishing rights, obligations, and access to data to ensure a fair and competitive data economy.
Key Differences
| | Data Governance Act (DGA) | Data Act |
|---|---|---|
| Focus | Trust and infrastructure for data sharing | Rules for access to and use of data |
| Target group | Public sector, mediation services, altruism companies | Manufacturers of connected products and providers of related services, users, data holders, data recipients |
| Data type | Public data, voluntarily shared data | Industrial data, smart device data |
| Main objective | Creating a framework for secure data sharing | Fair access and use of data |
Data Act
The Data Act aims to optimize the use of government, business, and citizen data by facilitating data sharing and migration to different cloud services. To achieve this objective, the Data Act has a broad scope. For example, the regulation targets the following individuals and organizations:
- Manufacturers of IoT devices and providers of related services placed on the European market
- Data holders
- Recipients of data
- Public authorities (and EU bodies)
- Providers of data processing services (cloud services)
The Data Act entered into force on 11 January 2024 and will apply in September 2025.
Data holders and data recipients
Two key market participants covered by the Data Act are "data holders" and "data recipients." Data holders typically include providers of connected products and related services (such as the software required for the product to function). Connected products are connected to the internet and obtain, generate, or collect data about their performance, usage, or environment. They are also called "smart" devices or "Internet of Things" (IoT) devices (think of cars, smart home devices, robots, virtual assistants, etc.). Data holders therefore include, for example, car manufacturers, but also providers of household appliances such as refrigerators or smart lighting. They may use this data, but according to the Data Act, they must also make it available to others. If you purchase, rent, or lease such a product (and are therefore a user within the meaning of the Data Act), the manufacturer collects all the data generated by the product. This information allows the manufacturer to launch new (improved) products and/or strengthen its competitive position. However, this information can also be of interest to other market participants and government bodies to promote scientific research, innovation, and competition. The Data Act makes it easier for them to receive this data. The recipients of this data are the "data recipients." These can be all kinds of individuals/organizations (think, for example, of energy suppliers who want to receive data on the use of cars or other devices), as long as they are not the users, do not already possess a large amount of data (think of companies like Google, Meta, etc.), and the data is not used to develop competing products.
What are the core obligations?
- Access and (mandatory) data portability (Articles 3 to 12)
The Data Act grants users of devices and related services (both B2B and B2C) rights, strengthening their legal position regarding data accessibility and portability. For example, Article 3 of the regulation imposes obligations regarding the design and manufacture of IoT devices and related services, ensuring that their data are easily accessible and interpretable. Certain contractual agreements must also be made in this regard. Articles 5 and 6 also introduce provisions facilitating data sharing with third parties, and Article 9 requires that agreed-upon fees for making data available be non-discriminatory and reasonable.
- Unfair contractual terms (Article 13)
Companies are free, if they are obligated to provide data, to make agreements with another company regarding access and use of data, or liability and remedies in the event of breach or termination of data-related obligations. However, Article 13 of the Data Act clarifies when contractual terms can be considered unfair. This is the case, for example, with unilaterally imposed contractual terms.
- Making data available to public authorities and bodies of the European Union (Articles 14 to 22)
Under Article 14 of the Data Act, data holders are obligated to make data available to the relevant public authority(ies) if there is a demonstrable exceptional need to use it. When this is the case, how public authorities should submit this request, how this request should be complied with, etc., are addressed in the subsequent articles.
- Switching to another (cloud) service (Articles 23 to 31)
According to Article 23, data processing services (such as cloud services) must implement certain measures to enable their customers to switch to another data processing service. For example, the customer's rights and the service provider's obligations must be documented, and the provider must provide reasonable assistance with the switch. From January 12, 2027, providers of these services will no longer be allowed to charge their customers any switching fees at all.
- International government access and transfer of non-personal data (Article 32)
The GDPR already sets requirements regarding the international transfer of personal data. The Data Act also imposes requirements on international government access and transfer of non-personal data. This means that international government access and access by third-country governments, as well as transfer of non-personal data stored in the EU, must be prevented if there is no such obligation.
- Interoperability (Articles 33 to 36)
Providers of data and data services must meet requirements to promote interoperability of data, data sharing mechanisms and services.
Does the law apply to the target?
The Data Act determines who, under what conditions, and on what basis has the right to use product data or data from a related service. As previously demonstrated, this encompasses a broad scope. It applies, in particular, to manufacturers of "smart products" (data holders) and parties that receive data from these manufacturers (data recipients), as well as SaaS, IaaS, and PaaS service providers.
What are the risks (fines, etc.)?
The Data Act requires Member States to designate a supervisory authority and impose sanctions for non-compliance with the regulation. These sanctions must be notified to the Commission by 12 September 2025. The Netherlands intends to implement the Data Act through the EU Data Regulation Implementation Act. This act has not yet been finalized and must be submitted to the House of Representatives. However, the proposal aims to appoint the Netherlands Authority for Consumers and Markets (ACM) as the supervisory authority, which can impose an order subject to periodic penalty payments or a fine of up to €1,030,000 (or 10% of the offender's annual turnover, whichever is greater) for infringements.
What should you pay attention to during a transaction?
- Is the target a data holder within the meaning of the Data Act?
- Is the target a provider of a data processing service within the meaning of the Data Act?
- Is the target obligated to make data available to users, third parties, or government agencies?
- Does the target, if necessary, make the data available in accordance with the requirements of the Data Act?
- If the target has trade secrets, has the target agreed with the user and/or the third party on technical and organisational measures to protect them?
- In B2B relationships: does the target have contracts with data recipients that set out the arrangements for making the data available?
- Do the contracts contain unfair contractual terms?
- Are agreed fees for making data available non-discriminatory and reasonable?
- If the target is a provider of a data processing service: has the target taken the measures referred to in Articles 25 to 30 to enable customers to switch to another (provider of a) data processing service?
Data Governance Act
The Data Governance Act (DGA) is a European Union legislative initiative aimed at providing a robust framework for data management and sharing within the EU. The DGA aims to create a more trusted and transparent data economy, enabling businesses, citizens, and governments to share and reuse data in a secure and controlled manner. The DGA entered into force on June 23, 2022, and formally came into effect on September 24, 2023.
What are the core obligations?
As with the Data Act, "data" as defined in the DGA includes both personal and non-personal data. The key obligations under the DGA can be summarized as follows:
- Conditions for the reuse of certain government data that cannot be made available as open data
This could include, for example, the use of health data for research. The DGA prohibits agreements that grant exclusive rights to the reuse of this data or restrict the availability of data for reuse by other entities. Furthermore, requested fees for reuse must be transparent, non-discriminatory, proportionate, objectively justified, and not restrict competition.
- A registration and supervisory framework for the provision of data brokerage services
Data brokerage services must meet certain requirements, and providers must notify the competent authority that they wish to offer such services. This generally does not apply to non-profit entities that collect data for public interest purposes and make it available on the basis of data altruism.
- A framework for the voluntary registration of entities that collect and process data made available for altruistic purposes (non-commercial purposes)
The DGA encourages data altruism and states that Member States can implement regulations to facilitate it. Organizations that engage in data altruism can be registered in a public register of recognized data altruism organizations. To be eligible, they must meet certain conditions. If the application is approved, the DGA states that they must meet certain transparency requirements and requirements to protect data subjects and data holders.
- A framework for the establishment of a European Data Innovation Board
Does the law apply to the target?
The DGA also has a broad scope. It applies to government agencies, businesses, and citizens alike. The main obligations relate to three different areas. It must be determined whether the target meets one (or more) of these qualifications.
- The DGA primarily focuses on obligations regarding protected data of government agencies. The obligations in that chapter must be met if the target is a government agency that holds data protected on the basis of:
a. The trade secret;
b. Statistical confidentiality;
c. The protection of the intellectual property rights of third parties; or
d. The protection of personal data.
- Next, the requirements for data brokerage service providers are discussed. These are services aimed at establishing commercial relationships for the purpose of data sharing between parties. They are required to register.
- The DGA also considers organizations that have registered as recognized organizations for data altruism. If companies facilitate data exchange without a commercial purpose, this falls under data altruism. They can register voluntarily and must then meet certain requirements.
What are the risks (fines, etc.)?
Member States must also establish individual rules regarding sanctions for non-compliance with the regulation. These rules are contained in the Data Governance Regulation Implementation Act. The ACM (Netherlands Authority for Consumers and Markets) is designated as the supervisory authority in this Act. In the event of a violation of the DGA, the ACM may impose a penalty payment order or a fine of up to €1,030,000 (or 10% of the offender's annual turnover, whichever is greater).
What should you pay attention to during a transaction?
- Does the DGA apply to the target?
- Does the target provide services that can be classified as data mediation services within the meaning of the DGA?
- If the target provides data mediation services, is it registered in accordance with the obligations under the DGA?
- Is the target registered in a public national register of recognised data altruism organisations?
- Does the target meet the conditions for providing data mediation services under Article 12 DGA?
- If the target is a recognised data altruism organisation, does it meet the transparency requirements of Article 20 DGA?
- If the target is a recognised data altruism organisation, does it meet the requirements for the protection of data subjects and data holders under Article 21 DGA?
Conclusion
The new EU data legislation discussed will have a significant impact on M&A practices, primarily on the due diligence process. In many transactions, the scope of due diligence will need to be expanded to include "Legal Data Due Diligence." This will first determine which new EU data legislation applies to the target, then determine whether the company complies with the new EU data legislation, and finally, identify any risks of non-compliance.
The new EU data legislation is particularly complex and requires specialized knowledge. If a target company fails to comply with the obligations under the legislation in question, this can significantly impact a company's valuation and purchase price, as the costs and resources required for compliance can be substantial. Moreover, failure to comply with these regulations can lead to significant fines, license revocation, and reputational damage. Therefore, specialized due diligence in this area is essential.
Before embarking on a sales process, sellers are wise to check whether new EU data regulations apply or will apply to the company. After all, before a sale, a seller still has control over how an organization complies with new EU data regulations and can therefore better manage the costs and implementation method. If an organization does not comply with applicable EU data regulations, a potential buyer will assign a higher amount to the risk and costs associated with the implementation.
Want to know more? Contact one of our specialists.