The EU Data Act came into force on January 11, 2024. The Data Act is part of the European Commission’s data strategy released in February 2020 and obliges manufacturers of connected products to make use-related data available in certain circumstances. It also requires providers of data processing services (such as cloud services) to facilitate customers switching to a different provider, for instance, by providing minimal transitional services. Most of the new rules will apply as of September 12, 2025.
Connected products and extraterritoriality
Under the Data Act, connected products comprise products that obtain, generate or collect data concerning their use or environment, and that are able to communicate this data via electronic communications, physical connection or on-device access (such as IoT devices, e.g., connected home devices, medical devices or vehicles).
Obligations under the Data Act will mostly fall upon manufacturers of connected products placed on the EU market and providers of related services, irrespective of their place of establishment. Such companies – except micro, small or medium-sized enterprises – will be required to make use-generated data accessible to the user and to third-parties of the user’s choice.
Key Impacts for In-Scope Businesses
The Data Act will impact manufacturers of connected products and providers of data processing services (including cloud services) with the key obligations below:
Obligations for Manufacturers of Connected Products Placed on the EU Market
- Design the product or service in a way that the use-generated data is easily accessible to the user;
- Provide information to the user about the data to be generated by the use of the product or service and how this may be accessed, retrieved or erased, prior to entering the contract with them;
- Upon request of the user, provide the use-generated data to the user or to a third-party, if the data is not directly accessible from the product or related service;
- Provide the data to the third-party chosen by the user under fair, reasonable, transparent and non-discriminatory terms, to be formalized in a contract. The Data Act prohibits businesses from unilaterally imposing on other businesses “unfair” contractual terms concerning access and use of data.[1] Such provisions also apply when a company is required to make data available to another company under EU or Member State law.
- Manufacturers or providers of related services may, on a case-by-case basis, refuse the sharing of specific data identified as trade secrets.[2] The refusal to share data may occur only in exceptional circumstances, where they are highly likely to suffer serious economic damage from the disclosure despite the technical and organisational measures taken by the user. The refusal must be based on objective elements (including the nature and level of confidentiality of the data at hand), duly substantiated and provided in writing to the user, and also notified to the national competent authority.
- Manufacturers or providers of related services may apply appropriate technical protection measures, including smart contracts and encryption, to prevent unauthorised access to the data. However, smart contracts used to automate data-sharing are subject to certain requirements such as safe termination and interruption.
- Users and third-parties are forbidden from using the data to develop products that compete with the product from which the data is generated and from using the use-generated data to derive insights about the economic situation, assets and production methods of the manufacturer. Third-parties are only allowed to use the data for the purposes and under the conditions agreed with the user.
- Legal persons may be required to share data they hold with public sector bodies in exceptional circumstances, such as public emergencies, where the data could not be otherwise obtained by the public sector body in a timely and effective manner.
Obligations for Providers of Data Processing Services, Including Cloud Services
- Facilitate customers switching to other providers of the same service type, which includes refraining from imposing commercial, technical, contractual or organisational obstacles to a change of provider. In practice, this means that cloud providers will be required to provide certain minimum transitional services to customers, and the charges providers can impose for this assistance will be subject to limitations. Such obligations will not apply where the main features of the service have been built to accommodate specific needs of an individual customer. These obligations apply extraterritorially: they cover providers of data processing services, irrespective of their place of establishment, who provide service to customers in the EU.
- Take adequate technical, legal and organisational measures to prevent international and third-country governmental access and transfer of non-personal data held in the EU, if such transfer or access is illegal under EU or Member State law.
Fines
Member States shall lay down rules on penalties applicable to infringements of the Data Act. Fines shall be effective, proportionate and dissuasive. Data protection authorities may impose fines within their scope of competence as provided for in the GDPR (up to EUR 20 million or 4% of the total worldwide turnover of an entity for the preceding financial year, whichever is higher).
Next Steps
Most obligations under the Data Act will apply as of September 12, 2025. Obligations relating to the design and manufacturing of connected products will apply to the products and connected services placed on the market after September 12, 2026.
What Businesses Should Be Doing Now
Manufacturers of connected products and providers of related services are advised to critically assess their practices around providing data to users in view of the requirements of the Data Act and prepare a roadmap for implementation of compliance measures.
Providers of data processing services are likewise advised to consider the need for any changes to their practices (including technical and contractual measures) around switching and transitional assistance, interoperability and governmental access and transfer of non-personal data.
Privacy rules such as the GDPR, as well as cybersecurity regulations such as sectoral rules applying to medical devices and connected vehicles, may already apply in relation to products and services within the scope of the Data Act. In addition, new cyber rules are likely to be adopted soon with regard to connected devices – see our Legal Update on the draft EU Cyber Resilience Act from October 2023.
Furthermore, it is unclear how the Data Act will interact with other recently adopted pieces of legislation, such as the Digital Markets Act (“DMA”). In particular, the DMA has its own provisions on data portability, and the Data Act prevents “gatekeepers” designated under the DMA from receiving user data. This illustrates how competition law and data-related rules are increasingly interconnected in the EU and often require a combined legal assessment.
These existing and forthcoming provisions should be taken into account when developing a compliance strategy.
[1] A contractual term is unfair if it "grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing". The Data Act lists terms which are always considered unfair (e.g., those excluding or limiting liability for intentional acts or gross negligence) and those that are presumed to be unfair.
[2] The Data Act relies on the definition of trade secrets in the Trade Secrets Directive (EU) 2016/943, which means that any business relying on the trade secrets exception must show that the information in question is subject to appropriate safeguards, among other things.