Data Act Deep Dive: Part 1

What is the Data Act?

The Data Act (Act) is a new European Union (EU) regulation that centres on "data", which comes into effect on 12 September 2025. This represents yet another aspect of the EU Digital Reforms package, which regulates the digital world we live and work in. The Act's primary goal is to make it easier and fairer for EU 'users' (i.e. residents and businesses) to access and share data generated by manufacturers and providers of connected products and smart objects (e.g. smart devices, machines, vehicles, and apps that collect data when used). These harmonised rules also aim to ensure fairness in the digital environment and stimulate competitiveness while safeguarding the interests of those who invest in data-generation technologies. Further information on the Act is available in the European Commission's FAQs document (FAQs).

What 'data' is within the scope of the Act?

The central plank of the Act is data, which means: "any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording".

Data will be generated by manufacturers or service providers of "connected products", "related services" and/or "virtual assistants" which are defined as follows:

• Connected Products, also called the "Internet of Things, " are products that generate, obtain, or collect data about their use, performance, or environment and can communicate this data via a cable-based or wireless connection. The primary function of a connected product (in scope of the Act) cannot be the storing, processing or transmitting data (Article 2(5) of the Act). Connected products include smart home appliances, consumer electronics, industrial machinery, medical devices, smartphones and TVs.
• Related Services means a digital service. There are two main requirements for a service to qualify as a related service: (1) a two-way data exchange between the related service and the connected product; and (2) the related service must affect the connected product's "functions, behaviour or operation". The FAQs give examples of services that transmit data or process commands to a product, such as an app to adjust the brightness of lights or to regulate the temperature of a fridge.
• Virtual Assistants are defined by Article 2(31) of the Act as software that can process demands, tasks or questions, including those based on audio, written input, gestures or motions, and that, based on those demands, tasks or questions, provides access to other services or controls the functions of connected products.

Data in-scope of the Act

The type of data covered by the Act is wide-ranging; it includes raw and pre-processed data (i.e. raw but usable data) and specifically:

• product data and related service data
• readily available data
• relevant metadata
• personal and non-personal data (however, personal data remains subject to the GDPR).

The type of data informs the applicable obligations imposed on the data holder. For example, data holders must: (i) provide users with direct access to "product data and related service data" (Article 3 of the Act); and (ii) give indirect access to users or third parties to "readily available" data or "relevant metadata" (Articles 4 & 5 of the Act).

Data outside the scope of the Act

Not all data is within the scope of the Act. The Act excludes:

• data that is inferred or derived from pre-processed data. For example, information inferred or derived from data arising from additional investments could include information derived by means of sensor fusion, which infers or derives data from multiple sensors, collected in the connected product, using proprietary, complex algorithms and which could be subject to intellectual property rights
• data produced by sensor-equipped products when users record, transmit, display, or play content.

Who is caught by the Act?

The Act applies to manufacturers, service providers, users, data holders, cloud service providers, third parties and government bodies. See the glossary of terms for more information (below). The key concepts under the Act are "data holders", "data processing service provider" and "users":

• User: Under the Act, users are given rights of use, access and data switching. Users are defined as any natural or legal person who owns a connected product or has temporary rights to use that connected product, has been contractually transferred, or receives related services.
• Data holder: Data holders are obliged to comply with the Act's data access and sharing provisions. A "data holder" is a "natural or legal person that has the right or obligation... to use and make available data, including, where contractually agreed, product data or related service data which it has retrieved or generated during the provision of a related service" (Article 2(13) of the Act). As such, a key requirement to be a data holder is to have control over access to readily available data.
• Providers of a "data processing service": Providers of data processing services will also be subject to the obligations of data switching and interoperability under the Act. The term data processing service means "any digital service provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised or distributed nature that can be rapidly provisioned with minimal management effort or service provider interaction" (Article 2(8) of the Act). The term is almost identical to the definition of "cloud-computing service" under the NIS2 Directive.While organisations may be forgiven for assuming that the definition applies to cloud computing services only, the provisions of Chapter V of the Act make it clear that the concept is broad and can apply to services which are: (i) custom-built to the specific needs of a customer or developed for a customer; and (ii) which are not offered at broad commercial scale. Therefore, SaaS providers may be caught as data processing service providers. It is important to highlight that, as a general rule, a company cannot be a data holder and user of the same data.
• Third parties: A third party is a person who receives data from a data holder upon request of a user. Data holders are only obliged to share readily available data upon a user's request with a third party if that third party is located in the EU. According to the FAQ, non-EU operators do not come within the scope of being a data recipient (i.e. to receive data requested by a user).

What is the Territorial Scope of the Act?

The Act has an extra-territorial effect. Therefore, it applies to manufacturers and service providers who place connected products or related services on the market in the EU, irrespective of the place of establishment of those manufacturers or providers (Article 1(3)(a) of the Act). Additionally, data holders outside the EU that "make data available" to data recipients in the EU will be caught by the Act (Article 1(3)(c) of the Act). This reinforces the Act's market-oriented approach to addressing compliance throughout the entire lifecycle of a connected product or related service. It also aligns with elements of existing EU laws which govern the processing of data (such as the GDPR).

When does the Act Apply? Key dates

More information to follow

Part 1 of our Data Act Deep Dive series is intended to provide an introductory overview of the Act.

The Act marks a transformative shift for organisations that process all types of data (both within and throughout the EU) by promoting fairness and innovation in the digital economy. While new value from connected devices and related services may be unlocked, it will be important for organisations to ensure compliance with the Act to avoid regulatory fines in the future.

Later in this series, stay tuned as William Fry's Technology team uncovers some of the Act's key features:

• Part 2: Data Access and Use
• Part 3: Data Switching and Interoperability
• Part 4: B2B Unfair Contractual Terms

Contributed by Aoife Keenan and Caroline Keaveny