Enforcement Era Of The Data Act Begins: What It Means For Dispute Resolution

On 12 September 2025, the EU Data Act (Regulation (EU) 2023/2854) became applicable across the EU. Finland’s complementary enforcement legislation, the Act on the Supervision of Data Management and Data Sharing (laki datan hallinnan ja jakamisen valvonnasta 1148/2025), entered into force on 1 January 2026.

The Data Act establishes rules on access to and sharing of data generated by connected products and related services. In brief, data holders must make readily available data accessible to users free of charge, in a comprehensive, structured, commonly used and machine-readable format and, where relevant and technically feasible, continuously and in real time. Upon user request, data holders must also make data available to third parties of the user’s choice, and in business-to-business relations under fair, reasonable, and non-discriminatory terms. Users and third parties must not use data received from the data holder to develop competing connected products, and third parties must process data only for the purposes agreed with the user. Where data sharing involves trade secrets, the data holder may withhold or suspend sharing if the necessary confidentiality measures are not agreed or implemented, providing a duly substantiated written decision and notifying the competent authority.

For companies dealing with connected products and data sharing, understanding who enforces the Act and how is every bit as important as understanding the substantive obligations themselves.

Enforcement is already live in practice: the first Data Act complaint lodged with Traficom concerned a Swedish data holder’s refusal to provide a Finnish company with certain data free of charge, and Traficom transferred the case to the competent Swedish authority, illustrating both the cross-border operation of the complaint mechanism and the kind of substantive questions that will define the Act’s early enforcement history.

Traficom at the Centre

Finland’s designated data coordinator is the Finnish Transport and Communications Agency (“Traficom”), which is also the primary competent authority for supervision and enforcement under the Data Act. The Act primarily targets manufacturers of connected products, data holders, users, third parties, and providers of data processing services, all of whom are now subject to Traficom’s supervisory mandate.

Two additional authorities hold more limited roles. The Consumer Ombudsman is responsible for the supervision of certain pre-contractual information duties where a trader provides information to a consumer, while the Finnish Competition and Consumer Authority promotes data literacy among consumers. Traficom, in contrast, promotes data literacy among undertakings and communities.

These authorities must cooperate with the Data Protection Ombudsman and other relevant authorities when performing their tasks under the Data Act. In practice, this cooperation will be most critical in cases that involve both data access and the processing of personal data, where the respective mandates of Traficom and the Data Protection Ombudsman overlap.

More Than Just Fines: The Full Administrative Toolbox

The enforcement discussion often tends to focus on administrative penalty payments, but Traficom’s toolkit is considerably broader.

Information and inspections

Traficom may require addressees to provide proportionate information needed to verify compliance with the Data Act, and the addressees must do so without undue delay, in the requested format, and free of charge, irrespective of any confidentiality obligations that would otherwise apply. Traficom also has inspection powers where a breach is suspected, including access to premises used for business or professional activities (but not private homes), and the right to review, copy, and temporarily take possession of relevant business correspondence, accounting records, and other documents. One important safeguard is that Traficom’s powers do not extend to documents containing confidential lawyer–client correspondence, preserving professional privilege. Where necessary, Traficom may also request police assistance to perform its statutory tasks.

Compliance orders and coercive measures

Where Traficom finds a breach, it may issue a remark or warning, order the infringing party to cease the breach or correct errors and omissions, or prohibit a measure contrary to the Data Act, setting a reasonable deadline for compliance. These orders can be reinforced with a conditional fine or a suspension threat (though a conditional fine may not be used to enforce an information request against a natural person where there is reason to suspect a crime and the information relates to that suspected criminal offence).

Risk-based approach

Traficom may prioritise its supervisory activities and may decide not to investigate a matter that only has minor significance for compliance, with any such decision to be made as promptly as possible. Albeit not expressly stated, this could potentially mean that SMEs facing minor technical breaches are unlikely to be the authority’s primary focus.

Penalty payments

As a general rule, an administrative penalty payment for a Data Act infringement may reach up to 2% of the undertaking’s turnover in the preceding financial year or, for a natural person who is not an undertaking, up to 2% of taxable earned and capital income, capped at EUR 2,000. For more serious infringements, including core obligations such as the fundamental duty to make data available and prohibitions on using data to develop competing connected products, the cap rises to 4% of turnover or 4% of taxable income capped at EUR 4,000 for natural persons.

A penalty payment will not be imposed if the breach is minor or if imposing it would be manifestly unreasonable.

The ne bis in idem principle is also applicable, i.e. no penalty payment may be imposed if the same act is subject to criminal proceedings or has resulted in a final judgment. Note that ne bis in idem as applied here concerns criminal proceedings; it does not preclude civil proceedings from running in parallel. Penalty payments are also time-barred five years after the infringement, or, for a continuing infringement, five years after it ceased.

Features of Administrative Dispute Resolution

For readers not familiar with the distinctions between administrative and civil proceedings in Finland, bringing a complaint to Traficom differs in important respects from ordinary civil litigation.

Who investigates

Any natural or legal person may lodge a complaint with the competent authority, and the authority must keep the complainant informed of progress and the outcome. In civil litigation, the claimant bears primary responsibility for investigating and proving the case. In administrative enforcement, by contrast, Traficom conducts the investigation. That said, in civil proceedings, the general Finnish “loser pays” rule applies, meaning the losing party typically bears the other side’s legal costs, which is a significant financial consideration when weighing up whether to pursue parallel civil litigation.

Coercive powers

Traficom may issue compliance orders backed by coercive measures, which has no direct equivalent in ordinary civil litigation, where the core remedy is typically a court judgment and, where available, interim injunctive relief.

Proceedings in writing

Administrative proceedings before Traficom are conducted predominantly in writing under the general framework of the Finnish Administrative Procedure Act (hallintolaki 434/2003). This avoids the cost and unpredictability of oral hearings.

No settlement

Unlike civil proceedings, administrative enforcement before Traficom does not, as a matter of general administrative procedure, permit the parties to settle the case between themselves and have Traficom close it on that basis. Traficom retains control over how and whether to dispose of a case, and a private agreement between the parties does not compel the authority to bring proceedings to an end. This is an important practical distinction for businesses weighing up regulatory complaints against civil litigation.

Immediate effect of compliance orders

A Traficom decision, other than a penalty payment decision, may be ordered to remain in force and to be complied with even if appealed, unless the appellate authority decides otherwise. This is a notable feature: a compliance order can bite immediately, without waiting for the conclusion of appeal proceedings.

Where and how to appeal

A common question in Finnish administrative law is whether a prior request for rectification is required before appealing to the administrative court. Under the Finnish Enforcement Act, the rectification request route only applies in relation to Traficom decisions concerning registration under Article 19(5) of the Data Governance Act. For all other decisions under the Data Act framework, appeals go directly to the administrative court under the Act on Judicial Procedure in Administrative Matters (laki oikeudenkäynnistä hallintoasioissa 808/2019). There is therefore no general requirement to seek rectification first before appealing a Data Act enforcement decision – a practically important distinction.

Trade Secret and Data Sharing Disputes

There is an inherent tension in the Data Act. The Act promotes sharing of data. This prima facie includes data qualifying for trade secret protection, which the data holder has a clear interest in not disclosing outside the company at all.

The public debate has identified trade secret disputes as likely to be among the most common triggers for complaints to Traficom. The example of trade secrets disputes can usefully illustrate how the complaint mechanism operates in practice.

When can a data holder withhold or suspend sharing?

Where data sharing involves data that the data holder considers a trade secret, the data holder may require the user or third party to take the measures necessary to preserve the confidentiality of that data before sharing takes place. If no agreement is reached on the necessary measures, or if the user or third party fails to implement the agreed measures or undermines the confidentiality of the trade secrets, the data holder may withhold or, as the case may be, suspend the sharing of data identified as trade secrets. The data holder’s decision must be duly substantiated and provided in writing to the user or third party without undue delay, and the data holder must also notify the competent authority.

How the complaint mechanism operates

Where a data holder withholds, suspends, or refuses sharing on trade secret grounds, the user or third party may lodge a complaint with Traficom, without prejudice to their right to seek judicial redress. Traficom must decide without undue delay whether sharing must start or resume, and on what conditions.

This is worth pausing on. Traficom’s task here goes beyond a purely procedural check: it must engage substantively with the trade secret claim to the extent necessary to determine whether sharing should be ordered and under what safeguards. At the same time, Traficom’s competence and the courts’ competence are concurrent rather than sequential. The substantive question of whether specific data actually qualifies as a trade secret under the Trade Secrets Act (liikesalaisuuslaki 595/2018) and whether the data holder’s classification, refusal, or suspension was legally justified can be pursued before the courts in parallel. Where a Traficom decision is appealed, it is ultimately for the appellate court to determine the issue with binding effect within the Data Act framework. A data holder facing a complaint should therefore be aware that Traficom will assess the merits of the trade secret claim when deciding whether to order resumption, not merely verify that a written decision was provided.

Looking Ahead

The enforcement framework of the Data Act gives Traficom teeth. For businesses operating in Finland, understanding the full range of Traficom’s powers, from information demands and inspections to binding compliance orders and penalty payments, is essential for sound compliance planning.

Several open questions will shape how the framework operates in practice. How will Traficom prioritise its early cases and what precedents will those first decisions set? Will certified dispute settlement bodies emerge in Finland, offering a faster alternative to regulatory complaints and litigation? How will the division of competence between Traficom and the Data Protection Ombudsman develop in cases involving mixed datasets? And can there be overlap between court litigation and administrative disputes?

It is also worth noting that the enforcement landscape may shift further. The Commission’s November 2025 Digital Omnibus proposal would introduce a new ground for data holders to refuse disclosure of trade secrets to users where there is a high risk of unlawful acquisition, use, or disclosure to third countries, or entities under their control, that are subject to jurisdictions with weaker protections than those available in the EU. The proposal would also introduce enhanced complaint mechanisms, while maintaining safeguards against misuse of the refusal mechanism, including the data holder’s obligation to demonstrate in a duly substantiated manner that disclosure poses a high risk and to notify competent authorities. This is a reminder that the Data Act framework is still evolving and worth following closely.

At Hannes Snellman, we are closely monitoring the regulation of data in the EU and Finland. In addition to substantive knowledge on the Data Act and related regulations, our experts have significant experience in handling both civil and administrative disputes.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.