The EU Regulation on harmonized rules on fair access to and use of data (Data Act) entered into force on January 11, 2024. The Data Act introduces new rules regarding the access, use and sharing of data generated by connected products or related services, as well as new obligations to ensure fairness in the data economy. The Data Act will have an important impact on companies globally and across sectors. Subject to particular provisions, organizations covered by the Data Act will need to comply with their obligations by September 12, 2025. Below, we outline the 10 things that organizations need to know about the Data Act and the steps they need to take to comply.

1. What Is the Purpose of the Data Act?

The Data Act aims to remove barriers to the internal market for data by laying down a harmonized framework to facilitate and promote the access, sharing, and use of data. Accordingly, the Data Act intends to foster innovation by enabling easier access to data, while providing individuals with more control over the data that is generated through their use of connected products and related services.

2. Who Does the Data Act Apply to?

The Data Act notably applies to:

  • Users of connected products or related services;
  • Manufacturers of connected products placed on the EU market and providers of related services;
  • Data Holders;
  • Data Recipients;
  • Providers of data processing services providing such services to customers in the EU;
  • Public sector bodies, the Commission, the European Central Bank and Union bodies (together "Public Sector bodies");
  • Participants in data spaces and vendors of applications using smart contracts and persons whose trade, business, or profession involves the deployment of smart contracts for others in the context of executing an agreement.

Please note that the Data Act has an extraterritorial effect and applies irrespective of the place of establishment of the Manufacturers of connected products, Providers of related services, Data Holders, and Providers of data processing services.

3. What Do the Terms "Connected Product" and "Related Services" Relate to Under the Data Act?

  • "Connected product" is defined as (i) an item that obtains, generates, or collects data concerning its use or environment and that is able to communicate such data via an electronic communications service, physical connection, or on-device access, and (ii) whose primary function is not the storing, processing, or transmission of data on behalf of any party other than the user. In a nutshell, this includes connected devices and Internet of Things (IoT), such as smart cars, smart home appliances, connected wearables, connected toys, connected medical and health-related devices, intelligent industrial machines, etc. Conversely, personal computers, servers, tablets, smart phones, cameras, etc. are outside of the scope of the Data Act.
  • "Related service" is defined as a digital service, other than an electronic communications service, which is connected with the connected product in such a way that its absence would prevent the connected product from performing one or more of its functions, or which is subsequently connected to the product to add to, update, or adapt the functions of the connected product. In a nutshell, this includes applications connected to IoT, control software, etc.

Virtual assistants which interact with a connected product or related service fall within the scope of the Data Act.

4. Which Obligations Does the Data Act Impose?

The Data Act distinguishes different actors who will have to comply with their own set of rules. We examine below the obligations that will apply to the main actors subject to the Data Act.

4.1 Users

Users are any natural or legal persons that own or lease a connected product or receive related services. They have the right to access their data from connected products or related services and to share it with third parties, including Data Recipients (i.e., natural or legal persons who are not the User and who are acting for purposes which are related to their trade, business, craft or profession, to whom the data holder makes data available). However, Users must:

  • Not use the data obtained to develop a connected product that competes with the connected product from which the data originates, nor share such data with a third party with the intent to compete;
  • Not use the data to derive the economic situation, assets, and production methods of the manufacturer or, where applicable, the Data Holder;
  • Not use coercive means or exploit technical gaps to obtain access to data.

4.2 Data Holders

Data Holders are natural or legal persons who have the legal right or obligation to use and make available data, including product data or related service data. They are typically the manufacturers of the connected products and/or the providers of related services; however, this may not always be the case. They must notably:

  • Provide Users with information regarding the data generated by the connected product and related service and how this is used;
  • Design connected products and related services (with the latter including, under certain conditions, software that is connected to a product) in a way that enables direct and easy access to product data and related service data, including the relevant metadata;
  • Make data, including relevant metadata, readily available to Users or, under certain conditions, a third party designated by Users, without undue delay and, where relevant and technically feasible, continuously and in real-time;
  • Make data available to another business (Data Recipient); provide fair, reasonable, non-discriminatory and transparent access to such data; and must not charge an excessive fee for doing so;
  • Under certain conditions, share data, including relevant metadata, with Public Sector bodies, when there is an exceptional need to use that data for the performance of a specific task carried out in the public interest, such as official statistics, or mitigation or recovery from a public emergency.

Note that the data access may be restricted, in particular:

  • Users and the Data Holders may contractually restrict or prohibit data access if it threatens product security or adversely impacts health, safety, or security;
  • Users and Data Holders may agree to the implementation of proportionate technical and organizational measures necessary to preserve the confidentiality of trade secrets.

Additionally, entities that offer connected products or related services in the EU and that are not established in the EU must designate a legal representative in an EU Member State.

4.3 Providers of Processing Services

Providers of Processing Services are providers of digital services provided to customers that enable ubiquitous and on-demand network access to a shared pool of configurable, scalable, and elastic computing resources of a centralized, distributed, or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction. It covers notably providers of cloud and edge computing services. They must notably:

  • Take measures to enable customers to switch to a different provider of the same service or to on-premises ICT infrastructures, which includes removing pre-commercial, commercial, technical, contractual, and organizational obstacles;
  • Include a series of mandatory clauses in their contract to facilitate such switching;
  • Provide information on available procedures for switching and porting the data processing service and a reference to an up-to-date register containing details of all data structures and data formats, as well as the relevant standards and open interoperability specifications in which the exportable data are available;
  • Make available on their website information about the jurisdiction to which the ICT infrastructure deployed for the data processing of their individual services is subject, and a description of the technical, organizational, and contractual measures implemented to prevent international governmental access to or transfer of non-personal data where these could create a conflict with EU or Member State laws;
  • Not impose any switching charges on their customers from January 12, 2027;
  • Adopt technical measures to facilitate the switching.

5. Which Data Is Covered by the Data Access Obligations Under the Data Act?

The data access obligations apply to "Product data" and "Related service data":

  • "Product data" refers to data generated by the use of a connected product that the manufacturer designed to be retrievable via an electronic communications service, physical connection, or on-device access, by a user, data holder, or a third party; and
  • "Related service data" refers to data representing the digitization of user actions or of events related to the connected product, recorded intentionally by the user or generated as a by-product of the user's action during the provision of a related service by the provider.

In practice, these cover all data generated from the use of a connected product or a related service that is readily available to the data holder. This applies to both personal and non-personal data, including relevant metadata. However, inferred or derived data are out of scope.

6. How Does the Data Act Interplay With the Data Governance Act and the General Data Protection Regulation?

The Data Act is part of the European Strategy for Data, and it complements the Data Governance Act (DGA). More specifically, while the DGA creates the processes and structures to facilitate data sharing, the Data Act specifies who is entitled to use connected product or related service data, under which conditions, and on what basis.

The Data Act is fully consistent with and complements the General Data Protection Regulation (GDPR) rules. In particular, the Data Act enhances the GDPR right for data portability with regard to connected products to the extent that this right will cover both personal and non-personal data. However, the Data Act does not constitute a legal basis, within the meaning of the GDPR, for processing, providing access to, or making available personal data.

7. What Do Organizations Subject to the Data Act Need to Do?

Organizations subject to the Data Act will notably need to:

  • Ensure that connected products or related services are designed in a way that allows data access obligations to be fulfilled;
  • Ensure that Data Processing Services are designed in a way that allows effective switching;
  • Draft a notice on the data generated by the connected product and/or related service;
  • Draft a notice on data processing services switching;
  • Implement internal procedures and processes to respond to any data access request;
  • Identify and document the data that needs to be protected as trade secrets, and the necessary measures that need to be implemented to protect them;
  • Review Terms & Conditions;
  • Review data sharing agreement(s);
  • Identify and implement adequate technical, organizational and legal measures to address international governmental access and transfer restrictions.

8. By When Do Organizations Need to Comply With the Data Act?

The Data Act will be applicable from September 12, 2025.

9. Who Will Supervise and Monitor Compliance With the Data Act?

Each EU Member State must designate one or more competent authority(ies) responsible for supervising and monitoring compliance with the Data Act. If a Member State designates more than one competent authority, it must also designate a data coordinator among these authorities to facilitate cooperation among them.

The European Data Innovation Board, established by the DGA, will support the consistent application of the Data Act.

The European Commission has the power to adopt delegated acts to supplement the Data Act, and to issue guidelines on certain concepts and processes enshrined therein.

10. What Are the Risks in Case of Non-compliance?

Penalties for infringement of the Data Act will be defined at national level by each EU Member State. EU Member States must report to the European Commission on the rules implemented in that respect by September 12, 2025.

Infringements of the obligations related to data sharing could be sanctioned by the administrative fines provided by the GDPR, namely administrative fines up to 20,000,000 EUR or up to 4% of the total worldwide annual turnover.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.