A New European Legal Framework with Rules for Data Access, Switching Cloud Providers and Interoperability
What Is the Data Act and Why Does it Matter?
The Data Act (Regulation (EU) 2023/2854) is a new EU regulation providing harmonised rules on access to data, switching cloud providers and interoperability requirements across the EU.
It is widely expected that the Data Act will have a significant impact on most companies doing business in the EU and will require significant preparation.
The Data Act, which will apply from 12 September 2025 onwards, will be relevant far beyond the EU's borders, including in the UK and the U.S., where no comparable legislation exists at present.
Context and Objectives
The adoption of the Data Act takes place in the context of the EU's ambitions to boost the EU's data economy and to create a Digital Single Market. The intended role of the Data Act is to set requirements for the use and value creation of data by providing users of connected products or services with more rights, and increasing competition in digital markets, especially by strengthening SMEs' competitive position.
To that end, the Data Act defines the conditions for a right of access to product and service data generated by connected products and related services. In this context:
- The Data Act provides safeguards against unlawful third-party use, the disclosure of trade secrets and unfair contractual provisions (Chapter 1).
- International and third-country governmental access and transfer of nonpersonal data held in the EU is subject to restrictions. In addition, the Data Act provides for interoperability standards on providers of cloud and other data processing services to facilitate switching (Chapter 2).
- Noncompliance can lead to penalties set and enforced by EU countries (Chapter 3).
Scope
From a business perspective, most of the provisions of the Data Act will apply to data holders, i.e., typically (but not always) manufacturers of connected products and providers of related services, if they place products or services on the EU market (and to data holders making data available to data recipients in the EU), irrespective of their place of establishment. However, the Data Act's provisions on data sharing only apply to users located in the EU.
Relationship With the GDPR
The Data Act is without prejudice to the GDPR and the ePrivacy Directive 2002/58, including with regard to the powers of supervisory authorities and the rights of data subjects. The Data Act complements the rights of access and data portability under Articles 15 and 20 of the GDPR. In the event of a conflict between the Data Act and EU or national law on the protection of personal data or privacy, the law on the protection of personal data or privacy will prevail.
Timeline
Most of the Data Act rules will enter into application as from 12 September 2025.
The obligation to design connected products/related services in such a way that product and related service data is accessible by default will apply as from 12 September 2026.
The rules on unfair contractual terms related to data access and use between companies will apply as from 12 September 2027 to contracts concluded on or before 12 September 2025 if they are of indefinite duration, or due to expire at least on 11 January 2034.
While these may appear to be rather generous timelines, several categories of actors may face significant redesigns of their products and services, which should be initiated as soon as possible.
To view the full article, click here .
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.