The EU Data Act is a regulation designed to reshape the European data economy by establishing harmonised rules for data access, sharing and portability.
Soon, products placed on the EU market must be designed to allow easy data access for users and third parties. This may require redesigning hardware or software to enable data portability and implementing technical safeguards like encryption and smart contracts.
While the Act complements the EU GDPR, it focuses on non-personal and user-generated data — particularly that from connected devices and the Internet of Things (IoT) products and services.
Following its adoption in January 2024, the Act will enter into force on 12 September 2025 — although the requirements for data access by design will come in from September 2026.
Here, Eleanore Beard explains whether the Act will affect your business, its key provisions and what could happen if you’re not compliant.
What is the Internet of Things?
The IoT refers to devices — or ‘things’ — that have sensors, software or other technologies that enable connection and data exchange with other devices and systems over the internet.
This includes the likes of drones, smart meters, smart speakers, connected TVs, smart lights, smart thermostats, smart doorbells, medical devices (such as smart blood pressure monitors) and much more.
It can also include the offline products from which data can be retrieved, such as plug-in devices.
Will the EU Data Act affect my UK business?
Since the EU Data Act (Regulation (EU) 2023/2854) has extraterritorial reach, it’ll directly affect UK businesses — especially those with operations, clients or data flows within the EU.
Scope & applicability
The Act applies to:
- Manufacturers of connected products (e.g., smart appliances, industrial machinery and vehicles).
- Providers of related digital services (e.g., apps that control devices).
- Cloud and data processing service providers.
- Public authorities (in specific circumstances).
The EU has said that: “The Data Act gives users of connected products (businesses or individuals that own, lease, or rent such a product) greater control over the data they generate, while maintaining incentives for those who invest in data technologies. In addition, it lays down general conditions for situations where a business has a legal obligation to share data with another business”.
Key provisions of the EU Data Act
Data access & portability
To comply with the Act’s requirements, any company that makes a connected product or provides related services (i.e., a data holder) must have a contract with the user (such as a sales contract, rental contract or related service contract) that defines the rights regarding the access, use and sharing of the data that’s generated by the connected product or related service. It’s important to note that the data holder can’t use any non-personal data generated by the product without the user’s agreement.
Data holders must provide the user with information on the type of data that they’ll generate when using the connected product or related service (including the volume and collection frequency) and users should be able to request access to the data through a simple process. Data holders must also make the data available to users for free.
Notably, the data obtained can’t be used to develop a competing connected product. The Data Act doesn’t prohibit competition in related or aftermarket services. However, there’s no obligation under the Data Act for a data holder to share data with third parties that are based outside the EU.
The Act will mean that:
- Users (individuals or businesses) gain the right to access and share data that they’ve generated by using connected devices and related services.
- Data must be provided free of charge, in real-time and in a machine-readable format.
- Users can instruct data holders to share data with third parties.
- Data holders may only use data if contractually agreed with the user.
Fair contractual terms
The Data Act aims to protect EU businesses against unfair contractual clauses, especially where there’s a power imbalance. It lists a number of terms that are always considered to be unfair (for example, the exclusion or limitation of the liability of the party that unilaterally imposed the term for intentional acts or gross negligence) and a number of terms that are presumed to be unfair (e.g., those that would inappropriately limit remedies in the case of non-performance of contractual obligations or liability in the case of a breach of those obligations, or extend the liability of the enterprise on which the term has been unilaterally imposed).
The entity wanting to impose presumptively unfair terms must be able to justify them.
Switching providers & interoperability
The Data Act aims to make switching cloud and edge providers free, fast and fluid. Interoperability refers to the standards, protocols and technologies that allow data to be exchanged between devices and make use of information. This ensures that providers offer technical and contractual compatibility, reducing the barriers to transfers.
Where you provide on-demand network access, you’ll need to ensure that you:
- Facilitate easy switching between providers.
- Remove technical and contractual barriers.
- Design with interoperability in mind (using standard interfaces or data formats).
Notably, the Act will remove all switching charges from 12 January 2027.
Business-to-government data sharing
The Act will allow public sector bodies to access data held by private businesses under certain conditions and where there’s exceptional need (for example, during public emergencies) as well as in non-emergency situations where the data would be in the public interest (the example that the EU has given is for drivers’ GPS systems to help with traffic flows).
Public authorities may request data without compensation during emergencies (such as pandemics and natural disasters) and with fair compensation for non-emergency public interest tasks.
The Act also allows for cross-border data flows but introduces safeguards against unlawful access to non-personal data by foreign or non-EU governments. This requires judicial authorisation and compliance with EU law, although law enforcement and legitimate international cooperation aren’t affected by these provisions.
The public body can’t request the same data more than once.
Protection of trade secrets & IP
Data holders aren’t required to disclose trade secrets unless safeguards are in place. Disclosure can be refused if it risks serious economic harm, subject to review by competent authorities.
Interaction with GDPR
While the GDPR governs personal data, the EU Data Act covers both personal and non-personal data. In cases that involve mixed datasets, GDPR obligations remain fully applicable.
What happens if I fail to comply with the EU Data Act?
Non-compliance with the Act could make you subject to the EU members’ local sanctions regimes. Where there’s personal data involved, you could face GDPR-level fines of €20m or 4% of global turnover.
Additionally, non-compliance with the access rules could lead to civil claims and reputational risks.
Key considerations for businesses that provide products and services in the EU
We’d recommend that you:
- Identify affected products and services and assess data flows.
- Update contracts or terms to reflect data access rights and licensing terms.
- Implement technical infrastructure for real-time data access.
- Review cloud service agreements for portability compliance.
- Implement risk and conflict controls.
- Prepare internal procedures for responding to data requests.
- Identify and safeguard trade secrets and IP before data sharing.
Talk to us
The EU Data Act represents a significant shift in how data is governed, accessed and shared across the European market.
Remember that IoT devices also contain personal data. So along with the EU Data Act, businesses that operate within the EU or offer products or services to EU users must also comply with their data protection obligations under both the EU’s and the UK’s data protection rules.
If you need any help with EU Data Act or GDPR compliance and your obligations, our specialist data protection team is here to support your journey to compliance.
Talk to us by giving us a call on 0333 004 4488, sending us an email at hello@brabners.com or completing the contact form below.
Eleanore Beard
Eleanore is a Legal Director and Data Protection Practitioner in our commercial team.