EU Data Act entering into force ‘should spur business action’

Amsterdam and Munich-based data law experts Andre Walter and Stephan Appt of Pinsent Masons said that the new Data Act could require a wide range of businesses across sectors to update terms of use relating to their connected products and amend data sharing and licensing agreements, among other things.

The Data Act, proposed by the European Commission in 2022 as a core component of the EU's data strategy, was adopted by EU law makers in the European Parliament and Council of Ministers late last year. It came into force on 11 January 2024, though the provisions in the regulation will only begin to apply from 12 September 2025.

The Data Act provides for both business-to-consumer and business-to-business data sharing in respect of data obtained, generated, or collected by connected products or from related services.

‘Data holders’ – a term that applies to a broad variety of businesses, including vehicle and consumer goods manufacturers, providers of commercial infrastructure, healthtech and medical device businesses, and providers of industrial machinery – face a general duty to give users of their products or services access to their product or service data under conditions specified in the Act, which include that the data is provided free of charge and in “a comprehensive, structured, commonly used and machine-readable format”. There are carve outs to the duty, including those that provide protections for trade secrets and which concern cybersecurity.

Users can also request that the data is shared with third parties – ‘data recipients’ – with data holders obliged to make the data available on fair, reasonable and non-discriminatory terms. The Act provides for data holders and data recipients to enter into contractual arrangements governing access to and the use of the data, under which data holders can seek reasonable compensation, while the legislation also sets out contract terms – including in respect of exclusions and limitations on liability – that will automatically be considered unfair and therefore unenforceable by data holders if they unilaterally impose those terms on recipients.

The Data Act further gives public sector bodies qualified powers to require data holders to provide them with data. That power applies if the bodies can demonstrate an exceptional need for the data in the context of using that data to carry out its statutory duties in the public interest. The legislation lists the steps public bodies must take when making such requests and further outlines the steps data holders must take to comply. Data holders are entitled to “fair compensation” where they share data with public bodies, while the regulation also provides for public bodies to share the data it receives with research organisations or statistical bodies.

Other rules contained in the Data Act set out standards for smart contracts to promote the interoperability standards for data to be shared, while the legislation further promotes the interoperability of and switching between ‘data processing services’, including those offered by data centre operators and cloud service providers, and also sets out rules on unlawful third-country governmental access and transfer of non-personal data.

The provisions under the Data Act will take effect in stages: most of the provisions will begin to apply from 12 September 2025, but provisions relating to designing connected products and related services in a manner that makes data available to the user by default will only apply for products and related services placed on the market after 12 September 2026. The rules on unfair contract terms will initially only apply to contracts concluded after 12 September 2025, but from 12 September 2027 those rules will also apply to contracts concluded on or before 12 September 2025 provided that they are of indefinite duration or due to expire at least 10 years from 11 January 2024.

“The Data Act is a wide-ranging piece of legislation that has major implications for thousands of businesses across sectors across the EU,” said Andre Walter of Pinsent Masons.

“The first step businesses should take is to undertake scoping to determine whether the Data Act applies to their products or services. An impact analysis can further help those businesses determine which specific provisions are pertinent to them,” he said.

 “For businesses that will be classed as ‘data holders’ under the Data Act, a data classification exercise will be useful to determine which data is protected by other areas of law, such as trade secrets and other intellectual property, and therefore will not need to be shared under the new legislation,” Walter said.

Stephan Appt added: “A particular concern will be to reconcile GDPR and its privacy-by-design principle with the access-by-default principle under the Data Act. Those who still aren’t clear on which of the data generated by their products and services may qualify as personal data under GDPR will see themselves between a rock and a hard place as they may be at risk of violating either one, GDPR or Data Act, which both come with an equally hefty sanctions regime.”

According to Walter, many data holders will also need to consider “revising their terms of use for connected products and related services or for data processing services”. He said contract remediation may also be required for existing data sharing and licensing agreements “to reflect the new requirements around, for example, fairness and non-discrimination or switching charges”.

Appt added: “For would-be data recipients, the Data Act coming into force should be the spur to consider which data could be liberated under the regulation and used for developing or improving their own products and services.” 

Pinsent Masons' synopsis of the Data Act