
EU: The Data Act - what you need to know

On January 11, 2024, the European Commission issued a press release marking the entry into force of the Regulation on Harmonised Rules on Fair Access to and Use of Data (the Data Act) on the same date, as part of the European Union's (EU) digital strategy. The Data Act aims to facilitate the exchange of data and will become applicable in 20 months, on September 12, 2025. OneTrust DataGuidance Research gives an overview of the Data Act, with further insights provided by Wim Nauwelaerts, Partner at Alston & Bird. 

Definitions

The Data Act provides definitions for terms including processing, data processing service, data recipient, and harmonized standard. It also clarifies that some terms carry the same definitions as under the EU's General Data Protection Regulation (GDPR), notably personal data, data subject, and profiling. Under the Data Act, data is defined as 'any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual, or audiovisual recording.' Importantly, a user is described as 'a natural or legal person that owns a connected product or to whom temporary rights to use that connected product have been contractually transferred, or that receives related services.' On the other hand, a data holder is defined as an individual who has the right to 'use and make available data, including, where contractually agreed, product data or related service data which it has retrieved or generated during the provision of a related service,' in line with the provisions of the Data Act and relevant EU or national law. 

The Data Act describes connected products as any 'item that obtains, generates, or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection, or on-device access, and whose primary function is not the storing, processing, or transmission of data on behalf of any party other than the user.' Any mentions of connected products or related services should be understood to include virtual assistants insofar as they interact with a connected product or related service. In relation to this, product data is defined as the data produced by a connected device which can be retrieved 'via an electronic communications service, physical connection, or on-device access' by users, data holders, or third parties. The Data Act also defines various entities to which its provisions apply, including enterprises, defined as natural or legal persons that, in relation to contracts and practices covered by the Data Act, act 'for purposes which are related to that person's trade, business, craft, or profession.' 

Scope

The Data Act establishes rules to allow users to access and reuse the data generated by the use of their connected devices and applies to the following entities: 

  • manufacturers of connected products placed on the market in the EU and providers of related services, irrespective of the place of establishment of those manufacturers and providers; 
  • users in the EU of connected products or related services as referred to above; 
  • data holders, irrespective of their place of establishment, that make data available to data recipients in the EU; 
  • data recipients in the EU to whom data is made available; 
  • public sector bodies, the European Commission, the European Central Bank, and EU bodies that request data holders to make data available where there is an exceptional need; 
  • providers of data processing services (providers), irrespective of their place of establishment, providing such services to customers in the EU; and 
  • participants in data spaces and vendors of applications using smart contracts and persons whose trade, business, or profession involves the deployment of smart contracts for others in the context of executing an agreement. 

Limitations

The Data Act does not apply to or preempt voluntary arrangements for the exchange of data between private and public entities, in particular voluntary arrangements for data sharing. The Data Act also clarifies that it does not apply to areas that fall outside the scope of EU law and in any event does not affect the competence of the Member States concerning public security, defense, or national security, regardless of the type of entity entrusted by the Member States to carry out tasks in relation to those competences, or their power to safeguard other essential functions, including ensuring the territorial integrity of the State and the maintenance of law and order. The Data Act does not affect the competence of the Member States concerning customs and tax administration or the health and safety of citizens. 

The Data Act is without prejudice to EU and national legal acts providing for the protection of intellectual property rights as well as those that aim to promote the interests of consumers and ensure a high level of consumer protection, protecting their health, safety, and economic interests. 

Interaction with EU data protection law

The Data Act is without prejudice to EU and national law on the protection of personal data, privacy, and confidentiality of communications and integrity of terminal equipment, which shall apply to personal data processed in connection with the rights and obligations laid down therein, in particular the GDPR and the Directive on Privacy and Electronic Communications (the ePrivacy Directive). This includes the powers and competencies of supervisory authorities and the rights of data subjects. The Data Act emphasizes that its provisions must complement those of other EU and national laws, notably the GDPR and the ePrivacy Directive. In the event of a conflict between the Data Act and EU law on the protection of personal data or privacy, or national legislation adopted under such EU law, the relevant EU or national law on the protection of personal data or privacy shall prevail. 

Commenting on its interaction with other EU legislation, Wim notes that the Data Act "fits into the EU's digital transformation strategy by creating a legal framework for ensuring fairness in the allocation of value from data among various actors in the data economy, as well as by fostering access to and use of data." Wim adds that the Data Act "supplements and interacts with a range of different data laws in the EU, including: 

  • The GDPR, which regulates individuals' privacy and the processing of their personal data; 
  • The Free Flow of Non-Personal Data Regulation, which ensures that non-personal data can be stored, processed, and transferred anywhere in the EU; 
  • The Database Directive, which provides for the sui generis protection of databases that have been created as a result of a substantial investment, even if the database itself is not an original intellectual creation protected by copyright; 
  • The Platform to Business Regulation, which imposes transparency obligations, requiring platforms to describe for business users the data generated from the provision of the service; 
  • The Open Data Directive, which sets out minimum rules on the re-use of data held by the public sector and of publicly funded research data made publicly available through repositories; 
  • The Data Governance Act which aims to facilitate the voluntary sharing of data by individuals and businesses and harmonizes conditions for the use of certain public sector data; and 
  • The Digital Markets Act which requires providers of core platform services identified as 'gatekeepers' to provide, inter alia, more effective portability of data generated through business and end users' activities." 

Overview of key provisions

Wim comments that "the Data Act is really a 'potpourri' of data access and sharing rules, focused on a) Internet of Things (IoT)/connected products and related services, and b) data processing services - mainly cloud and edge services." He continues by highlighting that the main benefits for users include "that they are entitled to a) access and use data that is generated through their use of the products or related services, and b) share that data with third parties of their choosing. In addition, customers of cloud and edge services will now find it easier to switch service providers, which helps ensure access to competitive and interoperable data processing services in the EU." 

Data sharing and access rights

Chapter II of the Data Act sets out the obligations and rights of users, data holders, and third parties regarding data access. The Data Act establishes that before concluding a contract for the purchase, rent, or lease of a connected product, the seller, rentor, or lessor, which may be the manufacturer, must provide the following information, among others, to the user in a clear and comprehensible manner: 

  • whether the connected product is capable of generating data continuously and in real time; 
  • whether the connected product is capable of storing data on-device or on a remote server, including, where applicable, the intended duration of retention; and 
  • how the user may access, retrieve or, where relevant, erase the data, including the technical means to do so, as well as their terms of use and quality of service. 

In addition, providers of related services must provide users with certain information in a clear, comprehensible manner before concluding a contract for the provision of such services, including: 

  • the nature, estimated volume and collection frequency that the prospective data holder is expected to obtain, and, where relevant, the arrangements for the user to access or retrieve such data; 
  • the nature and estimated volume of related service data to be generated, as well as the arrangements for the user to access or retrieve such data; 
  • the identity of the prospective data holder; 
  • the means of communication that make it possible to contact the prospective data holder quickly and communicate with that data holder efficiently; and 
  • how the user can request that the data be shared with a third party and, where applicable, end the data sharing. 

Importantly, the scope of these obligations does not apply to data generated through the use of connected products manufactured or designed, or related services provided by a microenterprise or a small enterprise, in certain circumstances. In contrast, these obligations apply to data generated through the use of connected products manufactured by or related services provided by an enterprise that has qualified as a medium-sized enterprise for less than one year and to connected products for one year after the date on which they were placed on the market by a medium-sized enterprise. Any contractual term that excludes the application of, derogates from, or varies the effect of user rights will not be binding on the user. 

Access requests

In regard to access rights, data holders must make readily available data (and any metadata necessary to interpret and use the data) available to users who cannot directly access it from the connected product or related service. This should be done without undue delay in an easy, secure, and free-of-charge manner. Data must be in a comprehensive, structured, commonly used, and machine-readable format and, where relevant and technically feasible, continuously and in real time. Users should be able to request access by electronic means where possible. In addition, upon request by a user or a party acting on their behalf, data holders must make readily available data and metadata available to a third party under the same conditions as above. Importantly, however, users and data holders can contractually restrict or prohibit access to, use, or further sharing of data if this processing could undermine the security requirements of the connected product and result in health, safety, or security risks to natural persons.

The Data Act confirms that users must not use any of the data obtained from a request to develop a connected product that competes with the connected product from which the data originates, nor must they share data with third parties for the same purpose. Users and third parties must also not use coercive means, or abuse gaps in the technical infrastructure of a data holder that is designed to protect the data, in order to obtain access to data. More generally, the Data Act stipulates that any processing of personal data must comply with existing EU and national laws, such as the GDPR, and data holders must not make non-personal product data available to third parties for commercial or non-commercial purposes other than the fulfillment of their contract with the user.

Third parties

Third parties must process the data made available to them only for the purposes and under the conditions agreed with the user and subject to EU and national law on the protection of personal data, including the rights of the data subject insofar as personal data is concerned. The third party must also erase the data when it is no longer necessary for the agreed purpose, unless otherwise agreed with the user in relation to non-personal data. According to Wim, this will be a challenge as third parties will need to "implement internal processes for ensuring that the data is used in accordance with the user's wishes." However, Wim adds that "it is unclear how users will be able to verify that the third party is honoring their agreement." 

Making data available

The Data Act sets out conditions under which data holders must make data available to data recipients, as well as compensation between the parties for making the data available. In particular, where data holders are obliged to make data available to a data recipient, they must agree to the arrangements for making the data available and shall do so under fair, reasonable, and non-discriminatory terms and conditions and in a transparent manner. With regard to compensation, the Data Act outlines that this may depend on the volume, format, and nature of the data, and should take into account the costs incurred in making the data available and any investments in the collection and production of data. However, compensation must not exceed the costs incurred in making data available where the data recipients are small or medium-sized enterprises (SMEs) or not-for-profit research organizations. 

The Act stipulates technical protection measures to prevent unauthorized access to data. Data holders may apply appropriate technical protection measures, including smart contracts and encryption, to prevent unauthorized access to data but such measures must not discriminate against user rights. Users, third parties, and data recipients must not alter or remove such technical protection measures unless agreed upon with the data holder. Furthermore, the Data Act outlines scenarios in which third parties or data recipients must comply with requests from data holders.

Unfair contractual terms and making data available to public bodies

Chapter IV of the Data Act addresses contractual terms which, if unfair, will not be binding. The Act outlines terms that will be considered unfair, including those that grossly deviate from good commercial practice in data access and use, that are contrary to good faith and fair dealing, or that inappropriately limit remedies in the case of non-performance of contractual obligations or liability in the case of a breach of those obligations. 

Public sector bodies, the Commission, the European Central Bank, and EU bodies data sharing

If a public sector body, the Commission, the European Central Bank, or an EU body demonstrates an exceptional need, they may send a request for access to the data holders. Exceptional needs include where: 

  • the data requested is necessary to respond to a public emergency; 
  • the data is required to complete specific tasks in the public interest, such as to produce official statistics or to mitigate or recover from a public emergency; and
  • bodies have exhausted all other means to obtain such data. 

Wim comments that "in some cases, data holders and public sector bodies will have different views on what constitutes an 'exceptional need,' which may result in less data sharing than initially anticipated by the EU lawmakers." 

In relation to providing public sector bodies, the Commission, the European Central Bank, and EU bodies with access to data, the Data Act does not affect obligations under EU and national law 'for the purposes of reporting, complying with requests for access to information or demonstrating or verifying compliance with legal obligations.' The provisions under the Data Act also do not apply to those bodies 'carrying out activities for the prevention, investigation, detection, or prosecution of criminal or administrative offenses or the execution of criminal penalties, or to customs or taxation administration.'

Responding to requests

Data holders must respond to requests without undue delay but can decline or seek modification no later than five working days after the receipt of a request for the data necessary to respond to a public emergency and, in any event, no later than 30 working days after the receipt of such a request in other cases of an exceptional need, on any of the following grounds: 

  • the data holder does not have control over the data requested; 
  • a similar request for the same purpose has been previously submitted by another body and the data holder has not been notified of the erasure of the data; and
  • the request does not meet the conditions laid down in the Data Act.

Where the public sector body, Commission, European Central Bank, and EU bodies wish to challenge a refusal, or the data holder wishes to challenge the request and the matter cannot be resolved by a modification to the request, the matter will be referred to the competent authority. Importantly, where the data requested includes personal data, the data holder must anonymize the data, unless compliance with the request to make data available requires the disclosure of personal data. In such cases, the data holder shall pseudonymize the data. 

Compensation

Data holders will also be entitled to fair compensation covering the costs incurred to comply with the request including, where applicable, the costs of anonymization, pseudonymization, aggregation, or technical adaptation. However, this does not apply in the case of an exceptional need to complete specific tasks carried out in the public interest. If a body disagrees with the amount of compensation, it can lodge a complaint with the competent authority.

Switching between data processing services and interoperability

The Data Act allows customers to easily switch to a data processing service covering the same service type, to switch to on-premises ICT infrastructure, or to use several providers at the same time. Providers must not impose and must remove any pre-commercial, commercial, technical, contractual, and organizational obstacles that inhibit customer rights. Wim highlights that key challenges for providers include "to ensure, depending on the type of service, a) that the switching customer enjoys 'functional equivalence' in the use of the new service; and b) compatibility with open interoperability specifications, while making open interfaces available free of charge. Service providers will need to consider carefully how they can operationalize these requirements." 

The rights of the customer and the obligations of the provider must be clearly set out in a written contract and must include clauses allowing the customer, upon request, to switch to a data processing service offered by a different provider or to port all exportable data and digital assets to an on-premises ICT infrastructure no later than the mandatory maximum transitional period of 30 calendar days. Providers must provide reasonable assistance to the customers and third parties authorized by the customer during this period, ensuring a high level of security. The maximum notice period for initiation of the switching process must not exceed two months. 

Information obligation of providers and contractual transparency on international access and transfer

Providers of data processing services are obligated to provide customers with information on the available procedures for switching and porting data to the data processing service, including the available switching and porting methods and formats as well as restrictions and technical limitations known to the provider. They must also provide customers with a reference to an up-to-date online register hosted by the provider with details of all the data structures, data formats, and the relevant standards and open interoperability specifications.

There are further contractual transparency obligations on international access and transfers, and providers must ensure that information is kept up-to-date and is available on their websites. A list of such websites must also be included in the contracts for all data processing services offered by the provider. The information available should detail the jurisdiction to which the ICT infrastructure deployed for data processing is subject and a general description of the technical, organizational, and contractual measures adopted by the provider to prevent international governmental access to or the transfer of non-personal data held in the EU, where such access or transfer would conflict with EU law or the national law of the relevant Member State. 

Switching charges

From January 11, 2024, to January 12, 2027, providers may impose reduced switching charges on the customer for the switching process but may not impose any charges from January 12, 2027. The reduced switching charges must not exceed the costs incurred by the provider that are directly linked to the switching process concerned. 

International governmental access and transfer

Chapter VII stipulates that providers must take all necessary measures to prevent international and third-country governmental access to, and transfer of, non-personal data held in the EU where such transfer or access would create a conflict with EU or national law. Any decision or judgment of a third-country court or tribunal and any decision of a third-country administrative authority requiring a provider to transfer or give access to non-personal data falling within the scope of the Data Act and held in the EU will be recognized or enforceable only if based on an international agreement in force between the requesting third country and the EU, or any such agreement between the requesting third country and a Member State. If no such international agreement exists, a transfer can only take place in very specific circumstances, such as where the third-country system requires the reasons and proportionality of such a decision or judgment to be set out and requires it to be specific in character, such as by establishing a sufficient link to certain suspected persons or infringements. 

Addressees of a decision or judgment may ask the opinion of the relevant national body or authority competent for international cooperation in legal matters, and that body or authority may consult the Commission. Addressees may also ask the opinion of the relevant national body or authority if they consider that the decision or judgment may impinge on the national security or defense interests of the EU or its Member States. If addressees do not receive a reply within one month, or if the opinion of such body or authority concludes that the conditions laid down in Article 32 are not met, addressees may reject the request for transfer or access to non-personal data on those grounds. On the other hand, if such conditions are met, providers must provide the minimum amount of data permissible, on the basis of the reasonable interpretation of that request by the provider or relevant national body or authority, as well as inform the customer about the existence of a request of a third-country authority to access its data before complying with that request, except where the request serves law enforcement purposes. 

Wim describes that a "particularly thorny question is whether cloud service providers dealing with mixed data sets will be able to marry the restrictions on foreign governments' access to non-personal data (in Article 32 of the Data Act) with the restrictions on transfers of personal data in (Chapter V of) the EU GDPR. Cloud companies may be required to perform a risk assessment that is separate from, and additional to, a possible transfer impact assessment for EU GDPR purposes." 

Interoperability

The Data Act provides that all participants in data spaces must adhere to specific requirements to facilitate the interoperability of data. These requirements include describing dataset content, use restrictions, licenses, data collection methodology, and technical means to access such data sufficiently. The Commission is empowered to adopt delegated acts to ensure compliance with the requirements for interoperability and must take the advice of the European Data Innovation Board (EDIB) into account.

Further specifications of harmonized standards for the interoperability of data processing services include enhancing the portability of digital assets between different data processing services that cover the same service type and ensuring no adverse impact on the security and integrity of data processing services and data. This covers cloud interoperability, cloud data portability, and cloud application aspects. 

In relation to smart contracts, the Data Act outlines specific requirements for their use. Specifically, the Data Act stipulates that such contracts must, among other things, have a high level of robustness and access controls, safe termination and interruption operations, and data archiving and continuity, as well as ensuring consistency with the data sharing agreement terms agreed upon.

Enforcement

Supervisory authorities

EU Member States will designate one or more competent authorities responsible for the enforcement of the Data Act. If multiple authorities are designated, Member States should designate one as the coordinating competent authority to ensure the consistent application of the provisions of the Data Act. Member States must communicate the names of all authorities to the Commission which will maintain a public register of such authorities. The EDIB will facilitate the cooperation between competent authorities and will advise the Commission on developing consistent practice of competent authorities. Competent authorities shall remain free from any external influence, whether direct or indirect, and shall neither seek nor take instructions from any other public authority or any private party. 

All independent supervisory authorities shall be responsible for monitoring the application of the Data Act and its provisions insofar as the protection of personal data is concerned. However, Wim notes that "the existing GDPR supervisory authorities will already be responsible for enforcement of the Data Act if processing of personal data is involved. This is likely to increase supervisory authorities' workloads."

Competent authorities have the power to request from users, data holders, or data recipients, or their legal representatives, falling under the competence of their Member State all information necessary to verify compliance with the Data Act. Any request for information must be proportionate to the performance of the underlying task and shall be reasoned. A competent authority that requests assistance or enforcement measures from a competent authority in a different Member State must submit a reasoned request. Upon receiving a request, the competent authority must provide a response and detail the actions taken or that are intended to be taken without undue delay. Competent authorities shall respect the principles of confidentiality and professional and commercial secrecy and shall protect personal data in accordance with EU or national law. Any information exchanged in the context of a request for assistance and provided pursuant to the provisions of the Data Act shall be used only in respect of the matter for which it was requested. 

Right to lodge a complaint and to an effective judicial remedy

Without prejudice to other administrative or judicial remedies, individuals have the right to lodge a complaint, individually or collectively, with the relevant competent authority in the Member State of their habitual residence, place of work, or establishment if they consider that their rights under the Data Act have been infringed. The competent authority will inform the complainant of the progress of the proceedings and of the decision taken.

Competent authorities shall cooperate to handle and resolve complaints, including by exchanging all relevant information by electronic means without undue delay. This cooperation shall not affect the specific cooperation mechanism provided for by the GDPR. Where a competent authority fails to act on a complaint, any affected individual shall, in accordance with national law, either have the right to an effective judicial remedy or access to review by an impartial body with the appropriate expertise. More generally, notwithstanding any administrative or other non-judicial remedy, any affected natural and legal person shall have the right to an effective judicial remedy with regard to legally binding decisions taken by competent authorities. 

Dispute settlements

Users, data holders, and data recipients can refer matters to a dispute settlement body. Member States must ensure that dispute settlement bodies are impartial and independent, have the necessary expertise, and can adopt decisions efficiently and in a cost-effective manner. Dispute settlement bodies must make the fees, or the mechanisms used to determine the fees, known to the parties concerned before they request a decision. Such bodies must adopt their decision on a matter referred to them within 90 days of receipt of a request. The decision must be issued in writing supported by a statement of reasons.

Where disputes are ruled in favor of the user or the data recipient, the data holder shall bear all fees and must reimburse that user or data recipient for any other reasonable expenses incurred in relation to the dispute settlement. On the other hand, where the dispute rules in favor of the data holder, the user or the data recipient will not be required to reimburse any fees or other expenses to the data holder, unless the dispute settlement body finds that they acted in bad faith. 

Dispute settlement bodies are also responsible for publishing annual activity reports that may include information on the most common reasons for disputes and the average time taken to resolve disputes. Bodies may also include recommendations as to how problems can be avoided or resolved in these reports.

Penalties

Member States shall lay down the rules on penalties applicable to infringements of the Data Act and shall take all measures necessary to ensure that they are implemented. Penalties provided must be effective, proportionate, and dissuasive. Member States must also take into account certain criteria for the imposition of penalties, including the nature, scale, and duration of infringements, actions taken by the infringing party to remedy the damage, and previous infringements by the infringing party. Member States must notify the Commission of those rules and measures by September 12, 2025, and shall notify it without delay of any subsequent amendment affecting them. The Commission will regularly update and maintain an easily accessible public register of those measures. 

For certain infringements of the Data Act, supervisory authorities may, within their scope of competence, impose administrative fines in line with the provisions of the GDPR.

Conclusion

The Data Act will be applicable from September 12, 2025. However, the obligation resulting from Article 3(1) - requiring connected products and related services to be designed and manufactured in such a manner that product data and related service data be directly accessible to the user - will apply to connected products and their related services placed on the market after September 12, 2026. Chapter IV which addresses unfair contractual terms will apply from September 12, 2027, to contracts concluded on or before September 12, 2025, provided that they are of indefinite duration or are due to expire at least 10 years from January 11, 2024. 

Isabelle Strong, Editor

With comments provided by: 
Wim Nauwelaerts, Partner
Alston & Bird, Brussels 