How the EU Data Act affects businesses and consumers

The European Union's Data Act sets new rules to regulate the way data holders and users can manage and use the vast amounts of data generated by connected devices. We look at what this means for personal and non-personal data sharing, and at the obligations laid down by the regulation.
Published by Usercentrics
May 26, 2024

The Internet of Things (IoT) has seen exponential growth in Europe. In 2022, the IoT market in this region alone recorded a revenue of USD 47.7 billion. This upward trajectory is set to continue, with the market expected to reach USD 122.7 billion by 2030.

This surge matters not only in monetary terms but also in the volume of data generated. It is powered by an ever-increasing number of connected devices, from wearables to home appliances and industrial machinery, which are expected to generate about 175 zettabytes of data by 2025.

The European Union’s Data Act (EU Data Act) aims to maximize the potential of this vast data reserve by laying down comprehensive rules on who can use and access various types of data and under which conditions.

What is the EU Data Act?

The EU Data Act is a European Union regulation that establishes guidelines for data handling, sharing, and usage across the EU. It covers personal and non-personal data and specifically addresses data generated by IoT devices, referred to as “connected products” under the regulation, as well as related services.

The Data Act defines who can create value from data, specifying that parties beyond the original manufacturers or data holders — like service providers and end-users — can access data generated by connected products and related services under specific conditions. It aims to regulate sharing of data in a manner that protects the data while making data portability and interoperability easier.

The regulation enables more data to be securely available for use by a wider variety of entities, supporting the objectives of the Digital Markets Act (DMA) to foster innovation and a competitive digital economy.

What is data under the EU Data Act?

The regulation defines “data” as “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording.”

This scope captures an array of data types generated in the digital space, specifically data that is:

  • generated from connected products or services, including the metadata necessary to interpret and use that data, and data produced by a related virtual assistant
  • processed by data processing services, such as cloud computing and edge computing services, which handle and store vast amounts of data for various applications
  • held by the private sector that is necessary to respond to a public emergency or to perform a specific task carried out in the public interest

The definition of data includes both personal and non-personal data. However, Art. 1(5) of the regulation specifies that it will not affect the applicability of the EU’s data protection laws that govern personal data, viz. the General Data Protection Regulation (GDPR) and ePrivacy Directive. Instead, it complements the GDPR, which takes precedence in matters relating to personal data, while the EU Data Act focuses on non-personal data.

When will the EU Data Act come into effect?

The Data Act was agreed by the co-legislators in June 2023 and has been in force since January 11, 2024. It will become applicable on September 12, 2025.

As a regulation, it becomes immediately enforceable in all EU member states upon its effective date, and does not require each country to implement it into national law.

Objectives of the EU Data Act

The Data Act sets out several objectives to enhance the data economy of the EU:

  • Enables users of connected products to access the data generated by these devices
  • Enables public sector bodies to access and use data held by the private sector to help respond to public emergencies
  • Protects European businesses, especially small and medium-sized enterprises, from unfair contractual terms related to data-sharing imposed by larger corporations
  • Simplifies the process for customers to switch between cloud service providers without facing prohibitive barriers
  • Safeguards against unlawful requests by third-country authorities for the transfer of, or access to, non-personal data stored within the EU
  • Introduces measures to promote the development of interoperability standards for data sharing and data processing services

Who does the EU Data Act apply to?

Art. 1(3) stipulates that the regulation applies to:

  • manufacturers of connected products and suppliers of related services placed on the market in the EU
  • users of such connected products or related services located in the EU
  • data holders (legal or natural persons) that make data available to data recipients in the EU
  • data recipients in the EU to whom data are made available
  • public sector bodies, the European Commission (EC), the European Central Bank, and EU bodies that request data holders to make data available where there is an exceptional need for that data for the performance of a task carried out in the public interest, and the data holders that provide those data in response to such a request
  • providers of data processing services offering such services to customers in the EU
  • participants in data spaces and vendors of applications using smart contracts and persons whose trade, business, or profession involves the deployment of smart contracts for others in the context of executing an agreement

Like the GDPR, it applies equally to EU and non-EU businesses, even if they are not established or present in the European Union, if they:

  • offer connected products, related services, or data processing services to customers in the EU; or
  • are data holders under the regulation that make data available to data recipients in the EU


What are users’ rights under the EU Data Act?

Under the Data Act, the term “user” encompasses any natural or legal person who owns, rents, or leases a connected product or receives a related service. The regulation confers several significant rights on these users.

Right to access and use data

Users have the right to access data generated by their use of a product or service in a timely manner and to share this data with third parties of their choice, except for third parties that are designated gatekeepers under the DMA.

Under Recital 30, the user should be free to use the data for any lawful purpose, including switching service providers.

Transparency before contract conclusion

Art. 3 stipulates the minimum information the user must receive before concluding a contract to buy, rent, or lease a connected product or obtain a related service. This information includes, among other things:

  • the type, format, and estimated volume of product data that the connected product can generate
  • whether data will be generated continuously and in real-time
  • details about whether the connected product can store data on-device or on a remote server, including how long it will retain the data
  • how the user may access, retrieve, or erase the data
  • whether the data will be used by the manufacturer or service provider, or if a third party may use the data and for what purpose
  • the trading name and address of the prospective data holder and details of any other data processing parties
  • means of communication available for contacting the data holder efficiently
  • the process for requesting that data be shared with a third party and to end the data sharing
  • the user’s rights to lodge a complaint regarding any infringement of the regulation’s provisions
  • information on whether the data includes trade secrets and the identity of the trade secret holder if different from the data holder
  • the duration of the contract with the data holder and the conditions for its termination

Right to lodge complaints

If users believe their rights under the regulation are being violated, they have the right to lodge a complaint with the competent authority. Art. 39 of the Data Act further provides the right to an effective judicial remedy with regard to legally binding decisions of a competent authority, and judicial remedy or review by an impartial body where a competent authority fails to act on a complaint brought forward under the regulation.

What are the obligations under the EU Data Act?

The EU Data Act lays down certain requirements and obligations for four categories of persons affected: data holders, users, third parties, and data processors.

Obligations of data holders

The EU Data Act defines a data holder as any legal or natural person who has the right or obligation, under the regulation or applicable EU/national law, to use data and make certain data available.

The responsibilities of data holders are designed to ensure broad access to data while protecting the integrity and confidentiality of the information.

Data holders must ensure that data generated through the use of connected products and related services is accessible to users (and to third parties at a user’s request). This accessibility should be direct whenever possible, and, where users cannot directly access the data, data holders should make it accessible without undue delay. Products and services must be designed and manufactured in a way that facilitates this data accessibility. However, if the data in question is protected as a trade secret, it must only be disclosed under conditions that preserve confidentiality.

In exceptional cases, such as a public emergency or for tasks in the public interest, data holders must make data available to public sector bodies or EU institutions. These bodies may further share the data for non-commercial scientific research or statistical and analytical purposes under specific conditions.

Data provided to users and public bodies should be free of charge. If the data is provided to a third-party recipient, it must be for a reasonable, contractually agreed upon compensation that considers the cost of collecting, producing, and making the data accessible, as well as the size of the recipient’s enterprise and guidelines from the European Commission.

Data holders must not use data to derive insights about the user’s economic situation or to undermine the user’s commercial position. This provision protects the competitive integrity of data users.

Where personal data is involved and the user is not the data subject under the GDPR, the data can only be made available if there is a valid legal basis under the GDPR. This stipulation ensures that the data holder’s obligations under the EU Data Act align with the broader data protection requirements under the GDPR.

These obligations collectively ensure that data holders manage data responsibly, prioritize user access and rights, and respond appropriately to broader societal needs while maintaining compliance with established data protection laws.

Obligations of users

The EU Data Act confers rights on users and imposes certain obligations on them to ensure the integrity and fairness of the data economy.

Users must handle the data they receive responsibly, without compromising the security of the connected product or related service. This means they should avoid actions that might compromise the functional integrity or security protocols of these systems. The regulation also explicitly prohibits users from using the data they receive to develop a competing product.

If the data involves trade secrets or confidential information, users are required to take appropriate measures to maintain confidentiality. This includes adhering to agreed-upon protocols, which could result in restrictions on data sharing.

While users have the right to share their data with a third party, they are prohibited from sharing the data with any entity designated as a gatekeeper under the DMA.

These obligations emphasize the need for users to handle data responsibly, respecting the legal frameworks intended to foster a secure and competitive market environment.

Obligations of third parties

Under Recital 35 of the EU Data Act, data generated through the use of a connected product or related service should only be made available to third parties at the explicit request of the user.

Third parties who receive data at a user’s request must not use the data:

  • in a way that adversely affects the security of the connected product or related service
  • in a way that undermines the confidentiality of trade secrets
  • to develop competing products, or share it with another party for that purpose; or
  • to derive insights on the economic situation of the data holder

Third parties are bound by the same restriction as users regarding sharing that data with gatekeepers under the DMA and are prohibited from doing so. Third parties may also not share data with another third party unless permitted by a contract with the user.

When it comes to personal data, third parties must comply with the GDPR. They are not permitted to process personal data for profiling purposes unless it is strictly necessary to provide a service that the user has explicitly requested.

By setting out these obligations, the EU Data Act seeks to ensure that third parties engage in responsible data practices, respect user choices, and contribute to a healthy, competitive market for data-driven products and services.

Obligations of data processing services

The Data Act places specific obligations on data processing services, which include but are not limited to networks, servers, cloud service providers, and other virtual or physical infrastructure and software that enable digital operations.

Data processing services must enable their customers to switch to a different data processing service provider or to use multiple providers simultaneously. To accomplish this, they must remove commercial, technical, contractual, and organizational barriers that could hinder such transitions. These services must ensure that the data remains secure during the switching process in accordance with applicable EU and national laws.

The EU Data Act permits data processing services to charge customers “reduced switching charges” for a period of three years until January 12, 2027. After this date, they cannot impose any switching fees on customers.

Data processing services must inform customers about how to switch to another service and provide a current online resource that details the exported data’s structures, formats, standards, and interoperability specifications.

They are required to implement appropriate technical, legal, and organizational measures to prevent international and third-country governmental access to, and transfer of, non-personal data held within the EU, where such transfer or access would contravene EU or member state laws.

What is the relationship between the EU Data Act and the GDPR?

The EU Data Act and the GDPR are complementary regulatory frameworks, each playing a critical role in shaping Europe’s digital economy with respect to data management and protection.

The Data Act enhances the GDPR, particularly in the area of data portability. Under the GDPR, the right of data subjects to receive their data (data portability) allows them to move their personal data between controllers under certain conditions, namely:

  • it applies only to personal data that a data subject has provided to a controller; or
  • where the processing is based on the data subject’s consent or on a contract.

The Data Act expands this concept by applying data portability not just to personal data but also to non-personal data generated by the use of connected products and related services. This expansion enables consumers to access and transfer a broader scope of data generated by their devices, thus enhancing consumer control over both personal and industrial data.

In Recital 7, the Data Act clarifies that it does not introduce a new legal basis for the processing of personal data by the data holder. It does not permit data holders to provide access to personal data or make it available to a third party when merely requested by a user who is not the data subject. This is significant in maintaining the integrity of the GDPR’s protections, ensuring that the Data Act does not inadvertently allow for personal data to be accessed or transferred without proper legal grounds.

In scenarios where the user is not the individual to whom the personal data pertains (i.e., not the data subject) but is an enterprise, the user assumes the role of a data controller under the GDPR. As a data controller, the user must establish that they have a legal basis for processing the personal data, such as obtaining explicit consent from the data subject.

Enforcement and penalties under the EU Data Act

The regulation outlines directions for establishing enforcement authorities and the penalties that may be levied for infringement.

Who will enforce the regulation?

Each EU member state has the autonomy to designate one or more competent authorities to enforce the Data Act. Member states may choose to establish new authorities specifically for this purpose or extend the mandate of existing authorities to include enforcement powers under this regulation.

Supervisory authorities that are already established under the GDPR will be responsible for monitoring the application of the Data Act with respect to personal data. Where the regulation applies to the European Commission, European Central Bank, or EU bodies, the European Data Protection Supervisor will be responsible for monitoring its application.

The regulation empowers both natural and legal persons to actively participate in the enforcement process with the right to lodge a complaint (Art. 38) and right to an effective judicial remedy (Art. 39).

What are the possible penalties under the regulation?

Each EU member state holds the authority to determine its own rules regarding penalties for infringement of the Data Act and the necessary measures to implement them (Art. 40). Member states must communicate these rules and their implementation measures to the European Commission by September 12, 2025.

While determining penalties, member states must consider the recommendations and criteria of the European Data Innovation Board, including, among other things:

  • nature, gravity, and scale of the infringement
  • any actions the infringing party has taken to reduce or remedy the damage caused by the infringement
  • any prior infringements by the infringing party
  • financial benefits that the infringing party gained or losses they avoided as a result of the infringement
  • other aggravating or mitigating factors applicable to the case
  • infringing party’s annual turnover in the EU in the previous financial year

For infringements related to the rights and obligations of data holders, users, and third parties under Chapters II, III, and V of the Data Act, the supervisory authorities responsible for monitoring the application of the GDPR have the power to impose administrative fines in accordance with the GDPR. These penalties can be substantial, reaching up to EUR 20 million or up to 4% of a company’s annual worldwide turnover for the preceding financial year, whichever is higher.

For infringements related to the obligations for making data available to public sector bodies, the European Commission, the European Central Bank, and EU bodies under Chapter V, the European Data Protection Supervisor may impose fines under Regulation (EU) 2018/1725. These fines can reach up to EUR 50,000 per infringement and up to a total of EUR 500,000 per year.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.