Is your company ready for the Data Act ?

The Data Act (Regulation (EU) 2023/2854) marks a profound shift in how data, including non-personal data, is accessed, used, and shared within the European data economy by introducing a comprehensive framework that promotes fair and balanced data-sharing through common rules for data generated by connected products and related services across the EU.

It also introduces important safeguards against unfair contract terms in data-sharing agreements and facilitates switching between data processing services. 

The Data Act came into force on 11 January 2024 and introduces a uniform set of rules that will apply directly across all EU Member States as of 12 September 2025 for most of them.

The Data Act focuses on data in relation to the use of connected products or related services.

• A “connected product” is defined as any item that obtains, generates, or collects data about its usage or environment and is capable of transmitting such data via electronic communication services, physical connections, or on-device access and whose primary function is not storage, processing, or transmission of data on behalf of any party other than the user. Examples of connected products are IoT products, vehicles, wind turbines, industrial machines, etc.
• A “related service” is a digital service connected to the operation of a connected product that impacts its functionality, such as by transmitting data or commands to the device. Two conditions must be met to be considered as a related service: (i) there must be a two-way exchange of data between the connected product and the service provider and (ii) the service must affect the connected product’s functions, behaviour or operation (e.g., an app to regulate the brightness of lights).

The scope of the Data Act encompasses both private and public entities that operate or manage connected products and related services within the European Union. Therefore, the Data Act will have a significant impact on a wide range of actors operating in technology, manufacturing, cloud services, and data analytics.

B2B and B2C data sharing

The Data Act grants users of connected products the right to access data generated by those products and to share that data with third parties of their choice.

Manufacturers and service providers must ensure that connected products are designed and configured in such a way that users can exercise their rights easily, securely, and in a structured and commonly used format. The Data Act further establishes specific provisions governing circumstances in which data holders are obligated to grant access to data upon request by authorized data recipients. While facilitating greater data availability and fostering data-driven innovation, the regulation also recognizes the rights of data holders to seek reasonable compensation for providing such access, ensuring a fair balance between promoting data sharing and protecting the legitimate interests of data owners.

Contractual fairness

Unfair contractual terms relating to data access, usage, or liability, which have been unilaterally imposed by one undertaking on the another (e.g., deny the other party adequate remedies in case of a breach) are prohibited by the Data Act. A clause is considered unfair if it significantly deviates from established principles of good commercial practice regarding data access and use, thereby breaching the standards of good faith and fair dealing.

The Regulation goes further by explicitly identifying certain clauses as either inherently unfair or presumptively unfair. Clauses falling within the blacklist are categorically prohibited.

To assist stakeholders in ensuring compliance, the European Commission has released non-binding Standard Contractual Clauses (SCCs) and Model Contract Terms (MCTs).

B2G data sharing

The Data Act also foresees for public bodies to access data held by private entities under certain terms and conditions where there is an exceptional need. This means that a public sector body may oblige a data holder to make available certain data without undue delay to respond to a public emergency.

Cloud switching

The Data Act aims to enhance competition in the market for cloud and edge services requiring providers to facilitate customer switching between different data processing services. As from 12 January 2027 all switching costs must be eliminated. As a result, providers will not be able to charge their customers for the operations that are necessary to facilitate the switching between data processing services (for a more in-depth analysis, please refer to our previous e-zine).

Each Member State must designate at least one competent authority for the enforcement of the Data Act. These authorities are expected to coordinate closely with existing sectoral and data protection regulators since the Data Act reinforces but does not replace the GDPR.

In Belgium, the government has indicated that the Belgian Institute for Postal Services and Telecommunications (BIPT) will be the national authority.

Each member state must also set out penalties for violations of the Data Act. Examples of penalties are warnings or reprimands, orders for compliance and fines. These sanctions must be effective, proportionate, and dissuasive. So far, Belgium has not yet enacted a legislation in that respect.

The Data Act brings challenges mainly for manufacturers of connected products and data processing service providers.

Companies must assess whether their activities fall within the scope of the Data Act.

If so, they are required to ensure that data generated by connected devices is made accessible to users in a secure and structured manner. This obligation may necessitate technical adjustments to product design and the implementation of new data governance policies.

Existing commercial contracts must be reviewed and, where necessary, amended to eliminate unfair terms and ensure alignment with the requirements of the Data Act. This includes updating cloud service agreements to comply with new rules on provider switching and interoperability.

Companies must clearly communicate what types of data are collected, how that data is stored, and how users may exercise their rights of access. In certain cases, connected products and related services must be designed in accordance with the principle of “access by design” ensuring that data is readily and securely available to users.