Data Act

The EU Data Act is a landmark regulation forming part of the EU’s broader data strategy. Its goal is to create a fair, competitive and innovative data economy by ensuring broader access to and sharing of data generated in the EU. It introduces rights for users, obligations for manufacturers, service providers and data holders, and rules on data contracts, portability and interoperability.

The Data Act applies from 12 September 2025 across the European Union. Certain provisions – e.g. cloud switching obligations – will become stricter over time, with free-of-charge switching required by 12 January 2027.

The GDPR focuses on the protection of personal data and individual privacy rights. The Data Act, by contrast, has a broader scope, covering both personal and non-personal data. It regulates data access, sharing, and portability obligations.

Where both apply, the two must be applied concurrently. For mixed datasets, GDPR provisions prevail, and joint controllership situations may arise.

Sanctions are set by individual EU Member States but must be effective, proportionate and dissuasive. Many are expected to align with GDPR penalties, meaning fines can reach up to €20 million or 4% of annual global turnover. Competent authorities will oversee enforcement, and users may lodge complaints in their country of residence, work, or establishment.

The Data Act applies to:

• Manufacturers of connected products (e.g. smart vehicles, tools, IoT devices) placed on the EU market

• Providers of related digital services (including apps controlling connected products)

• Data processing services such as cloud and edge providers

• The regulation applies regardless of where the company is established, as long as products or services are made available in the EU.

The EU Data Act applies from 12 September 2025, with staggered timelines for certain obligations (e.g. free cloud switching by 2027).

“Data” is defined broadly as any digital representation of acts, facts, or information — including sound, visual, and audiovisual content. The Act makes minimal distinction between personal and non-personal data.

Users have the right to access the data they generate:

• Free of charge

• In real time

• In a machine-readable format

• Directly from the product, where feasible (“Data Access by Design”)

Yes. Upon request, data holders must provide data to third parties (“data recipients”) under fair, reasonable, and non-discriminatory (FRAND) terms. This strengthens user control and prevents gatekeeping.

Data sharing must:

• Preserve trade secrets

• Prevent the creation of competing products

• Apply confidentiality and proportionality safeguards

Unilaterally imposed unfair contract terms are invalid. This particularly affects B2B agreements on access, liability, and exclusivity. Companies should review and adapt contracts to ensure compliance.

Data must be shared with EU/national authorities under “exceptional need” circumstances (e.g. public emergencies, or tasks in the public interest). Requests must be limited in scope, justified, and subject to strict timelines (as short as 5 days in emergencies).

Providers must:

• Remove barriers to switching providers

• Support interoperability

• Use standard contractual clauses

• Ensure that by 2027, switching is free of charge

Non-compliance can lead to:

• Administrative penalties by national authorities

• Contractual invalidation

• Significant fines (potentially GDPR-level)

• Operational disruption due to user or authority claims