With all the excitement over the EU’s AI Act and the UK’s data protection reforms, there is another piece of legislation coming into force soon which may have been somewhat overlooked – the EU’s so-called Data Act. It’s quite a complex piece of legislation and if you start looking into it you’ll end up down a rabbit hole, so we’ll try to keep things simple in this article.
Also known as Regulation (EU) 2023/2854, the Data Act establishes new harmonised rules on access to data, switching cloud providers and interoperability requirements across the EU. Data in this context means both personal and non-personal data.
It applies to companies operating and managing connected products or related services in the EU, even if they are not based in the EU.
What does the Regulation do?
The new rules enable users of connected products to access the data generated by these devices and to share such data with third parties. Products put on the market after 12 September 2026 must be designed with this data sharing in mind, although there is flexibility about how data can be provided to a consumer. Certain pre-contractual information must also be given to consumers.
Public sector bodies will be able to access and use data held by the private sector to help respond to public emergencies such as floods and wildfires, or when implementing a legal mandate where the required data is not readily available through other means.
For contracts entered into after 12 September 2025, the Data Act bans unfair contractual terms in data sharing contracts that one contracting party unilaterally imposes on the other. A standard term can be considered unfair if its use grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing. The Act also includes a blacklist (terms which are always unfair) and a grey list of clauses (unfair unless shown not to be). It isn’t clear how these requirements would apply to an English law contract. The European Commission is due to publish non-mandatory standard contractual clauses for data processing service contracts by 12 September 2025. From September 2027, these requirements will also apply retrospectively to any contract (i.e. not just those entered into after 12 September 2025) if it provides for an indefinite term or is due to expire 10 years from 11 January 2024 at the earliest. Contracts with consumers will be subject to consumer protection laws, but the Data Act requires all B2B data sharing contracts to be on terms that are fair, reasonable and non-discriminatory (FRAND) and imposes a reverse burden of proof on data holders to prove that their terms and conditions are non-discriminatory. SCL readers will be aware that FRAND terms in the IP licensing area have been fraught with difficulty.
Furthermore, the Data Act aims to allow customers to switch seamlessly (and free of charge from January 2027) between different cloud providers. This aims to promote competition and choice on the market while preventing vendor lock-in. However, although fees related to the actual switching process will no longer be permitted, early termination charges can still be levied as long as they are proportionate to the loss a supplier suffers because someone terminates a contract early, e.g. the balance of a subscription.
The Data Act also includes safeguards against unlawful requests by third-country authorities to transfer or access non-personal data held in the EU.
Finally, the Data Act introduces measures to promote the development of interoperability standards for data-sharing and for data processing services, in line with the EU’s standardisation strategy.
The Data Act reviews certain aspects of the Database Directive, which was created in the 1990s to protect investments in the structured presentation of data. It clarifies that the directive cannot be used to prevent data generated by a connected product or related service from being accessed.
Data holders will want to make sure that, if they disclose data, it cannot be used to create competing products and/or train AI models. However, they will only be able to refuse requests to share their trade secrets in exceptional circumstances. They can, though, agree proportionate technical and organisational measures (for example, confidentiality agreements, model contractual terms, access protocols, technical standards, and codes of conduct) to protect their interests. There are limited rights to refuse disclosure altogether. As a result, and as with FRAND, it is likely that there will be a lot of litigation in this area in future.
Enforcement
Each member state must assign at least one competent authority to enforce the Act. If a company is established in multiple member states, it will be subject to the regulator in the member state where it has its main establishment. Each member state must also set out penalties for violations of the Data Act, so penalties can vary between member states. The European Commission plays a supportive role in enforcement. It hosts the European Data Innovation Board, an expert group which facilitates cooperation between competent authorities and promotes best practices and common approaches in enforcement.
Non-EU companies need to appoint a representative in the EU, similar to the requirement under the GDPR.
What next?
The Data Act presents compliance challenges for companies, especially as its interaction with other EU and national laws is complex, such as with the EU Digital Operational Resilience Act, the GDPR, the NIS 2 Directive, and the new Data Use and Access Act in the UK (which will introduce “smart data schemes”). The European Commission has made clear that the GDPR takes precedence over the Data Act. It has also published FAQs which may help companies to plan.
Companies should work out whether they come within the scope of the Data Act. If they do, they need to consider the design of their connected products in time for September 2026 and to make sure that data will be accessible by users. They also need to review their contracts to make sure that they don’t contain unfair terms, and their business processes to make sure they can receive and deal with requests for data. They should also consider whether any data is a crown jewel and needs to be protected.