The EU Data Act – empowering users, challenging data holders

The EU’s new Data Act[1] marks a significant reform in how data is accessed and shared across the union. Formally adopted in late 2023 and set to apply from 12 September 2025, this regulation redefines the data economy by giving users new rights over data they generate, while imposing significant responsibilities on entities that hold such data. As a result, the Data Act empowers users with the ability to benefit from their ‘own data’, namely the data created while using connected products and services, and simultaneously challenges data holders to adjust their practices and business models.

What is the Data Act?
The Data Act is a regulation developed as part of the EU’s broader digital strategy and its effort to build a fair data economy[2]. Building on previous initiatives such as the Data Governance Act and operating together with data protection frameworks such as the GDPR, it sets out to create a more coherent set of conditions for the digital market. Unlike the GDPR, which focuses on the protection of personal data, the Data Act is concerned with access to and use of both personal and non-personal data, generated by connected devices and related services. Its overarching purpose is to ensure the fair distribution of the value of data among those who create and use it. As the European Commission explains, a key goal is to “create fairness in the data economy and empower users to reap value from the data they generate using the connected products that they own, rent or lease”[3]. This means defining who can use certain data and under what conditions, to ensure users and businesses gain a stronger position in relation to the data they collectively generate.

The Data Act introduces common rules for a range of types of data relationships, from business-to-consumer and business-to-business data sharing, especially in the context of IoT  devices, to business-to-government data access, and portability between cloud services and international data transfers. Companies around the world that offer products or services in the EU will now need to comply with these rules for their EU operations, making the Data Act an important factor for also non-EU entities.

Empowering users
At the centre of the Data Act is a set of provisions that significantly empower users to access and use data they generate through their use of connected devices and related services. A “related service” includes software that is connected with a product such that, without it, the product cannot perform at least one of its functions, or that is connected later by the manufacturer or a third party to add, update or modify functions[4].

Under the Data Act, a user is any individual or entity who owns a connected product, has a contractual right to use it, or receives a related service. The owner, a lessee and a renter, can each qualify if their right is contractually stable.

The Data Act changes the current logic of data flows through the following main mechanisms:

• The device data access. For users who own, lease or rent a connected product, the Data Act grants them the right to access the data generated by that product during their use. This applies to various types of products, which includes connected vehicles, interactive toys, home appliances, industrial machines with sensors, etc. The products and services must be designed by default to enable users to easily retrieve raw or pre-processed data and relevant metadata “easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format”[5]. For example, the owner of a connected vehicle could access operational data that historically have been accessible only to the manufacturer’s authorised service centres.
• Sharing data with third parties. Beyond just accessing data themselves, users can transfer their data to third parties. Upon a user’s request, a data holder (such as the device manufacturer or service provider) is obliged to make the data available to a third-party designated by the user. This, for instance, enables users hiring an independent repair service that can use vehicle data for diagnostics.
• The Data Act requires that users are informed about the type, volume and format of the data generated using a product or related service, the manner in which such data may be accessed and whether the manufacturer, service provider or a third party has access to that data. The information is to be provided prior to the conclusion of the contract for the sale, rent or lease of the product, or for the provision of the related service.
• Protection against unfair terms. Under the Data Act, contractual terms relating to access and use of data, when unilaterally imposed on micro, small or medium-sized enterprises, are not binding if they are found to be unfair. An unfair term is one contradicting good commercial practice, contrary to the requirement of good faith and resulting in a significant imbalance in the rights and obligations of parties.

Challenging data holders
While users are expected to benefit, the Data Act imposes a wide range of new obligations on data holders. Compliance will be demanding and may require substantial adjustments in contract design, technology and overall business strategy.

A “data holder” is any natural or legal person that has the right or obligation to use and make available data from a connected product or related service. In practice, the data holder is the actor that lawfully obtains the data and controls the technical and contractual conditions for data access. Often this is the manufacturer or service provider, but this may also be a distributor, platform operator or maintenance provider. One device can produce multiple datasets with different data holders.

Key challenges for data holders include:

Contracts, terms and policy updates
Data holders should revisit their standard contracts, terms of service and overall data policies. Clauses that previously might have restricted data sharing or imposed certain conditions on users may now be invalid under the Data Act’s unfair terms rules. For instance, including clauses such as “the manufacturer may change data access rules at any time without consent” or “waives all liability for data inaccuracies” may now be considered unfair. Companies will need to ensure their contracts are compliant, mostly by making terms more balanced.

FRAND terms
Under the Data Act, when users request to share data with a third party, the data holder must deliver that data under fair, reasonable and non-discriminatory (FRAND) terms. This means that the data holders cannot favour their own services or certain business partners while blocking others without reasonable justification. Data holders are allowed to set up terms and conditions for such sharing, for example, to protect data security, privacy or to ensure proper use of the data[6].

Data accessibility by design
Data holders must ensure that their products and services are ‘data-accessible’ by design. If a connected device or service generates data, the user should be able to retrieve it by default. For data holders, this might mean building APIs or download functions into their products. If the data isn’t directly accessible by the user, the obligation is on the data holder to provide it without undue delay upon request[7].

 Cloud and data processing services
The Data Act significantly impacts data processing service providers, including cloud and edge computing (such as processing data closer to where it is generated, for example on local servers or gateways). Providers of Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), Software-as-a-Service (SaaS) and similar services must make it possible for customers to switch providers or transfer data and digital assets back to on-premises ICT infrastructure. They are required to remove contractual or technical obstacles, provide clear information on procedures and data formats and act in good faith during the process. The Data Act sets minimum contractual requirements aimed at ensuring data portability and interoperability and introduce the elimination of exit fees (to be phased out by 12 January 2027).

Government access and public-interest use
Chapter V of the Data Act establishes a mechanism for public sector bodies (and EU institutions) to request data from data holders on the basis of “exceptional need”[8]. Exceptional need exists, according to the Data Act, 1) to respond to a public emergency (personal data may be requested if non-personal data are insufficient) and 2) in other cases to perform a task in the public interest, but when only for non-personal data and only where the requester cannot obtain the data otherwise in a timely and effective manner under equivalent conditions. If these conditions are met, the data holder must make the data available without undue delay[9]. Data holders cannot purely rely on trade secrets as a blanket defence; instead, they must release what is deemed strictly necessary, protected only by confidentiality measures[10]. The risk is asymmetric. Disclosing too little breaches the law; disclosing too much may damage competitive advantage. Data holders therefore need systems, contracts and teams set up to comply, often with little room to negotiate.

In summary, the Data Act places compliance burdens on data holders. Practically every company dealing in connected products or data services will be affected in some way – from an auto manufacturer, a connected home appliance manufacturer to a data processing services provider. Each must assess how to enable user data access and portability, what contracts to revise and how their competitiveness might change when data flows more freely.

Cross-border and international aspects of the Data Act
Although not the central focus of the Data Act, there are also important cross-border implications to consider. As an EU regulation, the Data Act applies uniformly across all member states, thereby harmonising data sharing rules, although non-EU companies are not relieved from obligations. If a business outside the EU offers a connected product or data service to EU customers (for example, a UK-based connected device manufacturer selling in the EU), it will have to comply with the Data Act for those EU users. In this sense, the influence of the regulation will obtain a global reach.

As regards international data transfer, the Data Act contains provisions to ensure that when data does flow outside the EU, it remains protected[11]. For non-personal data stored in the EU, the Data Act guards against unlawful access by foreign governments. Cloud and data processing service providers must take measures to prevent third-country authorities from obtaining EU-stored data in breach of EU or member state law, analogous to how the GDPR requires safeguards for personal data leaving the EU. Now similar principles are applied to non-personal data generated by connected devices and related services.

While the Data Act is EU-centric, its effects and requirements will be felt internationally. Non-EU companies will have to factor in these cross-border elements when designing compliance programmes, such as dealing with conflicting laws, handling requests from EU authorities and maintaining data practices across different jurisdictions.

Another chapter of the new data paradigm
The EU Data Act represents a significant evolution in data law. By empowering users with rights to access and share the data they generate, the Data Act aims to unlock value in data that is currently locked-in. It is intended to boost innovation, competition and consumer choice. However, for data holders, the law brings compliance challenges and possibly disruptive changes to current business models. Companies that have built advantages around control of data will need to find new ways to compete in an environment where that data must be shared under new terms.

For businesses, this means careful compliance work and strategic thinking about data use. For users and society, the Data Act promises more access, choice, and economic value from the data that users collectively generate. As with any major regulatory change, the full impact will only become evident over time. It’s reasonable to consider the EU data landscape is undergoing a transformation that challenges data holders to evolve.

[1] Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act).

[2] https://digital-strategy.ec.europa.eu/en/policies/strategy-data

[3] https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained

[4] Article 2(6) of the Data Act.

[5] Article 3(1) of the Data Act.

[6] Recital 43 of the Data Act: “(…) parties should remain free to negotiate the precise conditions for making data available in their contracts within the framework for the general access rules for making data available. Terms of such contracts could include technical and organisational measures, including in relation to data security”.

[7] Article 4(1) of the Data Act.

[8] See Article 15 of the Data Act.

[9] Article 18 of the Data Act.

[10] Article 19(3) of the Data Act.

[11] Article 32 of the Data Act.