The EU Data Act: Implications and Preparation for Businesses

The European Union (EU) has initiated the rollout of new legislation, the EU Data Act (the Act). The Data Act, which came into force on January 11, 2024, is part of the EU's efforts to foster a more competitive and innovative data economy.[1] With the enforcement date scheduled for September 2025, this regulation will have profound implications for businesses by influencing how they manage, share, and protect their personal and non-personal data.[2] It is crucial for businesses to fully understand the Act’s provisions to take proactive steps to ensure compliance and leverage new opportunities. 

The Data Act represents part of the EU’s broader digital strategy, complementing other critical regulations like the General Data Protection Regulation (GDPR), the Data Governance Act, and the Digital Markets Act (DMA).[3] The European Commission has stated that the Act aims to make data more accessible, particularly non-personal data, to stimulate innovation and economic growth.[4] To accomplish this, the Act establishes rules for data sharing between businesses, consumers, and public sector bodies.[5] The Data Act builds on the Data Governance Act and introduces measures that grant individuals and businesses increased rights to data generated through their use of connected devices.[6]   

The Data Act has several objectives, which include: 

1. 1. Outlining the rights users have to access, use, and port data that they co-generate through their use of a connected product.[7] 
   2. Clarifying data sharing conditions when a business is required to share data with another business pursuant to the Data Act or another applicable law.[8] 
   3. Introducing measures to prevent unfair contractual terms in data-sharing agreements with parties having greater bargaining power.[9] 
   4. Making data accessibility more straightforward for public sector bodies in specific circumstances, including but not limited to public emergencies.[10] 
   5. Defining requirements for switching between data processing services.[11] 
   6. Introducing safeguards to prevent government bodies from accessing non-personal data in contravention of EU or national law.[12] 
   7. Establishing interoperability responsibility for participants in data spaces to fulfil criteria to allow data flow within and between data spaces.[13] 
   8. Requiring EU Member States to designate competent authorities to monitor and enforce the Data Act.[14] 

Key Connected Product Provisions 

As noted above, the Data Act covers a host of new requirements.  This article primarily focuses requirements related to connected device data sharing in Chapter II of the Act.  The Data Act seeks to “ensure[] that users of a connected product or related service in the Union can access . . . the data generated by the use of that connected product or related service and that those users can use the data, including by sharing them with third parties of their choice.”[15] It obligates the data holder to make data available to users, which can be individuals or businesses, and third parties that the user choses.[16] The Data Act defines “data holder” as:   

a natural or legal person that has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation adopted in accordance with Union law, to use and make available data, including, where contractually agreed, product data or related service data which it has retrieved or generated during the provision of a related service.[17]   

“User” is defined as: 

a natural or legal person that owns a connected product or to whom temporary rights to use that connected product have been contractually transferred, or that receives related services.[18] 

 “Connected product” is:  

an item that “obtains, generates or collects data, concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access.” [19]  

Manufacturers’ design choices and EU or national law addressing “sector-specific needs and objectives or relevant decisions of competent authorities” should determine what data a connected product can make available.[20]  

While the Act promotes sharing of personal and non-personal data, trade secret holders may refuse data access to users because of potential harm from disclosure.[21]  Trade secret holders are encouraged to develop agreements with data users to preserve their trade secret rights. “Trade secrets shall be preserved and shall be disclosed only where the data holder and the user take all necessary measures prior to the disclosure to preserve their confidentiality in particular regarding third parties.”[22]  The data holder or trade secret holder, regardless of whether they are the same person, must identify the data (and metadata) sought as protected trade secrets and agree with the user on which measures are necessary to preserve confidentiality, including “model contract terms, confidentiality agreements, strict access protocols, technical standards and the application of codes of conduct.”[23]  If a recipient breaches the agreement or if the parties cannot reach an agreement, the businesses may withhold or suspend data sharing on a case-by-case basis to maintain the integrity of their intellectual property.   This exception applies in circumstances where the data holder who is also the trade secret holder can demonstrate that there is a high likelihood of it suffering “serious economic damage from the disclosure of trade secrets despite the technical and organisational measures taken by the user.”[24] To meet this requirement, the data holder must show the following objective elements:  

1. 1. enforceability of trade secrets protection in third countries,  
   2. the nature and level of confidentiality of the data requested, and  
   3. the uniqueness and novelty of the connected product. 

Data holders also must provide notice of the decision to withhold data to the user in writing and notify the appropriate authority that it has withheld or suspended data sharing.[25]  The notice should include a description of all the measures that have not been agreed upon or implemented, and/or which trade secrets have been breached.[26]   

As the Data Act approaches the enforcement date, businesses can take proactive measures to prepare.  First, they should assess their current data practices to ensure the ability to locate and share data in compliance with the Data Act. This review should include an assessment of all personal and non-personal data created and a review of all data-related contracts and assets to ensure they align with the Data Act’s requirements.  Additionally, businesses should consider the potential risks to trade secrets that may be impacted by compliance. Businesses should also consider how best to allow for effective interoperability between connected devices and take care to use technological measures such as data encryption to protect against cybersecurity risks. Next, businesses should ensure that their current and future contracts are in compliance with the Data Act’s provisions.  The European Commission will release model contractual terms and standard contractual clauses before September 12, 2025, which will help businesses measure and ensure compliance. Lastly, businesses should keep all impacted employees and stakeholders informed about any updates to applicable data management practices. By understanding the Data Act’s provisions and taking proactive steps to ensure compliance, businesses — both acting as users and as suppliers of connected products — can position themselves to thrive in the evolving data landscape. 

Endnotes