The Data Act: The EU Regulation On The Internal Market For Data

The Data Act is the EU regulation on the data generated by connected products and related services. These data power entire economies; the removal of barriers to data sharing would enhance competition and boost innovation in the digital sector. To this end, and to promote the exchange of data within the European internal market, the Data Act introduces a framework specifying who is entitled to use product data or related service data, under which conditions and on what basis.

The Data Act entered into force on 11 January 2024 and it will apply from 12 September 2025.



Purpose of the Data Act

The purpose of the Data Act is to promote the exchange and fair use of the data generated by connected products and related services. By removing the obstacles to data sharing, the EU legislator intends to foster competition, overcome vendor lock-in and boost innovation: the availability of interoperable data would help improve existing products and produce new ones.

High-quality and interoperable data from different domains increase competitiveness and innovation and ensure sustainable economic growth.

Recital 1 - Data Act

Recital 119 clarifies that the objectives of the Data Act are ensuring fairness in the allocation of value from data among actors in the data economy and fostering fair access to and use of data in order to contribute to establishing a genuine internal market for data.

What data?

The Data Act concerns the data generated by the use of a connected product or a related service.

‘connected product’ means an item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user;

‘related service’ means a digital service, other than an electronic communications service, including software, which is connected with the product at the time of the purchase, rent or lease in such a way that its absence would prevent the connected product from performing one or more of its functions, or which is subsequently connected to the product by the manufacturer or a third party to add to, update or adapt the functions of the connected product;

Article 2 - Definitions

The data generated or collected may be personal or non-personal data: the Data Act applies to both cases but without prejudice to Union law on the protection of personal data and privacy.

Data access rights

The cornerstone of the Data Act is the right of the user to access the data produced by using a digital product or service.
The right of the user to access data implies specific obligations for the manufacturer of the product:

  1. the manufacturer of the product is required to make data available to users under fair, reasonable and non-discriminatory terms and conditions and in a transparent manner;
  2. the product should be designed so as to allow the user to access the data in a direct and easy way. When this is not possible, for instance for technical reasons, the data holder is required to make the data available to the user upon request;
  3. the user should be informed before purchasing the connected product of the data that the device is capable of generating, including type, format and the estimated value of such data.

As we are going to see, the Data Act establishes obligations not only for manufacturers but, more generally, for data holders too. Who is the data holder?

‘data holder’ means a natural or legal person that has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation adopted in accordance with Union law, to use and make available data.

Right to share data with third parties

The user also has the right to share data with third parties, either directly or by asking the data holder to make the data available to a third party of choice. A third party can be a consumer, an enterprise, a research organization or an entity acting in a professional capacity. Data can be shared with a third party only upon request of the user.

Obligations of the third party

The third party:

  • can share the data with other subjects only upon the agreement of the user;
  • has access only to the information necessary to provide the service requested by the user;
  • should not use the data to profile individuals unless this is strictly necessary to provide the service requested by the user;
  • is not a gatekeeper: the data holder does not comply with requests to make data available to an enterprise designated as a gatekeeper by the Commission. Why? A gatekeeper is subject to specific requirements to contain its dominance on the market, which often involves an unmatched capacity to collect data. Therefore, according to recital n° 40, it would be disproportionate for data holders made subject to such obligations to include gatekeepers as beneficiaries of the data access right. (See article on the Digital Markets Act).

Restrictions to data access

The right of the user to access the data has some exceptions, and so does the obligation of the data holder to share those data with another business when requested.

Security of the connected product

Users and data holders may contractually restrict or prohibit accessing, using or further sharing data, if such processing could undermine security requirements of the connected product.

Article 4(2)

Trade secrets

Trade secrets shall be preserved and shall be disclosed only where the data holder and the user take all necessary measures prior to the disclosure to preserve their confidentiality in particular regarding third parties

Article 4(6)

The data holder may identify some data as trade secrets and negotiate with the user proportionate technical and organisational measures necessary to preserve the confidentiality of the shared data, in particular in relation to third parties, such as model contractual terms, confidentiality agreements, strict access protocols, technical standards and the application of codes of conduct.

In case the data holder and the user do not agree on the measures to take in order to preserve trade secrets, or if the user fails to implement them, the data holder may refuse to share the data identified as trade secrets. In exceptional circumstances the data holder may stop sharing data if it proves that, despite the measures agreed with and taken by the user, it is highly likely to suffer serious economic damage from the disclosure of trade secrets.

Development of a competing product

Lastly, there is something the user cannot do with the data provided by the manufacturer or the data holder:

The user shall not use the data obtained...to develop a connected product that competes with the connected product from which the data originate, nor share the data with a third party with that intent.

Article 4 (10)

Data sharing in B2B relations

As we have just seen, the data generated by connected products and related services can be shared between enterprises upon request of the user; the user may ask the data holder to send the data to another business, the data recipient. We are now going to briefly sum up how the Data Act regulates data sharing between businesses.

Non-discrimination

Any agreement concluded in business-to-business relations for making data available should be non-discriminatory between comparable categories of data recipients, independently of whether the parties are large enterprises or SMEs.

Recital n° 45

Right to compensation for making data available

The businesses involved may agree on compensation for the one providing the data. The compensation may cover the costs incurred in making the data available, considering the volume, format and nature of the data, and, for data recipients other than small enterprises or not-for-profit research organizations, may also take into account the investments in the collection and production of data.

Unfair contractual terms on data access

Contractual terms concerning access to and the use of data are not binding if they are:

  1. imposed unilaterally by one enterprise on another, with no negotiation;
  2. unfair.

The Data Act provides a general definition of an unfair contractual term:

A contractual term is unfair if it is of such a nature that its use grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing

Article 13 (3)

Always unfair

Article 13 (4) also provides a list of terms, or rather their effects, to be considered always unfair. That is the case when a contractual term would:

  • exclude or limit the liability of the party that unilaterally imposed the term for intentional acts or gross negligence;
  • exclude the remedies available to the party upon whom the term has been unilaterally imposed in the case of non-performance of contractual obligations;
  • give the party that unilaterally imposed the term the exclusive right to determine whether the data supplied are in conformity with the contract or to interpret any contractual term.

Presumed unfair

Lastly, Article 13 (5) lists contractual clauses which are presumed to be unfair: the enterprise that imposes them can demonstrate that in the specific case they are not unfair.

Obligation to make data available for exceptional needs and public emergencies

A public sector body, the Commission, the EU Central Bank or Union bodies may ask manufacturers and data holders to provide data in situations of exceptional need. According to article 15, this may happen when:

  • the data are needed to respond to a public emergency and they could not otherwise be obtained in a timely and effective manner and under equivalent conditions;
  • there is no public emergency: only non-personal data can be requested and only from businesses other than microenterprises and small enterprises, IF:
    • data are needed to fulfil a specific task carried out in the public interest, that has been explicitly provided for by the law AND
    • the subject requesting the data has exhausted all other means at its disposal to obtain such data.

The data holder may refuse to comply with the request if:

  1. a similar request for the same purpose has been previously submitted by another public sector body or the Commission;
  2. the request does not meet the conditions laid down in Article 17(1) and (2).

Lastly, the data holder is entitled to compensation for complying with the request for data made by the public sector body or EU body. The compensation covers the organizational costs borne to comply with the request, as well as, where applicable, the costs of anonymisation, pseudonymisation, aggregation and of technical adaptation, and a reasonable margin.

There is no right to compensation for providing data when the specific task carried out in the public interest is the production of official statistics and where the purchase of data is not allowed by national law.

Switching between data processing services

One of the goals of the Data Act is to eliminate the obstacles the customer faces when switching between data processing services. Such obstacles can be of a pre-commercial, commercial, technical, contractual and organizational nature.

What is a data processing service?

‘data processing service’ means a digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction

Article 2

The definition of data processing service provided by the Data Act is not very clear; in fact, it encompasses a broad range of services having different purposes and functionalities. Recital 80 specifies that data processing services include resources such as networks, servers or other virtual or physical infrastructure, software, including software development tools, storage, applications and services.

In any case, data processing services can be grouped into at least 3 categories:

  1. IaaS: infrastructure as a service;
  2. PaaS: platform as a service;
  3. SaaS: software as a service.

In order to facilitate the switching between data processing services, the Data Act requires providers of such services to:

  • terminate the contract after the notice period expires and the switching process is completed;
  • let the user conclude new contracts with a different provider of data processing services covering the same service type;
  • enable the user to port its data and digital assets to the new provider;
  • ensure the user achieves functional equivalence, that is, re-establishing, on the basis of the customer’s exportable data and digital assets, a minimum level of functionality in the environment of a new data processing service of the same service type after switching (recital n° 86).

Switching charges

Switching charges are charges imposed by providers of data processing services on the customers for the switching process. Typically, those charges are intended to pass on costs which the source provider of data processing services may incur because of the switching process to the customer who wishes to switch.

Recital 88

Switching charges inhibit the customer from choosing another service, particularly when they are unjustified, that is, unrelated to the actual cost borne by the provider for the switch. Therefore, the Data Act provides for the abolition of switching charges starting from 12 January 2027; until then, providers may impose switching charges not exceeding the costs incurred by the provider of data processing services that are directly linked to the switching process concerned.

Data interoperability

Data interoperability is a precondition for many of the objectives of the Data Act: from enabling customers to change provider of a digital service to allowing data sharing in business-to-business relations, data need to be portable. Data interoperability is necessary to overcome vendor lock-in, which forces a customer to stay with a provider for mere practical reasons, like when the switch would imply losing the data, thus undermining competition and the development of new services.

‘interoperability’ means the ability of two or more data spaces or communication networks, systems, connected products, applications, data processing services or components to exchange and use data in order to perform their functions

Article 2

Requirements for interoperability of data

Article 33 of the Data Act lays down essential requirements for interoperability with which participants in data spaces that offer data or data services to other participants need to comply:

  • the dataset content, use restrictions, licences, data collection methodology, data quality and uncertainty shall be sufficiently described, where applicable, in a machine-readable format, to allow the recipient to find, access and use the data;
  • the data structures, data formats... shall be described in a publicly available and consistent manner;
  • the technical means to access the data, such as application programming interfaces, and their terms of use and quality of service shall be sufficiently described to enable automatic access and transmission of data between parties, including continuously, in bulk download or in real-time in a machine-readable format where that is technically feasible and does not hamper the good functioning of the connected product.

Harmonised standard and common specifications on data interoperability

Pursuant to Regulation EU n° 1025/2012, the Commission may request one or more European standardisation organisations to draft harmonised standards that meet the essential requirements for interoperability provided for by article 33.

The Commission may within the limitations of the competences laid down in the Treaties, request one or several European standardisation organisations to draft a European standard or European standardisation deliverable within a set deadline.

Article 10 - Regulation EU n° 1025/2012

The Commission may also adopt common specifications on the essential requirements for interoperability IF both the following conditions are met:

  • the Commission has already made a request and either it has not been accepted, or the harmonised standards have not been delivered within the deadline, or the harmonised standards do not comply with the request AND
  • in the Official Journal of the European Union there is no reference to harmonised standards on the essential requirements for data portability laid down in Article 33 of the Data Act.

Competent Authorities

Member States designate one or more competent authorities responsible for the application and enforcement of the Data Act. If a Member State designates more than one authority, it should also designate one of them as data coordinator to facilitate cooperation between the competent authorities and to assist entities within the scope of this Regulation on all matters related to its application and enforcement.

Article 37 requires Member States to clearly define the powers of the competent authorities and related tasks, which need to include the following:

  • promoting data literacy and awareness among users;
  • receiving and handling complaints on alleged infringements of the Data Act;
  • conducting investigations into matters that concern the application of this Regulation, including on the basis of information received from another competent authority or other public authority;
  • imposing sanctions;
  • cooperating with the other competent authorities, with the Commission and the European Data Innovation Board (EDIB);
  • examining the requests made by public sector bodies or EU bodies to access data for exceptional needs.

Sanctions

Member States shall lay down the rules on penalties applicable to infringements of this Regulation and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive.

Article 40

Member States will notify the Commission of the rules on sanctions by 12 September 2025; the Commission will maintain a public and easily accessible register on the sanctions adopted by Member States.

In establishing sanctions, Member States will take into account the recommendations of EDIB and the non-exhaustive criteria laid down in article 40 (3), such as:

  • nature, duration and gravity of the infringement;
  • whether the infringing party has taken any action trying to mitigate the damage caused by the infringement;
  • the benefit gained by the infringing party by breaching the Data Act.

Conclusions

In conclusion, a brief recap.

  • The purpose of the Data Act is to facilitate the sharing of the data produced by users of connected products and related services.
  • The free flow of data would benefit competition and innovation: consumers would be free to export their data and choose a competing provider. The availability of interoperable data would also give more material for improving existing products and creating new ones.
  • The Data Act covers personal and non-personal data without prejudice to existing EU and national legislation on the protection of personal data and privacy.
  • The Data Act provides for specific rules depending on the subjects involved in the exchange of data:
    • user and manufacturer of the product, provider of the service and data holder: data access right for the user.
    • business-to-business relations: make data available to other businesses when required by the user.
    • enterprises and public sector bodies or EU institutions or EU bodies: duty to make data available to authorities for exceptional needs.


About the author

Vincenzo Lalli

Founder of Avvocloud.net

Avvocloud is an Italian network of lawyers passionate about law, innovation and technology.
Feel free to reach out for any info: send a message.

Thanks for reading!

Creative Commons License