In collaboration with Elena Mandarà

On January 11, 2024, Regulation EU 2023/2854 setting forth the Data Act entered into force. The Data Act introduces a new regulatory framework that applies to the use of personal and non-personal data generated by connected devices and will apply beginning September 12, 2025.

The Data Act follows the Data Governance Act (Regulation (EU) 2022/868), which became applicable in September 2023 and established common European data spaces in an effort to make more data available for use

The Data Act provides specific requirements to facilitate the interoperability of data, data sharing mechanisms and services, and European data spaces.[1] Notably, the same obligations apply to providers of data-processing services. This is meant to facilitate the interoperability of in-parallel use of data-processing services (i.e., when clients access different services provided by different providers at the same time to benefit from the complementary nature of the services).[2]
1. Scope of application

The new rules apply to data generated using connected products[3] and related services, as well as to data-processing services (including cloud services).[4] The Data Act sets forth rules concerning making data available to a variety of parties. It also makes it easier to change data-processing services, introduces safeguards against unlawful third-party access to non-personal data, and offers interoperability standards for data to be accessed, transferred, and used.

In other words, the Data Act will have impact mostly on the IoT and cloud services markets, without distinguishing between personal and non-personal data.

The Data Act contains a complex set of obligations and rights that distinguish between the various parties involved in the use of connected products. Namely, the Data Act sets forth obligations applicable to data holders—entities that may use or make available data generated by a connected product or a related service. Users (individuals or entities using a connected product) also have certain rights.

Key provisions regard:

• Accessibility of the data generated by connected products and related services;
• Information obligations for data holders;
• Right to switch from one processing service to another;
• Identification of a certified dispute settlement body and the right to file complaints.

2. Accessibility of the data generated by connected products and related services

Users have the right to easy access to data generated by connected products and related services.

Therefore, connected products and related services must be designed, manufactured, and provided in such a manner that the associated data, including metadata, are by default directly accessible to the user, where technically feasible. Access must be easy, secure, and free of charge, and the data must be provided in a comprehensive structured, commonly used, and machine-readable format.[5]

When data cannot be directly accessed, data holders shall make data, including metadata, readily available to users without undue delay, and the data shall be of the same quality as the data available to the data holder.[6] The right to access may be restricted or prohibited contractually for security reasons only.[7] Data holders or, when different, trade secret holders may agree with users to adopt further measures to preserve trade secrets.[8]

A user may also ask a data holder to make data available to third parties. However, this right is not applicable when such third parties are designated as gatekeepers[9] under the Digital Markets Act.[10] Such third parties have certain obligations, including the obligation to process the data only for the purposes and under the conditions agreed upon with users. In specific circumstances (e.g., if third parties or recipients have provided false information to a data holder for the purpose of obtaining data or used available data for unauthorized purposes), third parties may be asked to erase the data, stop producing, promoting, placing on the market, or using goods or services based on the knowledge of such data, inform the user of the unauthorized use or disclosure, and compensate the party suffering due to the misuse or disclosure.[11]

In addition to being obligated to make data available, data holders have the right to enact adequate measure to prevent unauthorized access to data, including smart contracts[12] and encryption.[13]

In certain scenarios, the right to access data generated from connected products and related services applies to users that are businesses.

3. Information obligations

To make the right to access data effective, before entering into a contract regarding the use of a connected product or the provision of a related service, the seller, renter, or lessor or the provider of the server must inform the users in a clear and comprehensive manner about, among the others, the type, format, and estimated volume of product data that the connected product is capable of generating, including whether the connected product is capable of generating data continuously and in real-time, the nature and estimated data of the related service to be generated

The seller must also identify the prospective data holder and explain how to communicate with the data holder.

4. Switching between data-processing services

The Data Act is designed to remove obstacles to switching between data-processing services in an effort to boost market competition and improve the quality of service. These rules have an especially strong impact on cloud services and allow development of multi-cloud infrastructures.

All data-processing service providers involved shall cooperate in good faith with each other.[14] Providers of data-processing services shall not impose and shall remove any obstacles that prevent customers from terminating data-processing service contracts after the maximum notice period or entering into new contracts with different providers.[15]

Rights and obligations concerning switching between providers shall be covered by a written contract containing—at a minimum—the elements listed in Article 25 of the Data Act. Data-processing service providers must inform customers of the procedures for switching and porting to other data-processing services.[16]

5. Judicial remedies and dispute settlement

Users, data holders, and data recipients shall have access to a certified dispute settlement body.[17]

Natural and legal persons who believe their rights have been infringed have the right to file a complaint with the relevant national authority appointed by each Member State according to Article 37 of the Data Act. The right to file a complaint is without prejudice to any other administrative or judicial remedy.[18]

Natural and legal persons also have the right to effective judicial remedies with regard to legally binding decisions of the appropriate authorities.[19]

6. Next steps: Applicability and actions required from Member States

While the Data Act is fully in force, it will become applicable starting September 12, 2025. Though it is directly applicable in Member States (as it is an EU regulation), Member States will have to adopt legislative measures both to adapt their existing frameworks and to implement certain provisions. For instance, by September 12, 2025, each Member State must identify the supervisory authority that will enforce the Data Act and establish the applicable penalties.

[1] Article 33 of the Data Act.

[2] Article 34 of the Data Act.

[3] According to Article 2, par. 15 of the Data Act, “product data” means “data generated by the use of a connected product that the manufacturer designed to be retrievable, via an electronic communications service, physical connection, or on-device access, by a user, data holder, or third party, including, where relevant, the manufacturer.”

[4] According to Article 2, par. 16 of the Data Act, “related service data” means “data representing the digitization of user actions or of events related to the connected products, recorded intentionally by the user or generated as a byproduct of the user’s action during the provision of a related service by the provider.”

[5] Article 3, par. 1 of the Data Act.

[6] Article 4, par. 1 of the Data Act.

[7] Article 4, par. 2 of the Data Act.

[8] Article 4, par. 6 of the Data Act

[9] Article 5 of the Data Act.

[10] Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828.

[11] Article 11 of the Data Act.

[12] According to Article 2, par. 39 of the Data Act, “smart contact” means a computer program used for the automated execution of an agreement or part thereof, using a sequence of electronic data records and ensuring their integrity and the accuracy of their chronological ordering.

[13] Article 11 of the Data Act.

[14] Article 27 of the Data Act.

[15] Article 23 of the Data Act.

[16] Article 26 of the Data Act.

[17] Article 10 of the Data Act.

[18] Article 38 of the Data Act.

[19] Article 39 of the Data Act.