The EU Data Act: what does it regulate?

Published on 23rd Jan 2025

The Data Act is a potpourri of legal provisions varying in relevance for companies – this series opens with an overview

The European Data Act came into force on 11 January last year to address the challenges and opportunities presented by data in the European Union by emphasising fair access and user rights while ensuring the protection of personal data.

With the Data Act generally applying from 12 September 2025, the countdown is on for companies to check whether they are affected by the new regulations of the Data Act and how they can implement them.

This is important for companies across Europe, as violations of the Data Act are sanctioned by the EU Member States. The type of sanctions (including the amount of any fines) is not directly regulated in the Data Act but is determined by the individual Member States in national law.

'Regulatory complexes'

The Data Act includes various "regulatory complexes" that can have a different relevance for companies depending on the business model, as illustrated.

Data Act Chapters II and III: Right to Data Access

Providers of connected products and related services are obliged under article 3 and following of the Data Act to make available, upon the user's request, the data generated by the use of a connected product or related service. 

This could include, for example, products that are connected to the internet, such as smart cars, certain medical devices, smart meters, smart TVs, smart watches, or smart kitchen appliances. It also includes related services, such as apps that allow a connected product to be controlled, such as an app to control smart home devices.

Upon the user's request, providers must make the data generated by the connected product or related service available to both the user and a third party designated by the user. This data access is free of charge for the user, but the provider can charge a reasonable fee to the third party.

This regulation is intended to enable users to use aftermarket, ancillary and other services offered by third parties (possibly at a lower cost), particularly in relation to the connected product or related service. Furthermore, the possibility for third parties to use the generated data is intended to promote innovation and the development of new, demand-oriented services or products. For example, insurers could adjust their premiums according to the risks associated with the use of the products.

However, the use of the generated data by third parties is subject to restrictions. In particular, third parties may not use this data to develop a product that competes with the connected product. It is also prohibited to use the data to gain insights into the economic situation, assets and production methods of the provider or the use by the provider. Additionally, data protection law may restrict the right to data access, as the provisions of the General Data Protection Regulation (GDPR) remain unaffected by the Data Act.

Data Act Chapter IV: Prohibition of Unfair Contractual Terms

If a provider must grant a third party access to generated data upon a user's request under article 5 of the Data Act, the provider should conclude a contract with the third party to regulate data access and data use. This way, the provider can protect its interests, particularly regarding the protection of trade secrets or through fees to the third party. The clauses of such a contract, in that they are not negotiated, must not be unfair according to article 13 of the Data Act; otherwise, they are not binding on the other party.

Data Act Chapter V: Data Provision to Public Sector Bodies and EU Institutions

In addition to the obligation to make data accessible to users and third parties, public sector bodies and EU institutions can also request the provision of data from the provider (or other data holders) if there is an "exceptional need", according to article 14 (and those following) of the Data Act. These regulations arose from the experiences of the Covid-19 pandemic, which showed that access to certain data by public authorities and EU institutions can be relevant for assessing and taking appropriate measures for the society as a whole.

Data Act Chapter VI: 'Cloud Switching'

Both business-to-business (B2B) and business-to-consumer (B2C) customers should be able to switch from one cloud provider to another or to an on-premises solution at short notice and without obstacles according to article 23 (and those following) of the Data Act. The purpose of this regulatory complex is to promote competition and lower market-entry barriers for new providers, particularly by eliminating contractual lock-in effects.

These regulations apply not only to classic cloud services but also to other data processing services such as infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), software-as-a-service (SaaS), storage-as-a-service, and database-as-a-service. Providers are obliged to provide reasonable assistance for the switch, particularly when exporting and transferring data and digital assets. The respective rights of customers must be set out in a written contract between the provider and the customer. From 12 January 2027, providers must provide these support services free of charge.

Data Act Chapter VII: International governmental access and transfer of non-personal data

In line with chapter V of the GDPR and, particularly, its article 48 on the transfer of personal data to courts and authorities in a third country, article 32 of the Data Act contains requirements for providers when they are to transfer or make available non-personal data stored in the EU to a court or authority outside the EU. 

These requirements apply even if the foreign court or authority has issued a decision requesting the provider to transfer or give access to such non-personal data.

Data Act Chapter VIII: Interoperability regarding European Data Spaces

Special interoperability requirements apply according to article 33 (and those following) of the Data Act for the use of European data spaces. Interoperability means the ability of two or more data spaces to exchange and use data to perform their functions (article 2 (40) of the Data Act).

Participants in European data spaces must disclose certain information in the future. This includes dataset contents, data structures, and information on the technical means used for data access and transmission. The aim and purpose of these regulations are to ensure that data can be shared and exchanged between different data spaces to promote innovation.

Data Act Chapter VIII: Smart Contracts

In the future, specific requirements will also apply to the use of smart contracts. Smart contracts refer to computer programs used for the automated execution of an agreement or part thereof (article 2 (39) of the Data Act).

The Data Act stipulates that smart contracts must meet certain requirements if they are used for the automated execution of data sharing and data provision agreements. In this case, they must be designed to be robust enough to avoid functional errors and allow access control to withstand manipulation by third parties, according to article 36 of the Data Act. Providers of smart contracts must demonstrate compliance with the new requirements through an EU declaration of conformity in the future.

Osborne Clarke comment

We will provide further coverage of the various regulatory complexes of the Data Act in this Insight series on the Data Act and present the individual regulatory complexes in detail, analyse the impact on companies and show implementation measures. This will include data protection considerations and aspects of trade secret protection.


* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.