Data Act
Data Act
Overview
The Data Act establishes rules on who can use and access data generated by connected products and services. It aims to unlock the value of industrial and commercial data while ensuring fair data access rights for users.[1]
Entered into force September 11, 2023, with most obligations applying from September 12, 2025.
Application Timeline
| Date | Milestone |
|---|---|
| September 2023 | Data Act enters into force |
| September 2025 | Most obligations begin to apply |
| September 2026 | Smart contract provisions apply |
| September 2027 | Interoperability requirements for data processing services |
Key Provisions
1. User Data Access Rights (Chapter II)[2]
Users of connected products have the right to:
- Access data generated by their use of products
- Share that data with third parties of their choice
- Receive data in a usable, machine-readable format
- Portability across different service providers
Applies to: IoT devices, connected vehicles, smart home products, industrial machinery, and wearables.
2. Data Holder Obligations
Data holders (typically manufacturers) must:
- Design for access: Make data easily accessible to users
- Transparent information: Inform users what data is collected and how
- Provide data: Without undue delay, free of charge
- Enable third-party sharing: Upon user request
3. B2B Data Sharing (Chapter III)
Obligations when sharing data with third parties:
| Requirement | Details |
|---|---|
| Fair terms | FRAND (Fair, Reasonable, and Non-Discriminatory) conditions |
| Prohibited clauses | Cannot restrict user's right to share data |
| Compensation | Reasonable compensation for making data available |
| Non-discrimination | Similar terms for similar uses |
4. Protection of Trade Secrets
Trade secret holders may:
- Agree confidentiality measures with data recipients
- Refuse sharing if confidentiality cannot be ensured
- Request technical protection measures
However, trade secrets cannot be used as general excuse to refuse data access.
5. Government Data Access (Chapter V)
Public sector bodies may request data from businesses for:
- Public emergencies (e.g., pandemics, disasters)
- Implementing legal mandates
- Production of official statistics
Subject to necessity and proportionality requirements.
6. Cloud Switching (Chapter VI)[3]
Data processing service providers must:
- Enable switching: Facilitate transfer to other providers
- No lock-in: Remove technical, contractual, or commercial barriers
- Data portability: Provide data export in open formats
- Phase out switching charges: From September 2027
7. Smart Contracts (Chapter VII)
Providers of smart contracts for data sharing must ensure:
- Safe termination mechanisms
- Data archiving before termination
- Continuity and protection mechanisms
Unfair Contract Terms
The Data Act prohibits unfair terms in B2B data sharing contracts, including terms that:
- Grossly deviate from good commercial practice
- Are contrary to good faith and fair dealing
- Unilaterally favor one party without justification
Penalties
Member States determine penalties, which must be effective, proportionate, and dissuasive.[4]
Developer Action Items
For IoT/Connected Device Manufacturers
- Design for data access: Enable users to retrieve their data
- Document data flows: Be transparent about what data is collected
- Build export tools: Machine-readable formats for data portability
- Third-party APIs: Enable authorized data sharing
For Cloud/SaaS Providers
- Remove switching barriers: Technical and contractual
- Implement data export: Standard, open formats
- Review pricing: Phase out switching fees
- Interoperability planning: Prepare for 2027 requirements