
The EU Data Act: Key Takeaways

Introduction

The EU Data Act (the “Data Act”) came into force on 11 January 2024 with a number of provisions becoming effective on 12 September 2025, while other provisions are scheduled for implementation on 12 September 2026 and 12 September 2027.

The Data Act establishes harmonised rules for data accessibility, sharing and usage across the EU. At its core, the Data Act aims to enhance the EU’s data economy and encourage data-driven competition by making data more accessible, useable and fairly distributed.

Scope

The Data Act applies to both personal data and non-personal data, in contrast with both UK GDPR and EU GDPR, which only apply to personal data.

The scope of the Data Act is broad, encompassing the following products and services:

Connected products: products which generate, collect or obtain data regarding their use or environment and are capable of communicating this data via an electronic communications service, physical connection or on-device access.

Related services: digital services linked with connected products in such a way that the absence of those services would prevent the connected product from performing one or more of its functions.

Data processing services: digital services which offer customers flexible access to a shared pool of configurable, scalable and elastic computing resources. This can include Infrastructure-as-a-Service (“IaaS”), Software-as-a-Service (“SaaS”) and Platform-as-a-Service (“PaaS”).

Relevance to UK businesses

The Data Act applies to entities outside of the EU if they provide connected products or related services within the EU.

Importantly, if a business is not established in the EU but offers products or services in the EU and falls within the scope of the Data Act, that business must appoint a legal representative in an EU member state.

Data access

If a user cannot directly access data from a connected product or related service, the data holder must, following a request, provide access without undue delay, easily, securely, free of charge and in a comprehensive, structured, commonly used and machine-readable format. The user can also request that this data is shared with a third party in the same manner.

This right of access is not absolute. For example, data holders are not under an obligation to provide secret information with commercial value e.g. trade secrets.

Unfair terms

The Data Act establishes a targeted B2B unfair‑terms regime for data‑sharing arrangements, limited to clauses governing the making available of data. It sets out a black list (always unfair) and a grey list (presumed unfair unless rebutted by context), alongside a general unfairness test. For example, the black list captures, among other things, terms that grant the party imposing them the exclusive right to decide whether the supplied data complies with the contract. On the other hand, the grey list captures, among other things, terms that allow the imposing party to access and use the counterparty’s data in a way that is significantly detrimental to the counterparty’s legitimate interests.

The regime does not assess price adequacy, the contract’s main subject matter, or provisions unrelated to data access.

Data access by design

From 12 September 2026, connected products and related services placed on the EU market must be designed/provided in a way which allows a user to access product data and related service data.

The data must be accessible by default, easily, securely and free of charge. It must be provided in a structured, commonly used and machine-readable format.

Where a manufacturer or other party affects the accessibility of the initially accessible data or there is additional accessible data, the changes need to be communicated to the user.

Switching data processing services

The Data Act removes barriers to termination for customers of data processing services.

Providers of data processing services must allow a customer to switch to a competitor or an in-house solution. The provider can require a notice period for the switch, not exceeding two months. The provider must also transfer the customer’s data within 30 days of the switch.

There are limited exceptions to this right. Generally, customers will not be entitled to this termination right where the service is predominantly custom-built and not offered on a broad commercial scale or where the service is provided temporarily for testing and evaluation purposes as a non-production version.

Providers should note that this switching right applies even where the contract was concluded prior to 12 September 2025.

International transfers

The Data Act implements measures to protect data located in the EU, in addition to the obligations required under GDPR. For example, data processing service providers are required to inform customers about any international data requests from a third-country authority prior to complying with the request. Providers are also obliged to keep their websites updated with information on the jurisdictions that their data processing infrastructure falls under and the technical, organisational and contractual measures in place to prevent international governmental access or transfer of non-personal data held in the EU that would be contrary to EU or EU member state law.

Government access

The Data Act gives public bodies the right to access private sector data during exceptional situations, e.g. health crises or natural disasters. This includes both personal data and non-personal data needed to address the exceptional situation.

Enforcement

Each EU member state must appoint a national authority to be responsible for enforcing the Act. These authorities are tasked with overseeing compliance, investigating complaints, and carrying out inspections.

Penalties for non-compliance will be determined and implemented by individual member states, ensuring they are effective, proportionate, and dissuasive. These penalties could range from financial fines to regulatory orders demanding changes in business practices.

Infringements that overlap with the GDPR can incur further penalties under GDPR sanctions, up to €20M or 4% of the company's annual turnover, whichever is higher.

Conclusion

For businesses, both within and outside the EU, understanding the implications of this legislation is crucial for compliance and strategic planning. Businesses need to review their data management practices, contracts, and compliance frameworks to align with the new requirements. The Data Act's enforcement mechanisms and potential penalties underscore the importance of adhering to these regulations.
