Share
The EU Data Act which came into force in January 2024 marks a significant milestone in the EU’s efforts to redefine data governance. As part of the EU’s broader digital strategy, the Data Act complements the GDPR and other regulatory initiatives by focusing on equitable data sharing, enhanced interoperability, and the removal of barriers to competition in the digital economy. Its provisions, set to become applicable in September 2025, are designed to give businesses and consumers greater control over the data they generate and to foster innovation in data-driven markets.
The EU Data Act is divided into six main chapters, each tackling a distinct aspect of data governance. These include rules on (1) Internet of Things (IoT) data sharing; (2) frameworks for business-to-business (B2B) and business-to-government (B2G) data exchanges; (3) protections against unfair contractual terms; (4) requirements for switching providers; (5) safeguards against unlawful foreign government access requests to data; and (6) interoperability. In addition, the Act introduces streamlined enforcement mechanisms, requiring a single point of contact in each member state to avoid the fragmented oversight seen in some previous EU legislation, such as the GDPR in Germany. The scope and ambition of the Data Act promise to reshape the European data landscape, but its implementation will require significant adjustments by organisations across various sectors, from IoT manufacturers to cloud service providers.
IoT data sharing: my device, my data
One of the most impactful aspects of the EU Data Act is its approach to IoT data sharing. Traditionally, manufacturers of connected devices have maintained exclusive control over the data generated by their products, leveraging it to improve their offerings or create new revenue streams. End users, whether individuals or businesses, have often been excluded from accessing this data, even when they are the ones generating it. The Data Act disrupts this model by granting both consumer and business users the right to access the data produced by their connected devices. For consumers, this could mean the ability to retrieve and analyse data from products like smart cars, fitness trackers, or home automation systems, empowering them to better understand and manage their interactions with these devices. For businesses, the implications are even more profound. Companies using industrial robots, agricultural machinery, or other connected equipment will now be entitled to access the data generated by these devices, enabling them to optimise operations, enhance efficiency, and innovate in their respective markets.
However, this new right comes with certain limitations. Manufacturers will be allowed to charge a reasonable fee for providing access to IoT data, and safeguards are in place to protect trade secrets. The Act explicitly prohibits the disclosure of data that could cause significant economic harm to manufacturers, ensuring a balance between openness and the protection of proprietary information. For a comparison of data access rights under the GDPR and the EU Data Act, please see our article.
Organisations affected by these changes will need to carefully evaluate how they collect, store, and manage IoT data. Manufacturers, in particular, must prepare for the operational and financial implications of sharing previously exclusive data while maintaining compliance with the Act’s safeguards.
Facilitating data portability and switching providers
Another key focus of the EU Data Act is its effort to simplify the process of switching data services. The complexities and costs associated with migrating from one cloud provider to another have long been a barrier to competition in the digital services market. The Act addresses this issue through measures designed to increase transparency and remove technical obstacles. The EU aims to resolve this issue through a dual-pronged approach. First, cloud service providers will be required to meet minimum transparency standards in their contracts, ensuring that terms related to data portability and migration are clear and fair. Secondly, providers must also support customers in extracting their data and migrating it to other systems. These requirements aim to prevent lock-in and promote a more competitive marketplace. To ease the transition, the Act introduces a phased implementation timeline. Until January 2027, providers may charge customers for the costs associated with data egress and migration. After January 2027, providers must provide these free of charge as such charges will be prohibited, further incentivising organisations to explore alternative service providers without fear of financial penalties.
The implications for cloud service providers are significant, as they must invest in the infrastructure and processes necessary to facilitate data portability. For businesses relying on cloud services, the Act offers an opportunity to reassess existing contracts and explore more competitive options.
The way forward
The EU Data Act heralds a significant shift in the digital economy, aiming to unlock the potential of data while promoting fairness and transparency. For businesses, the Act represents both a challenge and an opportunity. The compliance requirements are substantial, but the benefits, ranging from increased access to valuable IoT data to greater flexibility in choosing service providers, could be transformative.
Organisations should use the lead time before September 2025 to prepare for the Act’s implementation. This includes reviewing existing systems, contracts, and processes to ensure compliance, as well as exploring new strategies to derive value from the data they generate or hold. Businesses that embrace the changes introduced by the Data Act will be well-positioned to thrive in an increasingly data-driven world.
Related article: Looking ahead: A global shift towards digital regulation for children
This article was co-authored by Joshua Curzon, Trainee Solicitor.