The EU Data Act is one of the cornerstones of the EU's Data Strategy and introduces a new and horizontal set of rules on data access and use to boost the EU's data economy. Most of the provisions of the Data Act will become applicable as of 12 September 2025. To assist stakeholders in the implementation, the European Commission recently published a fairly extensive FAQ document. This article provides an overview of the main takeaways.
Key concepts
The FAQs clarify some of the Data Act's main concepts and contain clarifications on its scope of application. Although the FAQs cover all parts of the Data Act, the Commission focuses on the data sharing obligations for IoT data (Chapter II).
On the material scope:
- Data: The 'data' in scope of the mandatory data sharing obligations are raw and pre-processed data ('raw but usable' data'). Purely descriptive data (eg user manual or label info) is not included. Highly enriched data, such as data inferred or derived data through the use of algorithms or other additional investments, is not in scope. Furthermore, users only have a right to access data which was generated by a connected product (eg a connected car) and not by that product's infrastructure (eg a highway), unless the user of the connected product also received (ownership or contractual) rights over the sensors in the infrastructure. In case of subsequent users (eg a second-hand product), the Commission indicates that the Data Act “can be read” as providing a right to access to historical data (provided granularity and scope are limited to preserve rights and interests of others, eg privacy).
- Connected product: The definition of connected products is wide and can range from consumer products (eg smart fridges) over industrial machines to medical devices. It includes finished products (not prototypes) placed on the market in the EU. The latter is assessed with regard to an individual product (in accordance with the Commission's 'Blue Guide on the implementation of the product rules'). This means that the Data Act does not automatically apply to all products of the same type. To illustrate the broad scope, smartphones are specifically stated to be in scope of the Data Act in the FAQs – this appears consistent with the definition of connected products in the finalized version of the Data Act text but is a departure from the position in the initial legislative text, which specifically excluded smart phones (and other products with primary function to display, record, transmit, play content). A key exclusion from the definition of connected products are products whose primary function is the storing, processing or transmission of data on behalf of any party other than the user. However, the FAQs seem to interpret the “on behalf of any party other than the user" as “unless they are owned, rented or leased by the user” which appears to be a narrower interpretation of the legal text.
- Related service: A related service will encompass most, but not all, digital services. To qualify as a related service (eg an app to adjust lights), two main conditions must be fulfilled:
- there must be a two-directional data exchange between the related service and the connected product: This is an important clarification which seems to exclude apps that merely display (aggregated) data received from a connected product.
- the related service must affect the connected product's 'functions, behaviour or operation': The Commission admits that the meaning of this determinator is not yet fully fleshed out and emphasizes that courts and real-life practice will have a role in further delineating this notion. Criteria that may be used are, for example, the accompanying marketing, the user expectations, contractual negotiations or whether the service was preinstalled on the connected product.
On the personal scope:
For many organisations, understanding their role(s) under the upcoming data sharing obligations has been another challenging area of the Data Act. The FAQs also further clarify the new notions of 'data holder', 'user' and 'third party'.
- User: A user of a connected product is a natural or legal person or even a public sector body, who has a legal right on a connect product (based on civil rights relations of ownership, rent or lease). Where multiple persons have such a 'stable right', there can be more than one user with regard to the same connected product (eg sub-lease, or the renter together with the owner)
- Data holders: Data holders are those who control the access to the readily available data. This may be the original equipment manufacturer of the connected product, software companies, providers of sensors and providers of other electronic equipment, to the extent each of these have access to the data. The main criterion is therefore not who produced the hardware or software. The Commission also confirms that the role of a 'data holder' can also be outsourced (eg to another group entity). There may also be multiple data holders for the same connected product (eg manufacturer of the product and component supplier). Even situations without data holders are a possibility. When the data generated by a connected product is stored directly on the device without access for the manufacturer, then there is only a user and no data holder.
- Third parties: A third party within the meaning of Chapter II of the Data Act is a person that receives data from a data holder upon request of a user. An interesting point that is confirmed by the FAQs is that the data holders are only obliged to share readily available data upon request of a user with a third party if that third party “is in the Union”. According to the Commission, operators that “do not have a presence in the EU” do not need to receive access.
Interestingly, the FAQs mention that companies cannot be a data holder and user for the same data. This combination of roles is only possible when different connected products or related services are involved. This position seems to be inconsistent with recital 34 of the Data Act which states that in certain cases “a user, once data has been made available, may in turn become a data holder if that user meets the criteria under [the Data Act]”.
In terms of temporal application, the FAQs clarify that the right to access only applies to data generated or collected after the Data Act enters into application on 12 September 2025. The Data Act will thus not require legacy data to be made available.
Restrictions on data use
In terms of data usage rights, the Data Act presents a significant shift. The Data Act prohibits data holders to use any readily available data that is non-personal data, unless such use is contractually agreed with the user. The FAQs confirm that each data holder must agree with the user on the use of data (based on transparent terms), which requires that data holders timely revise the relevant agreements to continue using readily available data. A third party that receives data following a request of the user to the data holder needs to secure a similar contractual approval from the user to use the received data.
In terms of data sharing by a data holder with third parties, the Commission states that, even with contractual agreement of the user, only aggregated non-personal data can be made available to a third party. Only the user can be a source of access to granular non-personal data from the connected product or related service.
Another point of attention for companies is that the non-compete provision of the Data Act is limited to the use of the data obtained to develop another connected product. According to the Commission, this non-compete restriction does not extend to the creation of competing related services, which is something organisations should be aware of, both when assessing the viability of a business model and when exploring new business opportunities. The European Commission underlines that competition in the field of related services is needed to stimulate innovation and offer consumers a wider choice range in value-added services, such as maintenance and aftercare.
Overlap with data protection laws
The FAQs confirm that the Data Act is without prejudice to the General Data Protection Regulation. In other words, data sharing obligations under the Data Act do not excuse a controller from having to comply with data protection obligations when sharing personal data. Whilst this principle seems clear in theory, it will likely prove challenging to operationalise effectively as data holders will likely struggle to separate personal data from non-personal data which will be key in determining both the obligations that apply and the steps that must be taken to ensure lawful transfer of data.
The GDPR right to data portability is said to be enhanced by the Data Act. The GDPR right only relates to personal data and requires certain conditions to be met (e.g., processing of personal data was carried out on the basis of consent or contractual relationship) and only applies to data subjects. The Data Act obligations around portability apply to personal and non-personal data and both individuals and businesses can benefit (provided they are users).
The FAQs also clarify that a user (who is not a data subject) that obtains personal data under the Data Act becomes a controller of that personal data and that data protection authorities will be competent to enforce rules on personal data protection and, therefore, they will be responsible for monitoring the application of the Data Act and can rely on tasks and powers provided under the General Data Protection Regulation.
Implementation of IoT data sharing
To grant users their right of access, manufacturers of connected products must provide them with either direct or indirect access.
- Direct access means that the user can access the data without having to contact the data holder first. Examples of direct access are connected products that have a digital interface to download the data directly or a mobile app where the data is accessible.
- Indirect access means that the user must first request access with the data holder through an approval process. Examples of this type of access include providing a web portal or contact form for access requests.
It is important to note that the Commission indicates that manufacturers have “a “discretion and” are allowed” to decide between indirect access and direct access, based on what is 'relevant and technically feasible', the costs of technical modifications, or the protection of trade secrets. Hybrid formats are also an option (eg direct access only for some data).
Products which are already on the market before 12 September 2025 do not need to be redesigned to provide direct access.
Data holders must still share data with a third party upon request of the user, irrespective of whether the user itself has direct access.
Transfers of non-personal data
The FAQs also provides some context about other parts of the Data Act, in particular the transfer restrictions for providers of data processing services (eg cloud service providers) to protect non-personal data in the EEA from unlawful direct transfers or governmental access stemming from third-country legal frameworks containing transfer or access obligations.
The Commission stresses that these new data transfer rules for non-personal data only have a specific scope. These restrictions do not apply to international transfers between or inside businesses. Neither do they impact the possibility for users of cloud services to freely choose cloud service providers regardless of where the data will be stored.
The Data Act does however include obligations for providers of data processing services that choose to store their non-personal data in the EEA. The obligations essentially result in obligations for cloud services providers, irrespective of their place of establishment, providing such services to customers in the EEA, rather than imposing a (compliance) burden on customers of those services.
European Commission's next steps
- Interoperability: The Commission indicates it has no intention to replace existing standards. However, to support interoperability in data spaces, the European Commission has prepared a “European Trusted Data Framework” standardisation request that is currently under consultation with the European standardisation organisations. It is expected to be formally adopted by the end of 2024.
- Standard Contractual and Model Clauses: The European Commission is expected to deliver model contractual terms for data sharing agreements and standard contractual clauses for cloud computing agreements before 12 September 2025 (without providing a more specific timing). The FAQs clarify that these non-binding terms will be adaptable by parties based on their contractual needs.
- Further guidance: The European Commission will publish guidance on reasonable compensation for making data available. This guidance will only be available after 12 September 2025. Other topics on which the Commission considers issuing further guidance after the entry into application include the type of measures to be implemented by data processing service providers to prevent unlawful governmental access to or transfer of data (Chapter VII), and guidelines for the effective application of data access and use rules (Chapter II).
[View source.]
