Are we ready for the Data Act?

The Data Act (Regulation (EU) 2023/2854) is an EU Regulation aimed at creating a competitive and innovative data market by establishing rules for fair access to and use of data.

The act started to apply in the EU on 12 September. It is a significant piece of legislation that will make more data available for use in the economy and society, and it covers both personal and non-personal data. The obligations primarily relate to “product data” (which is data generated using a connected product) and “related service data”. One of the main purposes of the Data Act is to establish rules setting out who can access and use data generated by connected products and related services in the EU.

In fact, data holders are particularly impacted by this regulation. A data holder, whether an individual or an organisation, is usually the manufacturer or service provider that controls access to data generated or retrieved from a connected product or related service and holds the right or obligation to use and share it.

The Data Act operates alongside other EU instruments, notably the GDPR, the DMA and the DGA. Where those other acts govern the same subject matter (for example, personal data under the GDPR), their rules continue to apply and must be respected when implementing Data Act obligations. Let us now list some of the key rights and obligations.

The Data Act sits alongside a growing mix of existing and planned EU data-related laws, such as the GDPR (especially in relation to the right of access and data portability), the Data Governance Act, the proposed European Health Data Space, and the Digital Markets Act. The Data Act, which is an EU regulatory initiative (Commission proposal published on 23 February 2022), was designed to unlock the value of data held by businesses and by connected products, to promote fairness in data-sharing, to reduce vendor lock‑in, and to ensure public-sector access to privately-held data in public-interest situations.

Readers may ask why the Data Act was introduced. The answer is to spur competition and innovation by improving access to data generated by devices and services (especially IoT and industrial data). It also prevents abusive contractual practices and vendor lock‑in by dominant cloud/platform providers. Other important aspects include quicker access to data for public authorities in emergencies, with safeguards and compensation.

It introduces, among other things, fairness of contract terms, such as provisions that prohibit or limit unfair contract terms that impede switching providers or sharing data; data holders cannot unreasonably limit access to data in contracts. It expects data to be made available in machine‑readable, interoperable formats, and it sets rules to reduce cloud and service provider lock‑in.

A more important aspect is the protection of trade secrets and business‑sensitive information. Safeguards are in place to prevent unfair disclosure of genuinely sensitive business data. How does the Data Act relate to other rules such as the GDPR? The Data Act does not override the GDPR: controllers and processors must still respect data‑protection obligations when data is personal or mixed.

Again, one observes that the DGA continues to focus on governance, reuse of public sector data and data intermediaries, whereas the Data Act focuses purely on access and allocation rules for data held by private actors and on users’ rights to data. The Digital Markets Act addresses competition and gatekeeper power in core platform services, to ensure contestability and fairness in digital markets. If a conflict arises, it will be resolved through the normal EU legal and enforcement channels: national authorities/courts will apply EU law and set aside conflicting national provisions, the European Commission can open infringement proceedings against a member state, and the Court of Justice of the European Union (CJEU) issues final rulings on interpretation.

Now let us discuss which businesses are affected. These include manufacturers of connected products; service providers that process data (cloud, platform, analytics providers); and SMEs and start-ups that rely on access to data to offer services, apart from public authorities and end users (consumers and business users) who gain greater rights to access and reuse data.

What should organisations do after the implementation date? As a practical guide, these organisations need to:

  • Review contracts and terms of service to ensure compliance and to avoid clauses that could be deemed unfair or blocking access;
  • Prepare technical capability to supply data in interoperable, machine-readable formats and to permit third-party access under user instruction;
  • Review data governance and IP/trade-secret protection policies to reconcile sharing obligations with protection of sensitive information;
  • Assess cloud/provider lock-in risks and migration/portability plans; and
  • Put processes in place to handle lawful government requests for data under the act (and understand compensation/safeguards).

In conclusion, given that the Data Act is an EU regulation, its rules are directly applicable across member states and, in principle, take priority over conflicting national law. National measures that the Act explicitly preserves or permits remain valid only insofar as they fall within the Act’s limits.
