The EU’s Data Act is now being applied.

The legislation is one of the cornerstones of the EU’s Data Strategy, and sets out horizontal rules on data access and use, with the aim of boosting the EU’s data economy.

Even though we’ve known it’s been coming since January, it’s worth taking a look at how the new regulations are going to shake things up and how they could potentially affect you and your business – so let’s do that.

Everyday impact: consumers and businesses

The Commission says the new rules will make everyday life and business operations easier by breaking down barriers to data access:

  • Lower repair costs: If a smart device breaks down, consumers will be able to request that any repair service – not just the original manufacturer – gains access to the data needed to carry out the fix.

  • Cross-device services: Businesses or households with machines from different manufacturers will be able to use services that aggregate data across devices, for example by linking a thermostat with a garden shed system.

  • Shared machine data: Both device owners and manufacturers will be able to access operational data. For instance, a café owner could use coffeemaker data to improve their drinks, while the manufacturer uses the same information to design new models.

  • Public emergencies: Public authorities will gain rights to access private-sector data in response to emergencies such as floods or wildfires.

  • Fairer contracts: The Act includes protections for SMEs against unfair terms in data sharing agreements, opening up more opportunities for smaller firms in the data economy.

Key concepts clarified

An FAQ published by the European Commission shed light on several important aspects of the Data Act:

  • Data in scope: Obligations cover “raw but usable” data generated by connected products, not highly enriched or purely descriptive information. Historical data from second-hand products may also be accessible under certain limits.

  • Connected products: The definition is broad, ranging from consumer items like smart fridges and smartphones to industrial machinery and medical devices. Products whose primary purpose is storing, processing or transmitting data on behalf of others are excluded, unless they are owned, rented or leased by the user.

  • Related services: Apps and digital services qualify as “related” only if they exchange data both ways with the product and affect its functions or behaviour.

  • User, data holder, third party:

    – A user is anyone with a legal right over a product (owners, renters, leaseholders).
    – A data holder is any entity controlling access to data, which could include manufacturers, software providers or sensor suppliers.
    – A third party is someone receiving data at a user’s request, but only if they are established in the EU.

The FAQs note that companies cannot usually be both data holder and user for the same data, although the Act itself appears to allow for this in certain cases, so who knows.

Restrictions on data use

The Act significantly reshapes how data can be used:

  • Non-personal data: Data holders may only use readily available non-personal data if the user has agreed to this in a contract.

  • Third-party access: Only aggregated non-personal data can be passed to a third party, unless provided directly by the user.

  • Non-compete clause: Data may not be used to develop rival connected products, but competing related services are permitted to encourage innovation.

Relationship with GDPR

The Data Act does not override the General Data Protection Regulation (GDPR). Personal data sharing will still need to comply with GDPR, which the Commission acknowledges may prove challenging in practice.

The Act does, however, broaden data portability rights. Unlike GDPR, which covers only personal data and applies to individuals, the Data Act extends portability to personal and non-personal data, benefiting both individuals and businesses.

Any user receiving personal data under the Data Act becomes a controller of that data, and data protection authorities will oversee enforcement.

IoT data sharing in practice

Manufacturers must enable either direct access (for example, via a product interface or app) or indirect access (via request to a data holder). Hybrid models are permitted, depending on technical feasibility and cost.

Products already on the market before 12 September 2025 will not need to be redesigned to provide direct access.

Regardless of the model chosen, data holders must share data with a third party if a user requests it.

Transfers of non-personal data

The Act also introduces new rules on non-personal data transfers:

  • Restrictions: Providers of data processing services, such as cloud providers, face limits designed to protect data in the EEA from access under foreign legal frameworks.

  • Scope: These restrictions do not apply to internal business transfers or to users choosing providers outside the EEA.

  • Cloud obligations: The compliance burden will fall on service providers themselves, rather than their customers.

The Data Act represents a major shift in how data generated by connected devices can be accessed and used across the EU.

For consumers, it promises cheaper repairs and more choice of services. For businesses, it sets out new rights, obligations and market opportunities – but also raises questions around implementation, especially where personal and non-personal data overlap.
