Andre Walter and Stefan Abt, data law experts at Pinsent Masons based in Amsterdam and Munich, said the new data law could require a wide range of companies across a range of sectors to update terms of use for connected products and amend data-sharing and licensing agreements.
The Data Law, proposed by the European Commission as a core element of the EU's data strategy for 2022, was adopted by EU legislators in the European Parliament and the European Council late last year. The law came into force on January 11, 2024, but its provisions will start to apply from September 12, 2025.
The Data Act provides for both business-to-consumer and business-to-business data sharing with respect to data acquired, generated or collected by connected products or related services.
“Data owners,” a term that applies to a wide range of companies, including automotive and consumer goods manufacturers, commercial infrastructure providers, healthtech and medical device companies, and industrial machinery providers, have a general obligation to provide users of their products or services with access to their data, under conditions prescribed by law, including that the data be provided free of charge and in a “comprehensive, structured, commonly used and machine-readable format.” There are exceptions to this obligation, including those relating to the protection of trade secrets and cybersecurity.
Users can also request that their data be shared with a third party (the “data recipient”). Data holders are obliged to make the data available on fair, reasonable and non-discriminatory terms. The Act requires that data holders and data recipients enter into a contract governing access to and use of the data, and allows the data holder to seek reasonable compensation. The Act also provides that contract terms (including those relating to exclusions and limitations of liability) will automatically be deemed unfair if the data holder unilaterally imposes these terms on the recipient, and therefore be unenforceable by the data holder.
Additionally, the Data Act gives public authorities limited powers to request data holders to provide them with data. This power applies where a public authority can demonstrate an exceptional need for the data in the context of using the data to fulfil a statutory duty in the public interest. The Act lists the steps public authorities must take when making such a request and further outlines the steps data holders must take to follow. Data holders are entitled to “fair compensation” if they share data with a public authority, and the Regulation also provides that public authorities may share data they receive with research or statistical agencies.
Other rules included in the Data Act include standards for smart contracts to promote interoperability standards for shared data, greater interoperability and switchover of “data processing services,” including those offered by data center operators and cloud service providers, and rules on the unlawful access or transfer of non-personal data by third-country governments.
The provisions under the Data Act will come into force in stages. Most of the provisions will apply from 12 September 2025, but the provisions on designing connected products and related services in a way that makes data available to users by default will only apply to products and related services placed on the market after 12 September 2026. The rules on unfair contract terms will initially only apply to contracts concluded after 12 September 2025, but from 12 September 2027 they will also apply to contracts concluded before 12 September 2025, provided they have no fixed term or are due to expire at least 10 years after 11 January 2024.
“The Data Act is far-reaching legislation that will have a major impact on thousands of businesses in many different sectors across the EU,” said Andre Walter of Pinsent Masons.
“The first step companies should take is to conduct research to determine whether the Data Act applies to their products and services. An impact analysis will help companies further determine the specific provisions that pertain to them,” he said.
“For companies that are classified as 'data holders' under the Data Act, exercising data classification will help them determine what data is protected in other areas of law, such as trade secrets or other intellectual property, and therefore does not need to be shared under the new law,” Walter said.
Stephan Abt added: “Of particular concern is the reconciliation of the GDPR and its privacy-by-design principle with the Data Act's access-by-default principle. Companies that are not yet clear which data generated by their products and services constitutes personal data under the GDPR will find themselves in a tough position, as they risk breaching either the GDPR or the Data Act, both of which carry equally tough sanctions regimes.”
Walter said many data owners will also need to consider “revising the terms and conditions of their connected products and related services, or data processing services,” and that existing data sharing and licensing agreements may need to be amended “to reflect new requirements, such as fairness, non-discrimination and switching fees.”
Abt added: “For potential data recipients, the coming into force of the Data Act should serve as a catalyst for them to consider what data can be released under the regulation and used to develop and improve their own products and services.”
Pinsent Masons Data Law Overview