The Data Act applies. These are the key points

The EU Data Act will come into force on September 12, 2025. The law is intended to promote innovation through the improved availability of data. However, affected companies fear that the protection of trade secrets and copyrights will be weakened.

The regulation on harmonized rules for fair access to and fair use of data (Data Act) was already adopted on November 27 and has been in force since January 11, 2024.

Like the AI Act and the Digital Services Act, the Data Act is part of the European digital strategy. The aim of the Data Act is to make the EU a pioneer in the data-driven society and to ensure fair access to and fair use of data.

These are the key points:

The Data Act is intended to lay the foundations for an EU-wide data sharing economy

All players in the data economy should have access to industrial data in line with their interests. According to the EU Commission, 80 percent of the industrial data collected is never used. The Data Act is intended to lay the foundations for an EU-wide data sharing economy and leverage untapped potential in the development of innovative business models by improving the utilization of industrial data. The EU Commission’s explicit aim here is also to shift the market power of large companies and platforms, which act as gatekeepers, towards SMEs and consumers.

Data use only on the basis of a contract

If non-personal data is generated when using connected products, the manufacturers of these products require a contract with the users in order to be allowed to process the data. Users can even demand that the provider makes the data available to the user free of charge and without delay and also passes it on to third parties on the user’s instructions. In the latter case, the provider may demand reasonable remuneration, but only the reimbursement of direct costs in the case of SME recipients.

Data sharing – new challenges in the development of smart products

Users should be entitled to access the data they generate when using products or services at any time. The law stipulates an “accessibility by design” obligation for product development, according to which products and services should be designed in such a way that users can directly access user-generated data. If they cannot read the data directly within the product, providers are obliged to make the data available to users free of charge without delay – and in some cases even continuously and in real time.

In addition, manufacturers and providers of connected products will in future have pre-contractual information obligations regarding details of data use and existing user rights, which are similar to those of the GDPR.

The Data Act prohibits unfair contractual clauses in standard contracts

The Data Act contains a ban on unfair contractual clauses in standard contracts for data use and licensing from September 12, 2025. For old contracts, a deadline of September 12, 2027 applies (indefinite term or term ≥10 years from January 11, 2024). The prohibitions are strongly reminiscent of the German law on general terms and conditions and provide for a catalog-like list of contractual contents, the agreement of which can lead to the invalidity of individual clauses or, in extreme cases, the entire contract. In addition to the enumerated clause contents, clauses that grossly deviate from “good commercial practice of data access and data use” are particularly invalid.

Facilitating the change of provider for users

Changing providers in the field of data processing – i.e. cloud and edge services in particular – is to be made much easier for customers in future. In particular, the Data Act stipulates that providers must remove all commercial, technical, contractual and organizational obstacles that prevent customers from terminating the contract with a maximum notice period of two months, concluding a contract with a new provider, transferring the data or applications and other digital assets to another service within a minimum period for data retrieval of at least 30 calendar days. To this end, providers should be obliged to ensure the interoperability of their services by using open standards and interfaces. Switching fees may only be charged for this until January 12, 2027.

Data Act enables data access by public authorities

In exceptional cases, the Data Act also provides for a right of access to data by public bodies. The prerequisite for this, however, is that the public body explicitly requests disclosure from a company and approaches the company on the basis of an “exceptional need”. According to the Data Act, such special needs exist in particular in emergencies or if access is necessary for the fulfillment of the authority’s tasks, for example pandemics.

New products must enable data access

In future, manufacturers must design, manufacture and provide connected products and connected services in such a way that users can access their data easily, securely and free of charge as standard. However, this regulation will only apply to products that are placed on the market from September 12, 2026.

Violations can result in substantial fines

The Data Act provides for significant penalties for violations. Fines can amount to up to 20,000,000 euros or up to 4 percent of annual global turnover. The amount of the fines is reminiscent of the GDPR.

Conclusion

It is striking that the Data Act brings the processing of industrial data closer to the processing of personal data in regulatory terms by assigning the right to use the data originally to the users and granting them far-reaching decision-making powers with regard to its use. However, no specific statement has been made on the subject of data ownership.

The Data Act represents a significant encroachment on the contractual freedom of the parties involved in data usage contracts. It remains to be seen what consequences this will have.

Companies should start implementing the requirements of the Data Act now at the latest, as it is clear that the Data Act brings with it numerous obligations for digital companies, some of which can only be guaranteed through long-term and extensive process adjustments.