Update Data Protection No. 200
The Data Act: Opportunities and challenges for companies
With the Data Act (Regulation (EU) 2023/2854), the EU has created a new legal framework regulating access to and use of data within the EU. The Data Act, which was adopted at the end of 2023 (we reported in Data Protection Update No. 148, No. 158 and No. 187), entered into force on January 11, 2024. The transitional period for the main provisions of the regulation expires on 12 September 2025.
The Data Act (DA) is intended to strengthen consumer rights and give small and medium-sized enterprises access to data. In addition, it introduces new requirements for product design, contract drafting and interoperability, as well as data access obligations and entitlements, in particular for data holders and data recipients as well as data processing services.
The following gives an overview of the essential obligations arising from the Data Act and of the resulting economic opportunities and risks for the companies concerned.
I. Scope of application
The material scope of the Data Act is defined in Art. 1 DA and includes, in particular, connected products and connected services that generate or process digital data during their use. According to Art. 2 No. 5 DA, a "connected product" is an "object that obtains, generates or collects data about its use or environment and that can transmit product data via an electronic communications service, a physical connection or an in-device access and whose main function is not to store, process or transmit data on behalf of a party other than the user". These include IoT devices in areas such as consumer electronics, smart home, mobility, industry or medical technology.
Art. 1 para. 2 DA describes the categories of data covered and clarifies that both personal and non-personal data fall within the scope. For personal data, the data protection law already in force, in particular the GDPR, remains unaffected (cf. Art. 1 para. 5 DA). In practice, however, this can lead to considerable delimitation and interpretation problems, especially in determining the applicable legal bases and the compatibility of the data access claims under the Data Act with the protection requirements of the GDPR.
With regard to the personal scope of application, the Data Act follows the marketplace principle (Art. 1 para. 3 DA), which means that companies outside the EU are subject to the regulation if they offer connected products or services in the EU. It covers manufacturers, providers of connected services, users, data holders, data recipients and providers of data processing services. Public bodies can also request data under certain conditions (Articles 14 et seq. DA).
In addition, virtual assistants are included in the scope of application (Art. 1 para. 4 DA). These software solutions – such as voice assistants or AI-based control systems – process user input and interact with connected products or services. However, the exact demarcation between virtual assistants and connected services remains open, which can lead to uncertainties in legal accountability.
II. Obligations
The Data Act lays down extensive obligations for all actors in the data-based economy, in particular for data holders and data recipients. However, small and micro enterprises are largely exempt from the requirements of the Data Act. This includes all companies with fewer than 50 employees and an annual turnover or balance sheet total of less than EUR 10 million.
1. Obligations of data holders and data recipients towards users
a) Obligations of data holders towards users
Data holders are natural or legal persons who are entitled or obliged under the Data Act or other legal requirements to make available data from connected products or connected services (Art. 2 No. 13 DA). They are subject to extensive obligations regarding the provision of data to the users of these products.
First, data holders must comply with far-reaching information obligations towards the users of connected products and connected services before a corresponding purchase, rental or other usage contract is concluded. They must explain in detail what data is generated and stored by the product, how long that data is retained, and how the user can access it. In addition, they are obliged to inform the user about potential data recipients and the conditions of possible disclosure (Art. 3 paras. 2 and 3 DA).
In addition to this transparency obligation, the Data Act also ensures a direct right of access for the user to the data generated and stored by the networked product.
The data holder must enable data access directly from the connected product, to the extent that this is technically possible and appropriate. Otherwise, it is obliged to provide the data without delay, easily, securely, free of charge, in a comprehensive, commonly used and machine-readable format and in real time (Art. 4 para. 1 DA).
In addition, the Data Act regulates the conditions under which data may be disclosed. The data holder may only use the data generated by the product for its own purposes or pass it on to third parties if the user agrees to this in a contract. This applies in particular to non-personal data, while the provisions of the GDPR continue to apply to personal data (Art. 4 paras. 13 and 14 DA).
To protect sensitive company information, the data holder can deny access to certain data if its disclosure would result in significant economic damage or endanger trade secrets. However, these protective measures may not be misused to impermissibly restrict the user's legally guaranteed access to data (Art. 4 paras. 6-9 DA).
Finally, the Data Act also contains restrictions on the use of the data received by the user. The user may not use the data to develop a competing connected product or to draw conclusions about the trade secrets of the data holder. This is intended to prevent the data access opened up by the Data Act from leading to competitive disadvantages for the original manufacturer (Art. 4 para. 10 DA).
b) Obligations of the data recipients towards users
Data recipients are third parties to whom a user grants access to certain data or whose receipt of the data the user requests from the data holder (Art. 2 No. 14 DA). Their obligations are governed in particular by Articles 5 and 6 DA:
The Data Act grants the user not only a right of access of their own to the data generated by their connected product, but also the right to request that it be passed on to third parties. At the request of the user, the data holder is obliged to transmit certain data directly to a third party designated by the user. This access must take place without delay and, as far as technically feasible, in real time (Art. 5 para. 1 DA).
The contractual relationship between the data recipient and the user is subject to specific provisions of the Data Act (Art. 6 DA). The data recipient may use the data received exclusively for the purposes agreed with the user. Disclosure to other third parties is only permissible if the user has expressly consented to this. In addition, Art. 6 para. 2 lit. h DA obliges data recipients not to prevent consumers from sharing the data provided to them with other parties – not even by contractual restrictions. This is intended to prevent companies from gaining exclusive control over data and impermissibly restricting users in their data sharing.
Finally, special care must be taken when handling personal data. Data recipients must ensure that the processing of this data is carried out exclusively in accordance with the GDPR. In particular, this means that there must be a lawful basis for the processing. The provisions of the Data Act do not release companies from their obligations under data protection law, but supplement and specify the requirements in the context of data transfer (Art. 5 para. 7 DA).
2. Duties among each other
In addition to the obligations towards the users of connected products, the Data Act also regulates the obligations of data holders and data recipients towards each other.
Art. 8 DA obliges data holders to provide data access to data recipients on a fair, reasonable and non-discriminatory basis ("FRAND" principle). This means that access to the data must be transparent and no excessive or unreasonable restrictions must be imposed. In particular, companies must not demand unfair terms and conditions or excessive prices in order to make access to economically relevant data more difficult or to disadvantage certain market players.
The pricing of access to the data is subject to Art. 9 DA. Data holders may only demand appropriate compensation for the provision of the data, which must be based on the actual costs of the provision. Disproportionate or abusive price demands are not permitted. Micro, small and medium-sized enterprises (SMEs) are particularly protected under Art. 9 para. 3 DA, as they may not be charged any fees for data access.
Technical protection measures and security precautions to maintain the integrity and confidentiality of the data are regulated in Art. 11 DA. Data holders may (and must) use technical measures to protect access to the data, but only to the extent that these measures are not intended to hinder or delay authorised access by data recipients. Likewise, data recipients are obliged to process the data received in compliance with the applicable security standards and to protect it from unauthorised access.
3. Drafting of contracts
Another key requirement of the Data Act is the creation of fair and transparent contractual relationships between data holders and data recipients. Art. 13 DA contains provisions to prevent unfair contractual terms in agreements on data access in the B2B sector, which are in addition to the applicable provisions of Sections 305 et seq. of the German Civil Code. The aim is to avoid imbalances that could lead to smaller market participants being disadvantaged by unilaterally imposed conditions.
Under Article 13(1) of the DA, contractual terms are invalid if they create a significant imbalance to the detriment of one of the contracting parties. This applies in particular to cases in which an economically stronger contractual partner unilaterally imposes disadvantageous conditions on a small or medium-sized company.
Article 13(2) of the DA gives specific examples of contractual terms. These include, in particular, rules that allow one party to unilaterally change the terms and conditions without the other party having to agree, or clauses that impose excessive liability without providing for any corresponding consideration. Clauses that prevent the data recipient from reusing the received data under fair conditions can also fall under the prohibition of misuse.
The provisions in Art. 13 DA are particularly relevant for companies operating under data licence agreements or data trading agreements. They help to create a level playing field by preventing individual market participants from abusing their economic power through non-transparent or unilateral contract drafting.
4. Data processing services
The Data Act also imposes new obligations on providers of data processing services. Customers should have the freedom to switch their cloud or data processing services without excessive hurdles. Art. 23 DA obliges providers to technically facilitate switching between services by ensuring interoperability and standardised interfaces. In addition, they must provide support during a fixed transition period to ensure a smooth transition.
In addition, unreasonable switching fees are to be banned in the future. While charges for the actual service or for necessary technical measures are permitted, excessive or hidden fees that de facto tie customers to a provider are to be prevented. From 2027 at the latest (Art. 29 DA), switching is to be completely free of charge for customers.
III. Sanctions
The Data Act provides for significant fines for violations. The maximum sanction is modelled on the General Data Protection Regulation (GDPR) and can amount to up to EUR 20 million or 4 % of a company's global annual turnover.
The precise definition of the rules on fines is the responsibility of the individual EU Member States. According to Article 40(3) of the Data Act, the following factors should be taken into account when determining the amount of the fine:
- the nature, gravity, scope and duration of the infringement
- measures taken to mitigate or remedy the damage
- previous violations
- financial gains or losses resulting from the breach
- other aggravating or mitigating circumstances of the individual case.
The penalties provided for shall be effective, proportionate and dissuasive. The aim is to create a strong incentive for companies to comply with the requirements of the Data Act and to ensure a fair data market in the EU.
IV. Economic opportunities for companies
In addition to new obligations, the Data Act also offers companies significant economic opportunities. By facilitating access to industrial and IoT data and enabling new data-driven business models, companies that use data as a commodity or as the basis for innovative digital services can benefit in particular.
A key advantage of the Data Act is the creation of a fair and competitive data market. Data that previously remained in closed systems is now accessible – this promotes data-based innovation and new business models. Data intermediaries could establish themselves as new market players by operating data platforms, pooling data and offering companies structured access to valuable information.
However, the Data Act also brings challenges. The economic value of data, for example, remains a controversial issue. Although the Data Act provides clear guidelines on the fairness and proportionality of fees for data access (Art. 9 DA), the question of the actual monetisation of data remains complex.
V. Recommendations for action for the stakeholders concerned
In order to meet the requirements of the Data Act and make the most of the resulting opportunities, companies should take action early on. The following summary of the measures should provide an initial orientation for the various actors in the data-based economy.
Manufacturers of connected products should ensure that they fully comply with their legal information obligations by clearly informing users about what data the product generates and stores before making a purchase. In addition, direct data access must be made possible – either via the product itself or, if technically not otherwise feasible, by providing it promptly, securely and free of charge in a machine-readable format.
Data processing service providers are required to ensure the interoperability of their systems, making it easier to switch between different services. This also requires the implementation of standardized interfaces. From 2027, they will also have to offer users the switch free of charge.
Data holders must provide transparency about the data they store and process by informing users accordingly and giving them direct access to it. The use and disclosure of the data is generally only permitted with the user's consent. In order to protect sensitive information, it must be ensured that access can be denied if disclosure could cause significant economic damage.
Data recipients may only use user data for the purposes specified in the contract. Disclosure to other third parties is only permitted with the express consent of the user. At the same time, they must not prevent users from sharing the data they receive with other parties – not even through contractual restrictions. The processing of personal data must comply with the provisions of the GDPR.
The FRAND principle applies to cooperation between data holders and data recipients: access to the relevant data must be provided in a fair, reasonable and non-discriminatory manner. At the same time, technical protection measures are permissible and necessary to ensure the integrity and confidentiality of the data, provided that they do not impermissibly hinder lawful access.
Unfair terms that create a significant imbalance between the parties to the contract are not permitted in the drafting of contracts.
VI. Outlook
The Data Act is an important step towards a uniform and fair data market in the EU. Companies are now faced with the challenge of adapting their processes to the new regulations, especially with regard to data access obligations, contract design and interoperability requirements. While the regulation facilitates access to valuable IoT and industrial data and creates new business opportunities, companies must also ensure that their contract structures, pricing models and technical infrastructures comply with the new requirements.
The transition period until September 2025 offers the opportunity to prepare strategically for the upcoming changes and to take compliance measures at an early stage. It will be particularly important to analyze existing data structures, clarify internal responsibilities and put contracts with business partners to the test in order to avoid risks associated with unfair contract terms or unreasonable fee demands.