03-04-2025 | Article

Update Data Protection No. 200

The Data Act: Opportunities and challenges for companies

With the Data Act (Regulation (EU) 2023/2854), the EU has established a new legal framework to regulate access to and the use of data within the EU. The Data Act, which was adopted at the end of 2023, came into force on January 11, 2024. The transition period for the essential contents of the regulation will end on September 12, 2025. The Data Act aims to strengthen consumer rights and enable data access for small and medium-sized enterprises (SMEs). It introduces new requirements for product design, contract formation, and interoperability, as well as data access obligations and claims, particularly for data holders and recipients, and data processing services. Below is an overview of the key obligations resulting from the Data Act and the economic opportunities and risks for the affected companies.

I. Scope

The scope of the Data Act is defined in Article 1 and includes connected products and related services that generate or process digital data during their use. A "connected product" is defined in Article 2(5) as an item that obtains, generates, or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection, or on-device access, and whose primary function is not the storing, processing, or transmission of data on behalf of any party other than the user. This includes IoT devices in areas such as consumer electronics, smart home, mobility, industry, or medical technology. Article 1(2) describes the data categories covered and clarifies that both personal and non-personal data are included. For personal data, existing data protection laws, particularly the GDPR, remain unaffected. This can, however, lead to significant demarcation and interpretation issues in practice, especially in determining the applicable legal bases and the compatibility of the Data Act's data access claims with the GDPR's protection requirements.

Regarding the personal scope, the Data Act follows the market location principle (Article 1(3)), meaning that companies outside the EU are subject to the regulations if they offer connected products or services in the EU. This includes manufacturers, providers of related services, users, data holders, data recipients, and providers of data processing services. Public authorities can also request data under certain conditions (Articles 14 ff.). Additionally, virtual assistants are included in the scope (Article 1(4)). These software solutions, such as voice assistants or AI-based control systems, process user inputs and interact with connected products or related services. The exact distinction between virtual assistants and related services remains open, which can lead to uncertainties in legal responsibility.

II. Obligations

1. Obligations of data holders and recipients towards users

a) Obligations of data holders towards users

Data holders are natural or legal persons who are entitled or obliged to provide data from connected products or related services under the Data Act or other legal requirements (Article 2(13)). They are subject to extensive obligations regarding the provision of data to the users of these products. Data holders must comply with extensive information obligations towards users of connected products and related services before concluding a purchase, rental, or other usage contract. They must inform users in detail about the data generated and stored by the product, how long these data are retained, and how users can access them. Additionally, they must inform users about potential data recipients and the conditions of possible data sharing (Article 3(2) and (3)).

Besides this transparency obligation, the Data Act also secures a direct access right for users to the data generated and stored by the connected product. Data holders must enable direct data access from the connected product, as far as technically possible and reasonable. Otherwise, they are obliged to provide the data promptly, easily, securely, free of charge, in a comprehensive, commonly used, and machine-readable format, and in real-time (Article 4(1)). The Data Act also regulates the conditions under which data sharing may occur. Data holders may only use the data generated by the product for their own purposes or share it with third parties if the user contractually agrees. This particularly concerns non-personal data, while personal data remains subject to the GDPR (Article 4(13) and (14)).

To protect sensitive business information, data holders can refuse access to certain data if their disclosure would cause significant economic damage or endanger trade secrets. However, these protective measures must not be misused to unlawfully restrict the user's legally guaranteed data access (Article 4(6)-(9)). Finally, the Data Act also includes restrictions on the use of the received data by the user. Users may not use the data to develop a competing connected product or to infer the economic trade secrets of the data holder. This is to prevent the data access provided by the Data Act from leading to competitive disadvantages for the original manufacturer (Article 4(10)).

b) Obligations of data recipients towards users

Data recipients are third parties to whom a user grants access to certain data, or with whom the data holder shares data at the user's request (Article 2(14)). Their obligations are governed primarily by Articles 5 and 6. The Data Act grants users not only their own access rights to the data generated by their connected product but also the right to request that these data be shared with third parties. At the user's request, the data holder is obliged to transmit certain data directly to a third party designated by the user. This access must be provided promptly and, as far as technically feasible, in real-time (Article 5(1)).

The contractual relationship between the data recipient and the user is subject to specific regulations of the Data Act (Article 6). Data recipients may only use the received data for the purposes agreed with the user. Sharing with further third parties is only permissible if the user has explicitly agreed. Additionally, Article 6(2)(h) obliges data recipients not to prevent consumers from sharing the data they receive with other parties, even through contractual restrictions. This is to prevent companies from gaining exclusive control over data and unduly restricting users in their data sharing.

Special care must be taken when handling personal data. Data recipients must ensure that the processing of these data is exclusively in accordance with the GDPR. This means, in particular, that there must be a lawful basis for the processing. The provisions of the Data Act do not exempt companies from their obligations under data protection law but rather complement and specify the requirements in the context of data sharing (Article 5(7)).

2. Obligations among each other

In addition to the obligations towards users of connected products, the Data Act also regulates the obligations of data holders and data recipients towards each other. Article 8 obliges data holders to grant data access to data recipients on a fair, reasonable, and non-discriminatory basis ("FRAND" principle). This means that access to the data must be provided under transparent conditions and without excessive or unreasonable restrictions. Companies must not demand unfair business conditions or excessive prices to make access to economically relevant data difficult or to disadvantage certain market participants. The pricing for data access is subject to Article 9. Data holders may only demand reasonable compensation for providing the data, which must be based on the actual costs of provision. Disproportionate or abusive price demands are not permissible. Micro, small, and medium-sized enterprises (SMEs) are particularly protected under Article 9(3), as no fees may be charged for data access.

Technical protection measures and security precautions to maintain the integrity and confidentiality of the data are regulated in Article 11. Data holders may (and must) use technical measures to protect access to the data, but only to the extent that these measures do not aim to hinder or delay legitimate access by data recipients. Data recipients are also obliged to process the received data in compliance with applicable security standards and to protect it from unauthorized access.

3. Contract formation

Another central requirement of the Data Act is the creation of fair and transparent contractual relationships between data holders and data recipients. Article 13 contains regulations to prevent abusive contractual clauses in data access agreements in the B2B sector, which complement the existing regulations of §§ 305 ff. BGB. The aim is to avoid imbalances that could lead to smaller market participants being disadvantaged by unilaterally imposed conditions. According to Article 13(1), contractual clauses are invalid if they create a significant imbalance to the detriment of one party. This particularly concerns cases where an economically stronger contracting party imposes unilaterally disadvantageous conditions on a smaller or medium-sized enterprise. Article 13(4) provides specific examples of contractual terms. These include, in particular, provisions that allow one party to unilaterally change the terms without the other party's consent or clauses that impose excessive liability without providing corresponding consideration. Clauses that prevent the data recipient from reusing the received data under fair conditions can also fall under the abuse prohibition.

The regulations in Article 13 are particularly relevant for companies involved in data licensing agreements or data trading agreements. They contribute to creating fair competition conditions by preventing individual market participants from abusing their economic power through non-transparent or unilateral contract formation.

4. Data processing services

The Data Act also imposes new obligations on providers of data processing services. Customers should have the freedom to switch their cloud or data processing services without excessive hurdles. Article 23 obliges providers to facilitate the switch between services technically by ensuring interoperability and standardized interfaces. They must also provide support during a specified transition period to ensure a smooth switch. Additionally, unreasonable switching fees are to be prohibited in the future. While costs for the actual service or necessary technical measures are allowed, excessive or hidden fees that effectively bind customers to a provider are to be prevented. From 2027 at the latest (Article 29), switching should be completely free for users.

III. Sanctions

The Data Act provides for significant fines for violations. The maximum amount of sanctions is aligned with the General Data Protection Regulation (GDPR) and can amount to up to 20 million euros or 4% of a company's worldwide annual turnover. The exact determination of the fine regulations is the responsibility of the individual EU member states. According to Article 40(3) of the Data Act, the following factors should be considered when determining the fine amount: the nature, gravity, scale, and duration of the violation; measures taken to mitigate or remedy the damage caused by the violation; previous violations; financial gains or losses caused by the violation; and other aggravating or mitigating circumstances of the individual case. The intended sanctions should be effective, proportionate, and dissuasive. The goal is to create a strong incentive for companies to comply with the Data Act and ensure a fair data market in the EU.

IV. Economic opportunities for companies

In addition to new obligations, the Data Act also offers significant economic opportunities for companies. By facilitating access to industrial and IoT data and enabling new data-driven business models, companies that use data as a commodity or as a basis for innovative digital services can particularly benefit. A key advantage of the Data Act lies in creating a fair and competitive data market. Data that previously remained in closed systems is now accessible, promoting data-based innovations and new business models. Data intermediaries could establish themselves as new market players by operating data platforms, pooling data, and providing companies with structured access to valuable information.

However, the Data Act also presents challenges. The economic value of data remains a contentious issue. While the Data Act provides clear guidelines on the fairness and proportionality of fees for data access (Article 9), the question of actual data monetization remains complex.

V. Recommendations for affected stakeholders

To meet the requirements of the Data Act and optimally leverage the resulting opportunities, companies should take early action. The following summary of measures should provide initial guidance for the various stakeholders in the data-based economy:

  • Manufacturers of connected products: Ensure comprehensive compliance with legal information obligations by clearly informing users before purchase about the data generated and stored by the product. Enable direct data access, either through the product itself or, if technically not feasible, by providing it promptly, securely, and free of charge in a machine-readable format.
  • Providers of data processing services: Ensure the interoperability of their systems to facilitate switching between different services. This also requires the implementation of standardized interfaces. From 2027, they must offer users the ability to switch free of charge.
  • Data holders: Create transparency about the data they store and process by providing information and granting users direct access to these data. The use and sharing of data are generally only permissible with the user's consent. Ensure that access can be refused if disclosure could cause significant economic damage.
  • Data recipients: Use user data exclusively for the contractually agreed purposes. Sharing with further third parties is only allowed with the user's explicit consent. Do not prevent users from sharing the received data with other parties, even through contractual restrictions. Comply with GDPR requirements when processing personal data.

VI. Conclusion

The Data Act is an important step towards a unified and fair data market in the EU. Companies now face the challenge of adapting their processes to the new regulations, particularly regarding data access obligations, contract formation, and interoperability requirements. While the regulation facilitates access to valuable IoT and industrial data and creates new business opportunities, companies must also ensure that their contract structures, pricing models, and technical infrastructures comply with the new requirements. The transition period until September 2025 offers the opportunity to strategically prepare for the upcoming changes and take early compliance measures. It will be particularly important to analyze existing data structures, clarify internal responsibilities, and review contracts with business partners to avoid risks associated with abusive contractual clauses or unreasonable fee demands.
