The EU Data Act has been in force for a year now, and the transition period until it is applicable will end on 12 September 2025. This will have major implications for a wide range of stakeholders, and will change the legal framework for data access. If your business is impacted by the EU Data Act, it is high time to ensure compliance readiness.
From a business perspective, the main addressees of the EU Data Act are manufacturers of connected products (IoT) and providers of digital services in the EU market, irrespective of where they are located; the respective “data holder”; and providers of data processing services.
There are partial exceptions for small businesses (i.e., businesses with fewer than 50 employees or less than EUR 10 million annual revenue) and for mid-size businesses (i.e., businesses with fewer than 250 employees or an annual revenue of not more than EUR 50 million).
The products and services within the scope of the EU Data Act are “connected products” and “connected services”.
A connected product is defined as a product which obtains, generates, or collects data about its use or its surroundings, and which can transmit such data electronically, physically or via an integrated access point. However, products whose main purpose is the storage, processing, or transmission of data in the name and interest of a party other than the product user are exempt.
A connected service is defined as a digital service that is either (i) connected with a connected product in such a way that the latter would not be able to fulfill one or more of its functionalities without it, or (ii) later connected to the product to augment, update or amend the product’s functionalities. However, mere electronic communications services are exempt.
Some examples of products and services in scope include connected industrial machinery, navigation systems and services, fitness trackers, and smart home appliances.
Broadly speaking, the EU Data Act requires manufacturers and providers to provide access to certain data to the users of their products, and potentially to third parties, even competitors. The EU Data Act also applies to “data holders” which may or may not be the same entities as the manufacturers and providers.
Connected products and connected services must be designed and manufactured/provided in a manner that permits the user to easily and safely access data that is generated by or during the use of the product or service free of charge, in a structured, common, and machine-readable format. Furthermore, a broad range of detailed information concerning the data collected by the product or service and access to such data must be provided.
Upon request from the user, readily accessible data must be provided to third parties free of charge and in the same quality as available to the data holder. There are provisions intended to safeguard trade secrets which may be incorporated in or deducible from the relevant data. Certain other safeguards to protect the interests of data holders, manufacturers and providers are provided for or contractually permitted.
In addition, the EU Data Act contains numerous detailed provisions concerning provider switching, cloud services, interoperability and other aspects of the data-driven economy.
Check whether the EU Data Act applies to you. If it does, take measures to ensure compliance, establish internal processes for data request handling, trade secret protection, appropriate contractual measures and GDPR compliance.
Failure to comply with the EU Data Act can result in serious financial sanctions to be determined by the member states before 12 September 2025. These will likely be similar to the fines provided for in the GDPR.
Dr. Christian Engelhardt, LL.M.
Partner
Attorney-at-Law (Rechtsanwalt)
Boris Ortolf
Director
Certified Information Systems Security Professional (CISSP), Certified Cloud Security Professional (CCSP)