New rights and obligations related to “connected products” and online services becoming applicable as of September.
What is it about?
The EU Data Act ((EU) 2023/2854) (“Data Act”) entered into force on January 11th 2024 with applicability as of September 2025. Together with the Data Governance Act and the significantly more well-known General Data Protection Regulation (“GDPR”), the Data Act is one of the key pillars of the “European Data Strategy”. The Data Act provides for new rights for both businesses and consumers to access data they generate using “connected products”.
A “connected product” means, in the context of the Data Act, “an item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user”. In other words, this means your technical devices with an online connection that collect, store and share (whether you are aware of it or not) data that is generated by your use of said device.
This type of data, which may or may not include personal data, has previously been somewhat of a grey area with respect to the GDPR, and it has been notoriously difficult for users to gain access to this data, or even understand WHAT data is being generated and HOW it is being used. The Data Act aims to address this and to promote sharing and innovation by allowing such data to be more easily shared between devices and service providers.
How does it affect your business?
The Data Act grants both businesses and consumers the right to access, use and share data generated through their use of connected products. I’m currently working on an assignment within the car industry and, as an example, the Data Act becomes relevant in relation to connected vehicle data. Cars today collect, store and use massive amounts of user and vehicle data, for example location data, data about your vehicle’s health and need for service, data about incidents your vehicle is involved in and much more. Under the Data Act, “Data Holders”, in this example the manufacturer of the vehicles, who controls the data, must ensure that the connected data is made available upon request, either directly to the user or to a third party designated by the user. This means that the vehicle itself and all its supporting systems must be designed to support this data access and sharing.
It is easy to see that complying with the Data Act can be challenging, depending on the level of preparedness by the organization and the connected products. And importantly, the Data Act goes above and beyond any requirements already imposed by the GDPR.
No more “unfair contract terms”
Another key provision imposed by the Data Act aimed at promoting the fair and unbiased sharing of connected data is the prohibition of unfair contract terms. It is not uncommon for companies with a strong market position and holding massive bargaining power to impose contract terms that could be seen as unfair or skewed in relation to weaker parties such as partners or consumers. Even though determining what constitutes “unfair” contract terms is far from straightforward and clear, businesses should continuously and proactively review their terms and conditions to at least remove terms that could objectively be seen as blatantly and obviously unfair. More guidance is however needed in this respect and the Data Act imposes an obligation on the Commission to develop and introduce model clauses to help businesses comply with this obligation.
Other requirements
The Data Act furthermore introduces obligations for cloud service providers, including infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and software-as-a-service (SaaS) companies operating within the EU or offering services to EU customers, to simplify the process for users to switch providers. Finally, the Data Act introduces provisions to protect non-personal data held within the EU from access requests by third country governments. This means that entities such as cloud service providers, data intermediaries and businesses offering digital products and services will need to assess whether a foreign access request aligns with EU law and may need to challenge such requests if they are unlawful under the Data Act.
Fines
All of us familiar with the GDPR will recognize the fine and sanction mechanisms imposed by the Data Act, i.e., up to €20 million or 4% of global annual turnover, whichever is higher.
What you can do:
- Identify and map out all the processing of connected data. Your Registry of Processings mandated under the GDPR (which surely you already have in place…?) is a good place to start.
- Make sure your connected products are ready to enable data sharing as required under the Data Act. If not, assess what you need to do to modify them.
- Map out the contractual landscape, i.e. who controls the connected data, who has access to it and what contractual terms and provisions we have in place (and are they “fair”?).
- Prepare your organization for dealing with these “new” types of requests. This might be a good opportunity to revise the (often dormant) GDPR governance structures and processes.
- Stay updated on the evolving nature of this legislation.

