What is it?
The EU Data Act is a significant step forward in the European Union’s mission to regulate access to and use of data, by pushing for improved transparency and portability for businesses that rely on data services.
The Act applies to two main data services:
In each case, the requirements are imposed on the provider of the product / service and aimed at improving the user’s ability to access their data, provide the data to third parties for the purpose of supporting the user, and to switch services, so the user is not dependent on the original provider. The expectation is that this will improve data portability, increase competition, and benefit service users.
When does it come into force and who does it affect?
The Act has been approved and came into force on 11 January 2024, though most requirements do not come into effect until 12 September 2025 or later, giving businesses time to implement the required changes.
Unlike the General Data Protection Regulation (GDPR), the EU Data Act applies to both personal data and non-personal data.
This is a European Union law and applies to products and services provided to users within the European Union. Like the GDPR, this means that it will apply to businesses located outside of the EU, to the extent that they operate and supply goods and services within the EU.
Below, we highlight the key requirements being implemented for each service type.
1. Connected Products
User’s right of access:
If the data is not directly accessible through a connected product or related service, providers will be required to make the data available to the user “without undue delay”. This data, including any relevant metadata necessary to interpret and use the data, must be of the same quality as that available to the provider, and provided easily, securely, free of charge, and in a comprehensive, structured, commonly used and machine-readable format.
The data should be accessible via a simple request through electronic means where technically feasible. Contractual restrictions on accessing, using or further sharing data may be agreed but only if such processing could undermine security requirements of the connected product imposed by law.
There are limited abilities for the provider to restrict the use or resist the disclosure of certain data, where it can demonstrate that it is necessary to protect the confidentiality of trade secrets.
Right to give access to third parties:
The user also has rights to require this data to be shared with third parties, subject to similar requirements and limitations as those applied to direct sharing with the user. These third parties may only access and process the data for the purposes agreed with the user, and must delete the data when no longer required for those purposes.
Exclusions:
The requirements in relation to connected products do not apply to those manufactured or designed by, or related services provided by, a microenterprise or small enterprise (provided they’re not partnered with or subcontracted by an entity that does not qualify as a microenterprise or small enterprise).
The exclusion also applies to any entity that has qualified as a medium-sized enterprise for less than one year, to their connected products for one year after the date on which they were placed on the market.
No derogation:
It is not possible to agree contractual derogations from the legal requirements. Any contractual term that excludes, derogates from or varies the user’s rights, to the detriment of the user, will not be binding on the user.
2. Data Processing Services
Definition of ‘data processing service’:
The Act defines a ‘data processing service’ as “a digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction.” It is likely that guidance will follow on the practical boundaries of this wordy definition prior to the requirements coming into force.
User right to switch services:
The main purpose of the new law is to enable customers to switch to the same/similar service provided by another provider, or to on-premises ICT infrastructure, or to use several providers at the same time.
Providers must not impose any legal, technical or commercial obstacles to the customer having the ability to terminate and switch, port the exportable data and digital assets, and/or unbundle some services from the others provided by the same provider.
Minimum contract requirements:
The Act requires that data processing service contracts meet certain minimum requirements, and include the provision of certain information to the customer, so the customer is fully aware of its rights.
The minimum contract requirements include:
It is expected that the European Union will publish recommended standard clauses prior to the requirements coming into effect.
In terms of informational requirements, the provider must give the customer (i) information about the available procedures for switching and porting data, including the methods, formats, restrictions and technical limitations; and (ii) an up-to-date register of the data processing services, with details of the data structures and formats as well as relevant standard and interoperability specifications.
Restrictions on switching charges:
From 12 January 2027, providers will not be able to impose any switching charges on the customer; between 11 January 2024 and 12 January 2027, providers may impose reduced switching charges.
These charges must not exceed the costs actually incurred by the provider for the switching process. Providers must provide prospective customers with clear information on their service fees, early termination penalties, and switching charges. They must also provide information on any services that involve highly complex or costly switching or for which it is impossible to switch without significant interference in the data, digital assets or service architecture.
3. Implementation and Enforcement
The laws summarised above will apply from 12 September 2025, subject to the following specific implementation dates:
Each EU Member State is left to designate one or more competent authorities for application and enforcement of the laws. Companies will be subject to the jurisdiction of the Member State where it has its main establishment; companies offering services in the EU that are not established in the EU must designate a legal representative in one of the Member States. Administrative fines that can be issued under this law are the same as those permitted under the GDPR.
Contact us
If you'd like any advice on data regulations or other commercial law, please contact us on info@roxburghmilkins.com.