EU Data Act: New Rules on Data Sharing and Portability of Cloud Services Now in Force

The EU Data Act came into force on January 11, 2024. The Data Act is part of the European Commission’s data strategy released in February 2020 and obliges manufacturers of connected products to make use-related data available in certain circumstances. It also requires providers of data processing services (such as cloud services) to facilitate customers switching to a different provider, for instance, by providing minimal transitional services. Most of the new rules will apply as of September 12, 2025.

Connected products and extraterritoriality

Under the Data Act, connected products comprise products that obtain, generate or collect data concerning their use or environment, and that are able to communicate this data via electronic communications, physical connection or on-device access (such as IoT devices, e.g., connected home devices, medical devices or vehicles).

Obligations under the Data Act will mostly fall upon manufacturers of connected products placed on the EU market and providers of related services, irrespective of their place of establishment. Such companies – except micro, small or medium-sized enterprises – will be required to make use-generated data accessible to the user and to third-parties of the user’s choice.

Key Impacts for In-Scope Businesses

The Data Act will impact manufacturers of connected products and providers of data processing services (including cloud services) with the key obligations below:

Obligations for Manufacturers of Connected Products Placed on the EU Market

• Design the product or service in a way that the use-generated data is easily accessible to the user;
• Provide information to the user about the data to be generated by the use of the product or service and how this may be accessed, retrieved or erased, prior to entering the contract with them;
• Upon request of the user, provide the use-generated data to the user or to a third-party, if the data is not directly accessible from the product or related service;
• Provide the data to the third-party chosen by the user under fair, reasonable, transparent and non-discriminatory terms, to be formalized in a contract. The Data Act prohibits businesses from unilaterally imposing on other businesses “unfair” contractual terms concerning access and use of data¹. Such provisions also apply when a company is required to make data available to another company under EU or Member State law.
• Manufacturers or providers of related services may, on a case-by-case basis, refuse the sharing of specific data identified as trade secrets.² The refusal to share data may occur only in exceptional circumstances, where they are highly likely to suffer serious economic damage from the disclosure despite the technical and organisational measures taken by the user. The refusal must be based on objective elements (including the nature and level of confidentiality of the data at hand), duly substantiated and provided in writing to the user, and also notified to the national competent authority.
• Manufacturers or providers of related services may apply appropriate technical protection measures, including smart contracts and encryption, to prevent unauthorised access to the data. However, smart contracts used to automate data-sharing are subject to certain requirements such as safe termination and interruption.
• Users and third-parties are forbidden from using the data to develop products that compete with the product from which the data is generated and from using the use-generated data to derive insights about the economic situation, assets and production methods of the manufacturer. Third-parties are only allowed to use the data for the purposes and under the conditions agreed with the user.
• Legal persons may be required to share data they hold with public sector bodies in exceptional circumstances, such as public emergencies, where the data could not be otherwise obtained by the public sector body in a timely and effective manner.

Obligations for Providers of Data Processing Services, Including Cloud Services

• Facilitate customers switching to other providers of the same service type, which includes refraining from imposing commercial, technical, contractual or organisational obstacles to a change of provider. In practice, this means that cloud providers will be required to provide certain minimum transitional services to customers which will be subject to limitations on charges which the providers can charge for their assistance. Such obligations will not apply where the main features of the service have been built to accommodate specific needs of an individual customer. These obligations have extraterritorial applications and apply to providers of data processing services, irrespective of their place of establishment, who provide service to customers in the EU.
• Take adequate technical, legal and organisational measures to prevent international and third-country governmental access and transfer of non-personal data held in the EU, if such transfer or access is illegal under EU or Member State law.

Fines

Member States shall lay down rules on penalties applicable to infringements of the Data Act. Fines shall be effective, proportionate and dissuasive. Data protection authorities may impose fines within their scope of competence as provided for in the GDPR (up to EUR 20 million or 4% of the total worldwide turnover of an entity for the preceding financial year, whichever is higher).

Next Steps

Most obligations under the Data Act will apply as of September 12, 2025. Obligations relating to the design and manufacturing of connected products will apply to the products and connected services placed on the market after September 12, 2026.

What Businesses Should Be Doing Now

Manufacturers of connected products and providers of related services are advised to critically assess their practices around providing data to users in view of the requirements of the Data Act and prepare a roadmap for implementation of compliance measures.

Providers of data processing services are likewise advised to consider the need for any changes to their practices (including technical and contractual measures) around switching and transitional assistance, interoperability and governmental access and transfer of non-personal data.

Privacy rules such as the GDPR, as well as cybersecurity regulations such as sectoral rules applying to medical devices and connected vehicles, may already apply in relation to products and services within the scope of the Data Act. In addition, new cyber rules are likely to be adopted soon with regard to connected devices – see our Legal Update on the draft EU Cyber Resilience Act from October 2023.

Furthermore, it is unclear how the Data Act will interact with other recently adopted pieces of legislation, such as the Digital Markets Act (“DMA”). In particular, the DMA has its own provisions on data portability, and the Data Act prevents “gatekeepers” designated under the DMA from receiving user data. This illustrates how competition law and data-related rules are increasingly interconnected in the EU and often require a combined legal assessment.

These existing and forthcoming provisions should be taken into account when developing a compliance strategy.

¹ A contractual term is unfair if it "grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing". The Data Act lists terms which are always considered unfair (e.g., those excluding or limiting liability for intentional acts or gross negligence) and those that are presumed to be unfair.

² The Data Act relies on the definition of trade secrets in the Trade Secrets Directive (EU) 2016/943, which means that any business relying on the trade secrets exception must show that the information in question is subject to appropriate safeguards, among other things.