EU Data Act: An Overview

The EU Data Act (Regulation (EU) 2023/2854) (“Data Act”) is an EU Regulation that is aimed at creating a competitive and innovative data market by establishing rules for fair access to and use of data. It will be a significant piece of legislation that will make more data available for use in the economy and society, and it covers both personal and non-personal data. The obligations primarily relate to ‘product data’ (which is data generated by the use of a connected product) and ‘related service data’.

As a key pillar of the EU’s Data Strategy, the Data Act is expected to make a significant contribution to the EU’s objective of advancing digital transformation. The Data Act entered into force on 11 January 2024 and most of its provisions will apply from 12 September 2025.

Who does the Data Act apply to?

The Data Act is a sector-neutral piece of legislation that imposes rights and obligations on various participants of the data ecosystem, namely:

  • Manufacturers of connected products (e.g. smart home appliances, medical devices, connected cars and agricultural and industrial machinery) placed on the EU market and providers of related services (e.g. an app that controls the connected product);
  • Businesses and individual users of connected products or related services in the EU;
  • Data holders that make data available to data recipients in the EU;
  • Data recipients in the EU;
  • Public sector bodies in the EU with certain exceptional needs;
  • Providers of data processing services to customers in the EU (e.g. SaaS and IaaS providers);
  • Participants of European data spaces; and
  • Vendors of applications using smart contracts and those who deploy smart contracts for others as part of their business in the context of executing an agreement.

Key rights and obligations

One of the main purposes of the Data Act is to establish rules setting out who can access and use data generated by connected products and related services in the EU. Some of the key rights and obligations include:

1. Business-to-Consumer (B2C) and Business-to-Business (B2B) Data Access and Sharing

Some of the key provisions that apply under Chapters II and III of the Data Act concern B2C and B2B data access and sharing requirements, which include:

  • Default design requirements for Data Access - Connected products and related services must be designed and manufactured in such a manner that users (consumers as well as business users) have free and easy access to the product data and related service data (as well as the metadata) generated by such products or related services.
  • Data holders shall make data accessible to users - Where data cannot be directly accessed by the user from the connected product or related service, the Data Act requires data holders to make the data accessible or share the data with the user, upon request and without undue delay, in a common and machine-readable format, free of charge and, where relevant and feasible, continuously and in real-time.
  • Data holders shall make data available to a third party – Upon request from a user, data holders must make the data (as well as the metadata) readily available to a third party (e.g. a competitor providing repairs) without undue delay, to the same quality, and in a common and machine-readable format, free of charge and, where relevant and feasible, continuously and in real-time. Data holders can look to be compensated for third party access, however, it must do so on ‘fair, reasonable and non-discriminatory’ (FRAND) terms and in a transparent manner.

2. Unfair Contract Terms in Standard Enterprise Contracts

A contractual term concerning the access to and use of data (or liabilities and remedies for breach or termination of data-related obligations) which has been included in a standard contract entered into between enterprises, that has not been individually negotiated, shall not be binding where it is considered to be an ‘unfair’ term for the purposes of the Data Act.

A contractual term shall be regarded as ‘unfair’ where it “is of such a nature that it grossly deviates from good commercial practice in data access and use and is contrary to good faith and dealing”. An example of an unfair term is one which excludes or limits liability for intentional acts or gross negligence. Irish consumer law prohibits unfair contract terms in B2C contracts, but this will be the first time that a similar prohibition applies to B2B contracts.

3. Making Data available to Public Sector Bodies based on ‘Exceptional Need’

If a public sector body can demonstrate an ‘exceptional need’ to require access to certain data (including the metadata) to carry out its statutory duties in the public interest, data holders must make that data available to the requesting public sector body. One such ‘exceptional need’ is to respond to a public emergency. If the data is required to respond to a public emergency, the data holder shall provide it free of charge and without delay.

In other exceptional circumstances, unrelated to a public emergency, a public sector body may request non-personal data to deal with a specific task which is to be carried out in the public interest and that has been explicitly provided for by law. However, the public sector body must prove that it is unable to access this required data through other means. In this scenario, the data holder is, in most cases, entitled to ‘fair compensation’ which covers the technical and organisational costs of complying with the request and a reasonable margin. 

4. Sharing between Data Processing Services (or ‘Cloud Switching’)

Providers of data processing services (e.g. cloud and edge providers) will be required to make it easier for customers (both in a B2B and B2C context) to switch from one cloud provider to another or to an on-premise solution or use several cloud providers at the same time. Some notable aspects include:

  • Removal of obstacles - Providers shall not impose (and shall remove, if they exist) obstacles that inhibit: (i) termination of services; (ii) entering into new contracts with new providers for the same type of service; (iii) porting the customer’s exportable data and digital assets to a new provider or on-premise solution; and (iv) unbundling data processing services from one another.
  • Contract – There must be a written contract setting out the rights of the customer and the provider’s obligations with respect to switching. That contract must be made available to the customer prior to signing and in such a way that allows the customer to store and reproduce the contract. The Data Act requires that certain provisions are included in the contract, including:
    • The right for the customer, on request, to switch service without undue delay and, in any event, within the mandatory maximum transitional period of 30 calendar days. Where that transitional period is technically unfeasible, it can be extended. The alternative transitional period must not, however, exceed seven (7) months;
    • An obligation on the provider to support the customer’s exit strategy, including by providing it with all relevant information;
    • A clause specifying that termination of the contract shall occur: (i) upon the successful completion of the switching process; or (ii) at the end of the maximum notice period for initiating the switching process, which shall not exceed two (2) months; and
    • The minimum period for data retrieval on termination (which shall be at least thirty (30) days).
  • Switching charges – Switching charges are to be phased out and shall no longer apply after 12 January 2027.

5. Providing Safeguards for International Government Access and Transfers of Non-Personal Data

Providers of data processing services are required to take “all adequate technical, organisational and legal measures” in order to prevent international governmental access to, or transfer of, non-personal data held in the EU where such access or transfer would conflict with EU or Member State law (e.g. national security).

Where a decision or judgment of a court or tribunal of a third country requires such data, it must only be disclosed under an international agreement or if certain conditions are met. Such conditions include where: (i) a third-country system requires that reasons and proportionality of a decision or judgment be set out and be specific in character; (ii) a reasoned objection of the addressee shall be judicially reviewed; and (iii) account is taken of the relevant legal interests of the provider.

These transfer restrictions are not entirely unfamiliar territory given Chapter V of the GDPR imposes transfer restrictions on personal data outside the EEA. It will be interesting to see how organisations navigate both regimes.

6. European Data Spaces

European data spaces facilitate the pooling and sharing of data in strategic sectors (e.g. mobility, health, energy and finance etc). Participants in data spaces are required to comply with several essential requirements to allow data to flow within and between the data spaces.  For example, a description of the data structures, data formats and vocabularies, where available, should be publicly accessible.

Data Bill

The EU Data Act, as an EU regulation, will be directly applicable throughout all EU Member States. It will, however, be supplemented by national legislation. In this regard, the Government’s Summer Legislative 2025 Programme notes that heads of bill are in preparation for a ‘Data Bill’. The purpose of the Data Bill is stated, as follows: “to support innovation and economic growth. It creates a harmonised framework on fair access and use of data and clarifies who can create value from data and under which conditions”. The Programme also notes that the Data Bill, if enacted, will designate the National Competent Authorities responsible for implementing and enforcing the Data Act. We are currently at a very early stage of the legislative process and several steps away from enacted legislation.

For further information on the Data Act, please contact the key contacts below or your usual contact at McCann FitzGerald LLP.

Also contributed to by Gabrielle Wall

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.

Key Contacts