As well as the EU’s AI Act and the UK’s Data Use and
Access Act, tech businesses also need to be aware of another piece
of legislation that is coming down the line: Regulation (EU) 2023/2854, otherwise known as
the Data Act. It aims to create a single market for data, where
data can flow freely across borders and sectors, and where data
holders and users can benefit from fair and transparent conditions
for data access and use. It complements the Data Governance Act,
which establishes the legal framework and mechanisms for data
governance and data intermediaries.
The Data Act comes into force from 12 September 2025, and
applies to companies operating and managing connected products or
related services in the EU, even if they are not based in the EU.
So please keep reading if you are based in the UK and dealing with
users in the EU.
What does the Regulation do?
The Data Act is divided into Chapters and deals with the
following broad issues:
- Data access and data sharing and informing users about their rights to obtain data
- A ban on unfair contract terms in data-sharing agreements entered into from 12 September 2025 and requiring fair, reasonable and non-discriminatory (FRAND) terms for data sharing arrangements
- Making data available to EU and public sector bodies in case of exceptional need
- Switching between data processing services (and removing certain fees to do so)
- Transfer of non-personal data and unlawful international government access
- Changes to the Database Directive.
Enforcement
Member states will be responsible for appointing a regulator in
their respective territories to handle complaints and take
responsibility for enforcement action. Member states will set
penalties, so there will be variation between Member states. Some
countries have appointed regulators or issued draft legislation
with the intention of doing so, but currently we don’t know
what the penalties are likely to be at a Member state level. The
Netherlands has set its maximum fine at €1,030,000 or 10%
of EU-wide annual turnover, whichever is higher, but it remains to
be seen where other Member states will end up. That said, should
the breach be of Chapters II (B2B and B2C data sharing), III
(obligations to make data available) or V (to make data available
to public sector and certain Union bodies) then the maximum fines
are in line with GDPR, i.e. up to €20 million or 4% of global
annual turnover, whichever is higher. The European Commission will
also be involved and has set up the European Data Innovation Board,
an expert group which facilitates cooperation between competent
authorities and promotes best practices and common approaches in
enforcement.
What should I do?
The first thing is to consider if you come within the scope of
the Data Act. If you do, any connected products going on sale in
the EU from September 2026 need to be designed with the Act’s
requirements in mind. Data needs to be accessible to users.
It’s also wise to review your contracts to make sure that they
don’t contain unfair terms. Finally, we’d suggest that you
review your business processes to ensure that you can receive and
deal with requests for data efficiently. Other changes, for example
affecting switching fees, come into effect from 2027.
We’ll be writing about the various aspects of the Act in the
coming weeks as there are many complexities, but do contact us if
you need more help. In the meantime, the European Commission has
published FAQs here.
What about the UK?
In late July, the Department for Science, Innovation and
Technology called for evidence about how to introduce a Smart Data
scheme in digital markets, using new powers under the Data (Use and
Access) Act 2025. As noted in the UK government’s Industrial Strategy, data is key for economic
growth but is often too underused, siloed and fragmented for
businesses and the public to reap the benefits. As part of its work
to improve access to data for innovators and businesses, the
government is assessing whether the new Smart Data powers
introduced by the Data (Use and Access) Act 2025 should be applied
to support use cases in digital markets. This includes exploring
viable use cases, the design features required to deliver a
successful scheme, and the potential impacts on customers,
businesses, and the wider economy.