Written by: Haim Ravia, Dotan Hammer, Or Cohen
The EU Data Act will come into effect on September 12, 2025. Not to be confused with the unrelated General Data Protection Regulation (GDPR), the EU Data Act governs the fair distribution, sharing, and mobility of data collected by any network-connected products and related services. It applies to any kind of data, not only personal data.
Definitions and Application
The Act applies to connected products distributed in the EU market, capable of obtaining, generating, or collecting and communicating data. The Act applies to data holders: the manufacturers of connected products and providers of related services crucial to the products’ proper functioning. It applies to any users that own a connected product or receive related services, and to data processing service providers, including IaaS, PaaS, and SaaS.
‘Data’ is defined broadly as “any digital representation of acts, facts or information”. It includes personal data, data about the performance of the connected product, usage, and environmental data.
Introduction of Direct Access and User Data Rights
The Act introduces new requirements and user rights for connected products, with the overarching objective of data mobility.
- Right to direct or indirect access. Users must have direct access, granted by default, to data, including the relevant metadata, where relevant and technically feasible. Wherever it is not feasible, users must be able to submit a simple request to access data.
- Right to use. Data can be used for any lawful purpose including reverse engineering. Data cannot be used to develop a competing connected product but can be used to develop competing related services.
- Right to share. Data holders must comply with user requests to share data with third parties, including aftermarket service competitors. This right applies only to medium-sized and large enterprises.
- Right to migrate. Manufacturers and their products must allow users to switch between data processing services, remove organizational, contractual, and technical obstacles, move to an on-prem setup, and delete data.
Trade Secret – Safety and Security Handbrake
Users and data holders can agree to restrict or refuse to share data if there is a risk that the security of the connected product could be undermined, resulting in serious adverse effects to health, safety, or security.
Data holders may also identify data trade secrets and agree on the necessary measures to preserve their confidentiality. The data holder may withhold or suspend the sharing of trade secrets only if there is no agreement in place to preserve confidentiality, if the agreed confidentiality-preserving measures are not implemented, or if the confidentiality of the trade secrets is undermined. Only when it is highly likely that serious economic damage will result from such disclosure, the data holder may refuse to share trade secrets.
Unfair Contractual Terms Unilaterally Imposed on Another Enterprise
Unfair contractual terms concerning either the access and use of data, or liability and remedies relating to data, will not be binding. Excessive contractual terms are considered unfair if they are obtained by abusing a stronger bargaining position. These include limiting liability for intentional acts or gross negligence, excluding remedies, and terminating the contract with short notice.
New Contractual Terms
Manufacturers, sellers, and renters of connected devices must notify users of the type, format, and estimated volume of generated product data, the product’s ability to generate data, data location, data retention period, and user rights.
Providers of related services must notify users regarding the nature, estimated volume, and collection frequency of product data, the nature and estimated volume of related service data to be generated, the details of the data holder or other third parties using the data, user rights, and the identities of trade secret holders.
Service providers must implement measures to support effective service-switching. They must notify users through their contract about the procedures for switching to another service, data porting, restrictions, technical limitations, and details of the data structure and formats. Service providers must also maintain on their website information about the jurisdiction applicable to their infrastructure, measures taken to prevent data transfers outside the EU, unauthorized governmental access, and terminations fees.
Data Security Safeguards and Interoperability
Service providers must implement measures to prevent cross-border and third-country governmental access or transfer of data unless facilitated by an international agreement or if ordered by the courts of a third country, provided that the country’s legal system is fair and transparent. Customers must be informed when such a transfer occurs.
Data holders must meet interoperability requirements for data sharing, to combat “vendor lock-in” and promote competition by facilitating simpler service switching and simultaneous use of multiple vendors.
Enforcement
EU Member states will define penalties and designate competent national authorities by September 2025.
Implementation Schedule
The Act will take effect on September 12, 2025. Direct access rights will apply to connected products and the services related to them placed on the market after 12 September 2026.
The new Act introduces new rights and obligations applicable to business activities not previously regulated. Organizations should review and prepare for these new obligations in the European market. We are happy to assist.
Haim Ravia, Adv. HRavia@pearlcohen.com, Dotan Hammer, Adv. DHammer@pearlcohen.com, , Or Cohen, Adv. OCohen@pearlcohen.com
Cyber, Privacy, and Copyright Practice Group
Disclaimer: This update is not intended to exhaust all aspects of the Act. Its purpose is general information only. It should not be relied upon as legal advice.
