EU Data Act: What you need to know
Data protection is of significant concern worldwide. Governments are increasingly aware of the need to protect both personal and non-personal data and ensure privacy for their citizens. This has led to the development of various data protection laws and regulations aimed at safeguarding sensitive information across the globe. Some of these legislative changes will affect businesses in the UK, most notably, the EU Data Act.
What is the EU Data Act?
The EU Data Act (the ‘Act’) will govern how data obtained from connected products is used, stored and protected within the European Union. Its main focus will be on data management, ensuring data produced by connected products is regulated.
A ‘connected product’ for the purposes of the Act is any item that obtains, generates or collects data concerning its use or environment and is able to communicate that data via electronic communications, physical connections or on-device access. Such products are commonly referred to as the Internet of Things (IoT) and include fitness trackers, smart speakers and other smart home devices.
Who does the Act apply to?
The Act has an extraterritorial effect. This means it applies to businesses outside of the EU that use and have access to data belonging to EU citizens. This is not the first time that EU data regulations have had this effect, as the EU GDPR also applies extraterritorially in relation to the processing of personal data. Under the Act, if a manufacturer produces a ‘connected product’ which is subsequently placed on the open market within the EU, it will need to comply with the relevant provisions of the Act in order to avoid potentially hefty fines and penalties.
How is the Act different to the GDPR?
The GDPR applies to the processing of personal data, rather than non-personal data. If an organisation processes personal data, it must continue to comply with its obligations under the GDPR, in addition to ensuring compliance with the Act (for connected products).
Data Access and Sharing Requirements
The Act imposes obligations on data holders to have a contract with the user of a connected product. This contract will govern the rights regarding the use and sharing of data that is generated by the connected product. The Act also requires that connected products are manufactured in such a way as to give the user of a connected product access to the metadata and related service data generated by the product. This will ensure that users of products within the EU have unfettered access to their data at all times.
Users are also given the power to share their own data, which has been created by the connected product, with third parties. In these circumstances, the data holder must make the data available to the data user on fair terms. Although this is undoubtedly a benefit to the user, a business may face additional costs when making the data available.
The Act provides conditions under which data can be shared between businesses and governments. This must only be used to enable data sharing for legitimate purposes and to protect user privacy and is limited to circumstances which are ‘strictly necessary’.
Fair Contractual Terms
The Act emphasises fairness in contractual terms. It requires that contracts between businesses and users be fair, transparent and balanced. The key focus is that the contract is made in ‘good faith’, in line with what is considered good commercial practice in data access and use. If a clause in a contract has not been individually negotiated, and it is deemed to disproportionately favour one party over the other, then it will automatically be considered unfair and will not be binding on either party.
The Act ensures that data holders may use the data generated by a connected product for any reason they require, provided that it has been agreed between the data holder and data user. There is a need to obtain explicit consent of the data user to use the data for any other purpose that is beyond the original intent of the contract.
Switching Providers
The Act intends to make the transfer of data from one cloud service provider to another simpler and more efficient. The intention is to reduce a data user’s dependency on one particular provider and remove any contractual barriers when switching.
For business users, this could have a lot of benefits. From reduced switching costs, to increasing competition in the cloud-based industry, the Act could provide businesses with more options and flexibility.
When does the EU Data Act come into force?
The Act came into force on 12 September 2025. Businesses operating within the EU or handling data of EU citizens must comply with the Act from this date, although the requirements for data access by design do not come into force until September 2026.
Penalties for failing to comply
Non-compliance with the Act could make you subject to the local sanctions regime of the relevant EU member state. Where personal data is involved, you could face GDPR-level fines of €20m or 4% of global turnover.
Additionally, non-compliance with the access rules could lead to civil claims and reputational risks.
Next steps for businesses operating in Europe
Businesses operating in Europe or handling data of EU citizens should take several steps to comply with the Act:
- Conduct data protection impact assessments to evaluate how data processing activities impact the privacy of individuals and identify measures to mitigate risks.
- Update privacy policies to ensure that such policies are transparent and clearly outline how data is collected, used and shared.
- Ensure the transfer of data from one service provider to another is without undue obstacles.
- Provide training to employees on internal data protection policies and responding to data access requests.
- Review and update relevant contracts to reflect data access rights and licensing terms.
- Establish protocols for data sharing between businesses, users and governments, ensuring compliance with the new regulations.
Should you require any advice on your obligations under the Act, please get in touch with a member of our Commercial team below.