The Data Act (EU) is a regulation that gives users of connected products and digital services more control over the data they generate. It forces companies to share this data with users and third parties to encourage competition and innovation in the European data economy. [The regulation entered into force on 11 January 2024] (European Commission).
For marketers and SEO practitioners, this act signals a shift from data silos toward an open ecosystem where "lock-in" strategies become illegal and performance data becomes more accessible for third-party optimization.
What is the Data Act (EU)?
The Data Act, officially Regulation (EU) 2023/2854, sets harmonized rules for accessing and using data produced by connected products and related services. It applies to all economic sectors and targets the Internet of Things (IoT) market specifically.
The law mandates that data generated by smart devices must be accessible to the user by default. While previous regimes often allowed manufacturers to claim exclusive ownership of machine-generated data, the Data Act establishes that this information is not the exclusive asset of the manufacturer or service provider.
Key Dates for Compliance
Businesses must track these deadlines to avoid penalties: * [September 12, 2025: Most key obligations begin to apply] (European Commission). * [September 12, 2026: "Access by design" requirements apply] (Latham & Watkins) to new connected products. * 2027: Switching rules apply to some existing long-term cloud contracts.
Why the Data Act (EU) matters
The Data Act creates a more competitive landscape by removing the technical and contractual barriers that keep data trapped within a single brand's ecosystem.
- Breaks Vendor Lock-in: Users can switch cloud providers and port their data more easily, which prevents providers from using high exit fees to keep customers.
- Opens Aftermarket Opportunities: Independent repair shops and service providers can access device performance data to compete with original manufacturers.
- Improves Operational Efficiency: Businesses in sectors like agriculture or manufacturing can use machine-learning to optimize production lines using real-time IoT data.
- Imposes Steep Penalties: [Non-compliance can result in fines of up to €20 million or 4% of global annual turnover] (Skadden).
- Extraterritorial Reach: It applies to any company offering connected products or services in the EU market, regardless of where the company is based.
How the Data Act (EU) works
The regulation operates through several pillars that change how data flows between manufacturers, users, and third parties.
Right to Access and Share
Users have a legal right to access data generated by their use of a connected product. If a user asks a manufacturer to send their data to a third-party service, the manufacturer must comply. Data sharing with the user must be free of charge, though they may charge third parties for the direct costs of making data available.
Access by Design
From 2026, manufacturers must design products so that data is easily and directly accessible to the user. This means technical interfaces (APIs) must be part of the product development process.
Cloud Switching and Interoperability
Cloud and data processing service providers must allow customers [to transfer their data within 30 days] (Latham & Watkins). The Act also requires providers to support interoperability standards, ensuring that data and applications can function across different platforms.
Business-to-Government (B2G) Sharing
In exceptional circumstances, such as public emergencies like wildfires or pandemics, private companies must share relevant data with public sector bodies. This data is generally provided for free during public emergencies.
Best practices
To stay compliant and use the Act as a strategic advantage, consider these steps:
- Map your IoT data. Identify every data point your connected products or services collect. Categorize them as personal or non-personal data to determine which sharing rules apply.
- Audit your contracts. Review existing agreements for "unfair terms" that might block data access or impose excessive exit fees. The EU Commission is developing non-binding Model Contractual Terms (MCTs) to help with this.
- Build technical interfaces. Invest in APIs that allow for secure, real-time data porting. If your products are not designed for data extraction, you will need to re-engineer them before the 2026 deadline.
- Assign accountability. Create a cross-functional team including IT, legal, and marketing to manage data access requests and ensure GDPR alignment.
- Review data transfer policies. If you store non-personal data in the cloud, ensure you have safeguards against unlawful requests for that data from non-EU governments.
Common mistakes
Mistake: Assuming the Data Act only applies to personal data. Fix: Recognize that the Act covers both personal and non-personal data, such as machine performance readings.
Mistake: Treating the Data Act as a replacement for GDPR. Fix: Always apply the GDPR first when personal data is involved. The Data Act complements the GDPR but does not override it.
Mistake: Delaying compliance until 2026. Fix: [Key obligations for data access and cloud switching apply starting September 12, 2025] (European Commission). Only the "access by design" manufacturing requirement has the later 2026 deadline.
Mistake: Thinking foreign companies are exempt. Fix: Assign a legal representative in an EU Member State if you sell connected products or services in the EU from abroad.
Examples
Scenario 1: Smart Fleet Management
A logistics company operates a fleet of trucks. Under the Data Act, they can access real-time performance and sensor data from the vehicles. They can then share this data with an independent maintenance firm that offers better prices than the original truck manufacturer.
Scenario 2: Precision Farming
A farmer uses IoT-enabled tractors that collect soil moisture and temperature data. The farmer can port this data to a third-party analytics app to optimize irrigation and crop yield, rather than being forced to use the tractor manufacturer's proprietary software.
Scenario 3: Cloud Migration
A retail brand wants to move its customer database from one cloud provider to another. The current provider must assist in the transition, ensure technical compatibility, and [cannot charge excessive exit fees] (Latham & Watkins).
Data Act (EU) vs Data Governance Act (DGA)
| Feature | Data Act (EU) | Data Governance Act (DGA) |
|---|---|---|
| Primary Goal | Provides rights for data access and use. | Creates structures to facilitate sharing. |
| Focus | B2B, B2C, and B2G data access. | Data intermediation and altruism. |
| Obligation | Mandatory data sharing in specific cases. | Voluntary framework for data sharing. |
| Application | Connected products and cloud services. | Public sector data and data brokers. |
FAQ
Does the Data Act Apply to non-EU companies? Yes. Any company manufacturing connected products sold in the EU or offering data processing services within the EU must comply. Non-EU companies [must designate a legal representative in an EU Member State] (EU Data Act Info) to act as a point of contact for authorities.
Is there a conflict between the Data Act and U.S. law? There is a documented diplomatic tension. [In December 2025, the U.S. State Department imposed visa restrictions on some European officials] (EU Data Act Info) over concerns that EU digital regulations interfere with U.S. platforms and free speech. Companies should monitor how these geopolitical disputes affect data transfer between the EU and the U.S.
Can users be charged for data access? No. Data holders must provide users with access to their data free of charge. However, if a user asks a data holder to share data with a third party, the data holder may request "fair compensation" from that third party for the costs of the transfer.
Which products are considered "connected products"? This includes any item that can collect and communicate data about its use or environment, often called the Internet of Things (IoT). Common examples include smart home appliances, industrial robots, smart vehicles, medical devices, and wearables.
How does it affect trade secrets? The Act includes safeguards for trade secrets. Data holders can take measures to preserve the confidentiality of shared data, but they cannot use trade secrets as an excuse to flatly refuse data access requests.
