Users of connected products (from connected cars to wind turbines) and data processing services (from SaaS to IaaS) create vast quantities of data when using these products and services. As part of the EU’s wider data strategy, the Data Act aims to incentivise and standardise the widespread sharing of such data and to reduce friction when customers change services. For example, it will allow companies to share technical data from industrial equipment with a repair and maintenance provider of their choice which will drive competition in aftermarket services and potentially elongate the life of products which will in turn support Green Deal objectives. Data sharing will unlock value and opportunities in under-utilised data which can also be harnessed to train artificial intelligence solutions. According to the European Commission, its data strategy will drive greater competition, growth and societal progress and is expected to create €270 billion of additional GDP for the EU by 2028.

In this series, we will break down the Data Act to identify what it means for organisations that will be subject to it and what advantages and benefits it offers.

This series will focus on three main areas:

• Data access: Requirements to make data available to users (individual and business users) and to design products in a way that allows for users to easily access data.
• Data sharing: Requirements to share data on a B2B basis (i.e. expanding data portability rules under the GDPR to non-personal data) and on a B2G basis (i.e. business to government), in exceptional circumstances. Data must be shared under fair, reasonable and non-discriminatory terms and in a transparent manner.
• Switching and interoperability: New rights for customers when switching data processing services (which will eventually be free) and measures to promote the development of open interoperability specifications and harmonised standards for data sharing and for data processing services.

In terms of enforcement, there is a complaint mechanism available. Individuals and businesses can complain to their supervisory authority if they consider that an organisation has not complied with their obligations under the Data Act. The type and level of penalties for infringement are subject to Member State discretion but must be effective, disproportionate and dissuasive.

Timeline

The Data Act entered into force on 11 January 2024 and will largely apply from 12 September 2025.

Provisions requiring new products to be designed in a way that facilitates data access will not apply until 12 September 2026 and the abolition of switching charges will not apply until 12 January 2027.

The Data Act is an EU regulation, therefore it is directly effective throughout EU Member States however we expect to see supplementing legislation in Ireland to identify the relevant supervisory authority, to determine the type and level of penalties and to detail the procedure for the complaint mechanism.

Who does it apply to?

Like the GDPR, the Data Act has extra-territorial effect. It applies to manufacturers, providers and data holders in the EU and outside of the EU if they market connected products or related services in the EU. However, the rights granted to “users” of connected products and related services are only available to users in the EU.

What does it apply to?

Data	The definition of “data” under the Data Act in the context of the data access and sharing obligations is extremely broad. It is intended to cover non-personal data and the rules of the GPDR will still apply to any personal data. Non-personal data includes all data generated from the use of a connected product.    It does not include inferred or derived data which results from proprietary processes which assign value to certain data points.	Data generated automatically by sensors and embedded applications including “raw” data and metadata (i.e. timestamps)   For example: hardware status, standby mode times, temperature, pressure, position, acceleration and speed, error logs
Connected products	Connected products are items that obtain, generate or collect data concerning their use or environment and that are able to communicate product data via an electronic communications service, physical connection or on-device access.   It excludes items primarily designed to display or play content or to record and transmit content such as phones and personal computers.	Smart watches, any device with sensors such as connected cars, jet engines, wind turbines
Related services	Related services are digital services, including software, which are: connected with the connected product at the time of the purchase, rent or lease in such a way that their absence would prevent the product from performing one or more of its functions; or subsequently connected to the product by the manufacturer or a third party to add to, update or adapt the functions of the connected product. The concept of connected products and related services is relevant for the data access and sharing obligations. The switching obligations apply to “data processing services” described below but there is certainly overlap in these two concepts. A “related service” on a connected device could also be a “data processing service” subject to the switching and interoperability rules.	Health tracker on a smart watch, system performance tracker on industrial equipment
Virtual assistants	The rules on access and sharing will also apply to virtual assistants insofar as they interact with a connected product or related service. Data produced by a virtual assistant unrelated to the use of a connected product or related service is not subject to the access and sharing obligations.   The Data Act defines virtual assistants as data software that can process demands, tasks or questions including those based on audio, written input, gestures or motions, and that, based on those inputs provides access to other services or controls the functions of connected products.	Virtual home assistants such as Amazon Alexa or Google Assistant
Data processing services	This concept is relevant for the switching obligations which apply to data processing services including Software as a Service (SaaS), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service).   In technical terms it means digital services provided to a customer that enable ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resource of a centralised or distributed nature that can be rapidly provisioned with minimal management effort or service provider interaction.	SaaS – Microsoft 365 PaaS – Google App Engine IaaS – AWS
Switching	Switching is the process whereby the customer switches from one data processing service to another. It includes the process of extracting, transforming and uploading the data and, in some cases, providing for functional equivalence. The switching obligations which involve the customer, source provider and destination provider also apply when the customer wants to run two services in parallel.	Switching cloud provider from AWS to Microsoft Azure