The EU Data Act complements existing EU laws, including the GDPR, Digital Markets Act and Digital Services Act. The Data Act primarily applies to non-personal data and aims to ensure fairness in the allocation of value from data, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible to all users.
This article provides an overview of some of the Data Act’s key provisions. For more information, please contact a member of our Data team or your usual Addleshaw Goddard contact. On 16 September some of our data experts are presenting a webinar on the EU Data Act and UK Smart Data developments. You can find more information and register here.
7 key things you need to know
While the Data Act covers a number of different areas, the top seven things that commercial organisations need to know about the Act are:
Timing
The Act starts to become applicable on 12 September 2025, although some provisions will not become applicable until a later date, as set out in the above timeline.
Action point: Identify what changes your organisation needs to make and draw up a timetable for implementing them.
Scope
The Act’s key provisions apply to manufacturers and suppliers of connected products and related services, as well as data processing services.
Connected products are items that obtain, generate or collect data concerning their use or environment and can communicate product data (i.e. “Internet of Things” or “IoT” devices).
Related services are digital services that make connected products work.
Data processing services are digital services including cloud and edge services.
Action point: Identify whether any of your products or services fall within the Data Act’s scope and, if so, identify which obligations apply in relation to each. This is a complex exercise, so you may need to take specialist legal advice.
The Act does not apply to voluntary data-sharing agreements or data collected for criminal law enforcement, taxation or national security purposes, and there are exclusions from some obligations for micro and small enterprises.
Extraterritorial effect
While the Data Act is EU law, it also applies to non-EU organisations placing connected products or related services on the EU market.
Action point: UK organisations, as well as EU ones, should consider whether they fall within the scope of the Data Act. In addition to needing to comply with the Act’s key obligations, they may also need to appoint a representative in the EU.
Safeguards for international transfers of non-personal data
The Data Act introduces new obligations for providers of data processing services relating to:
- transparency about international transfers;
- restrictions and safeguards for international transfers; and
- preventing unlawful third-country governmental access to data.
Action point: If you are a data processing service provider, you should amend your relevant contracts and put in place appropriate safeguards.
Data accessibility by design
Manufacturers of connected products and providers of related services are subject to the “data accessibility by design” obligation, which requires these products and services to be designed and manufactured or provided to make the data accessible to the user:
- easily, securely and free of charge;
- in a structured, commonly used and machine-readable format; and
- where relevant and technically feasible, directly.
Where the user cannot access the data directly, the data holder must make the data readily accessible:
- continuously and in real-time (where relevant and technically feasible);
- on the basis of a simple request through electronic means (where technically feasible); and
- not subject to user interface design, etc. (“dark patterns”) making it more difficult for the user to exercise their rights.
These requirements apply to connected products and related services placed on the market after 12 September 2026.
Action point: If you place connected products and/or related services on the EU market, plan the steps you need to take to ensure that you will be able to comply with these obligations.
“Trade secrets handbrake”
The Data Act contains some exceptions and safeguards (referred to as the “trade secrets handbrake”) in relation to the obligations to provide access to data, in order to protect secret information with commercial value. The data holder or (as applicable) the trade secret holder has a responsibility to identify the data protected as trade secrets and (where appropriate) agree proportionate measures, including contractual terms, to protect that data.
Action point: When considering what data you need to make accessible, consider whether any of it could be protected by the safeguards for trade secrets and, if so, take the necessary steps to put them in place.
Contract terms and pre-contractual transparency obligations
The Data Act introduces:
- obligations for the seller, rentor or lessor of a connected product to provide pre-contractual transparency information to the user about the data a connected product or service will generate and how the user can access the data; and
- new rules making unfair terms unenforceable in B2B contracts about data access and use. These terms include those excluding liability for intentional acts or gross negligence, restricting users from accessing or using their own data and permitting unilateral contract changes without valid reasons or notice.
Action point:
To the extent that the Data Act applies, review and update your contracting terms and transparency statements to ensure that they comply with these new rules and continue to be legal and enforceable.
Next steps
Organisations may be finding it difficult to navigate the closely-connected rules introduced by new EU legislation including the Data Act, Data Governance Act, AI Act, Digital Services Act and Digital Markets Act, together with more established legislation like the GDPR, while horizon scanning for forthcoming legislation such as the Digital Fairness Act.
Organisations that operate in the EU and the UK have the added complexity of UK data protection law starting to diverge from the GDPR as the Data (Use and Access) Act 2025 (“DUAA”) comes into force. Among other things, the DUAA gives the government the power to make regulations in connection with Smart Data schemes, which enable consumers to request that their data be directly shared with authorised and regulated third parties and establish a framework to ensure the security of the data.
Addleshaw Goddard’s specialist Data team can help you to identify which legislation applies to your organisation and devise a plan to achieve compliance.
