The Data Act, which entered into force in January 2024, will affect the operations and processes of nearly all businesses collecting data. Its application will begin on September 12, 2025, but it is crucial to evaluate the obligations and opportunities it brings now to prepare for the change. The regulation clarifies rules regarding data usage and commercialization and strengthens user rights to data.
What is expected from companies?
The Data Act applies broadly to all companies operating in the EU that offer products connected to a network (Internet of Things) or associated services. It also covers companies providing data processing services and those participating in data spaces or offering services related to the use of smart contracts.
Traditionally, data generated during the use of devices and services has been considered the property of the providers. Under the Data Act, companies must design and offer network-connected products and associated services so that the data they collect is readily, securely, and freely accessible to users by default. While data can still be collected and used under agreed terms, businesses must provide limited access to others. The data-sharing obligation applies to raw data generated or collected during use of a product or service, as well as to any explanatory data (including metadata necessary to interpret and utilize the data). However, further processed data is generally exempt from the sharing obligation. Distinguishing between shareable data and proprietary data is vital as companies must provide access to users and third parties acting on their behalf.
Similarly, providers of data processing services must ensure that users can easily switch service providers. The regulation imposes an obligation to remove technical barriers to portability of user data and also addresses contractual terms between providers and users to ensure continuity and reasonable transfer times.
Key goals of the Data Act
The regulation aims to facilitate data copying and transfer between products and services. For example, users can more easily compare maintenance and repair services for devices, since repair services can no longer be tied exclusively to the manufacturer. Similarly, businesses can switch providers or applications without having to manage the data transfer themselves. These changes require companies to review pricing models to maintain competitiveness. Additionally, the regulation imposes obligations on making data available to public authorities under certain conditions.
Impacts on contracts and trade secrets
The Data Act imposes disclosure requirements which providers of connected devices, related services, and data processing services must meet before contracts are finalized. Providers must specify the data collected or generated, its storage location, and how users or third parties can access it. For data processing services, providers must disclose methods, formats, and technical limitations regarding data transfer.
The Data Act takes a position on the content of contracts with users. Contracts must specify how user data is used and shared, including agreements with third parties acting on the user’s behalf. For instance, repair shops must be given data access under terms aligned with FRAND principles (Fair, Reasonable and Non-Discriminatory). However, a repair shop must not use the data received by it at will, but data usage is restricted to what is necessary for the agreed service, and it must be deleted once its purpose is fulfilled.
The regulation also imposes significant restrictions on contractual freedom, requiring clear definitions of data categories and clauses ensuring smooth transfers, with no fees after a transition period. Providers must assist in transfers, ensure data security and continuity, and comply with minimum and maximum termination and transfer timelines.
Contracts relating to the use of data should be drawn up well before the application of the data regulation begins, and even before drawing up the contract, providers of devices and ancillary services should take a moment to examine the collected data, its transfer possibilities, and management. Although the regulation includes usage restrictions and obligations to act in good faith related to shared data, enforcing such restrictions and obligations may be very difficult in practice.
Even though the obligation to share data does not cover further processed and refined data, the disclosure and sharing obligations related to data collected by devices or ancillary services cannot be avoided by processing, structuring, refining, and combining it, for example, with one's own or others' trade secrets. The starting point of the data regulation is, of course, that the protection of intellectual property rights and trade secrets must be preserved, and among other things, the use of data for the development of a competing product is explicitly prohibited. However, trade secrets as such are not a reason to refuse to provide data to the user or a third party. Trade secrets should not be thought of as a factor that facilitates actions, but on the contrary, additional measures are needed to protect them also in the context of the Data Act. Trade secrets allow, under certain conditions, a limited right to refrain from sharing data, but the fulfilment of these conditions must be carefully checked. The decision to refuse must be justified to the competent authority.
According to the Data Act, data containing trade secrets can be disclosed if the provider of the device or ancillary service and the user take all necessary measures to maintain their confidentiality before disclosing them. Therefore, it is extremely important to identify the confidential data and the related or associated metadata. An agreement should also be made with the user on proportionate technical and organizational measures necessary to maintain the confidentiality of the shared data. Such measures include non-disclosure agreements, strict access protocols, technical standards, and the application of codes of conduct.
Preparing for the Data Act
Businesses must develop systems and processes to meet the obligations set by the regulation. Preparation should be started well in advance as the changes primarily concern the technical implementation of products and services, as well as the overall processes of data management. When the data subject to the sharing obligation is managed in such a way that access to it can preferably be allowed in real-time and via an online service or it can be easily transferred, attention should also be paid to data-related contracts and the processes concerning trade secrets should be reviewed. It is also noteworthy that the processing of personal data is still primarily governed by data protection legislation.
The following checklist helps companies prepare for the Data Act's implementation:
- Identify the types of data collected, its users, and purposes.
- Determine how third-party device data is utilized.
- Assess internal data management processes.
- Identify data within the scope of the regulation.
- Ensure separation of shareable data from proprietary data.
- Check if shareable data includes trade secrets and ensure effective protection.
- Plan how to implement disclosure obligations (Data Notice).
- Decide whether users access data directly or through requests.
- Confirm if shareable data includes personal information.
- Verify compliance of contracts with data access, sharing, and transfer obligations.
New Opportunities for Business Innovation
While the Data Act requires preparation, it also creates opportunities for collaboration and innovation across industries. Companies can leverage the regulation to develop new services and products based on the free movement of data. For instance, businesses specializing in data analytics can offer tools to help users maximize their data's potential. The Data Act allows users to compare competitive services and removes provider dependency based on technical barriers and contractual constraints for connected products, their ancillary services, and data processing services. The purpose of all this is to open up new business opportunities, to promote the EU's competitiveness and innovation, and to strengthen the position of SMEs in the data market.
Preparing for the Data Act begins with understanding its practical implications for your business and making on inventory of the device data your company collects and uses. Berggren’s experts are ready to assist with these tasks and in planning and implementation of your data management project.
This blog was written by our legal experts Iiro Nurminen and Elisa Huusko.