Blog 7.5.2024

The new EU Data Act – what must I do?

Digital Society

Intelligent Industry

Woman gazing out the window while working on her laptop

The new EU Data Acti will be applied from 12th September 2024. The Act is about the data generated by products that connect to the internet. A wide range of products starting from industrial machinery fall within the scope of the act. What does the Data Act mean and who does it concern?  

The Data Act concerns products that are connected to the internet, the data they generate, and services related to them. When a product obtains, generates, or collects data concerning its use or environment, this data is called product data. When the product data is readable from somewhere outside of the product, such as from the product itself, via a physical connection or electronically, this falls under the Data Act. However, if the product’s primary function is the storing, processing, or transmission of data on behalf of somebody else than the user, meaning for example products such as servers, the Data Act does not concern these products and product data. The Data Act also concerns services related to the products and data that fall under the Data Act. 

The core of the Data Act is the data holder’s duty to make the product data of a specific product available to the user of the product free of charge, as well as the metadata needed to interpret and use the product data. This duty concerns the product data of a specific product, not the data generated by similar products used by other users. The data holder is usually but not always the maker of the product. The user is a person or entity that owns a connected product or to whom temporary rights to use that connected product have been contractually transferred, or that receives related services.  

If it is not possible to keep the product data available for the user, the data holder must give the data to the user when the user asks. If the user asks, the data holder must also share the product data with a third party within the EU. The data folder may ask for compensation from the third party and even make a profit, but the compensation must be non-discriminatory and reasonable. If the third party is a small or medium-sized enterprise or a not-for-profit research organization, the compensation may not be greater than the costs from making the data available. Exceptionally, the data holder may not share the product data with the gatekeepers defined in the Digital Markets Actii even if the user asks, but the third parties with whom the data has been shared may use data processing services offered by the gatekeepers. Then on the other hand, the data holder may not share the data with a third party for any other purpose than to fulfill the contract between themselves and the user.  

”Connected products shall be designed and manufactured, and related services shall be designed and provided, in such a manner that product data and related service data, including the relevant metadata necessary to interpret and use those data, are, by default, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format, and, where relevant and technically feasible, directly accessible to the user.”iii 

Exceptions to the duty to provide the product data 

There are exceptions to the duty to keep the product data available for or give it to the user. Small and medium-sized enterprises are exempt from this duty as well as a number of other duties under certain circumstances. Also, in certain circumstances it is possible for the data holder to refuse to share the data if sharing the data would compromise trade secrets or product safety. However, the primary course of action for data holders is to use the other tools described in the Data Act to safekeep trade secrets and ensure product safety. There are also limitations to what the user or a third party may do with the product data: for example, it is forbidden to use it to create competing products.  

Other obligations under the Data Act 

The Data Act also has rules about business-to-business contractual terms related to data access and information that must be given before concluding a contract. Unfair product data related contractual terms that one of the parties has imposed are not binding to the party that did not impose the terms. Certain information, for example how product data is generated and how the user can access it, must be given to the user before concluding a contract on the product or service. 

In certain circumstances the data holder must give data to a public sector body. This is if the public sector body has an exceptional need for the data to fulfill a specific task that is both carried out in the public interest and provided by law, and the public sector body has no other means to get the data. In this case the data holder must give the data without undue delay. 

The Data Act also contains requirements for interoperability regarding data, data sharing mechanisms and services, and European data spaces. It also requires that providers of data processing services must remove obstacles to make it easy to switch data processing services. 

Entry into force and penalties 

The penalties for breaching the Data Act are quite severe and include administrative fines up to 20 000 000 EUR, or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.  

The Data Act will apply from 12th September 2025. The obligation to design, manufacture, and provide products and services to make product data available to users will apply to products and the services placed on the market after 12th September 2026. The portion of the Act concerning unfair data related contractual terms in business-to-business contracts will apply to contracts concluded after 12th September 2025 and to contracts concluded on or before 12 September 2025 if they either are of indefinite duration or are due to expire at least 10 years from 11th January 2024. 

Ending remarks 

The Data Act contains new and quite large obligations. Product manufacturers must take data sharing and data management into account in all stages of a product’s life cycle. They must carefully both choose the data to collect from the products and how to do it. They must also plan how to share the data and how to do all this safely. A need to look at the data architecture related to products arises, and information security questions also become central. Although the Data Act brings new duties for manufacturers, it is highly likely that manufacturers who quickly take up the issue can create a competitive advantage and added quality for their products. The Act also opens new possibilities to utilize data. We are happy to help you if you would like us to. 


1 Data Act

2 Digital Markets Act

3 Quote from Article 3 subsection one of the Data Act.

data & AI

Jenni Miettinen

ICT Procurement Lawyer

Jenni is a lawyer specialising in public procurement and ICT law, with a wide range of experience for example working as an attorney-at-law, an in-house procurement lawyer at a large contracting entity, and completing training at the bench.

Back to top