Introduction
What is the EU Data Act and Why It Matters
The EU Data Act aims to regulate non-personal as well as personal data generated by devices or through services (such as cloud or IoT), focusing particularly on making product-generated data and related service data accessible to users. The law complements existing frameworks like the General Data Protection Regulation (GDPR) and the Data Governance Act. While GDPR governs personal data protection, the Data Act provides clarity on rights and duties over broader categories of data, especially raw or pre-processed data produced by “connected products” and “related services”. The legislation was published in the Official Journal of the European Union on 22 December 2023.
The law is important for several reasons. First, it shifts more control toward users, businesses, or individuals over the data generated by their devices. Second, it attempts to curb vendor lock-in, particularly in cloud and edge computing, by enabling switching between service providers under fair conditions. Third, it opens pathways for public authorities to access privately held data in exceptional cases such as emergencies, with safeguards. All of this means that organisations operating in, exporting to, or partnering with entities in Europe must prepare proactively.
Key Dates and Regulatory Framework
Although the Data Act entered into force on 11 January 2024, most of its obligations become enforceable as of 12 September 2025. This date marks when users can begin asserting many of the rights created under the law. The legal text itself is available via the Official Journal: “Regulation (EU) 2023/2854 of the European Parliament and of the Council … on harmonised rules on fair access to and use of data”. The European Commission has also released an updated version of the Frequently Asked Questions (FAQ) on the Data Act (version 1.2) to help stakeholders implement its provisions.
Core Obligations Under the Data Act
Under this new regime, several obligations are central for organisations to understand and implement.
- User Right to Data Access: Users, whether consumers or businesses, can demand access to data generated by the devices or services they own, lease or rent. This includes raw data and pre-processed data but not derived or inferred data (e.g. analytics outputs or predictions) unless agreed contractually. Data must be made available in structured, machine-readable formats.
- Fair Terms for B2B Data Sharing: The Act requires rules for business-to-business data sharing to be fair, reasonable, and non-discriminatory (FRAND). Enterprises cannot impose unfair contractual terms on smaller entities regarding access to data. Legitimate grounds for refusing to share include protecting trade secrets, ensuring security, or avoiding a disproportionate burden.
- Cloud Switching & Portability: Providers of cloud and related data processing services must enable switching with minimal disruption. They need to ensure compatibility and interoperability, allowing data export in standard formats. Fees for data egress or switching must be transparent and, in many cases, be phased out or limited. By January 2027, most switching and exit-related obligations are expected to be fully in force.
- Public Sector Access in Exceptional Cases: Public authorities are empowered to request access to privately held data in cases of “exceptional need,” such as public emergencies. Any such request must meet strict criteria: specificity, necessity, proportionality, time limitation, and transparency. Whenever possible, anonymised or aggregated data should be used.
- Protection of Trade Secrets and Confidential Information: The Data Act does not override obligations to protect trade secrets and confidential information. When sharing is requested, data holders must identify what is confidential, and they can refuse or limit sharing if disclosure would compromise such secrets, as long as they document and justify their decisions.
- GDPR and Other Legal Overlaps: Where data shared or accessed falls under “personal data,” GDPR remains fully applicable. Organisations must respect GDPR’s principles, lawful bases, data subject rights, and perform impact assessments when required. The Act clarifies that in cases of conflict, GDPR prevails.
Practical Implications and Risks
For privacy professionals, the EU Data Act poses both challenges and opportunities. One major implication is the need to classify data properly, distinguishing between what is raw, pre-processed, inferred, or derived. Overlooking these distinctions can lead to misapplying obligations or exposing the organisation to risk. Another concern is the technical side: companies will have to build or adapt APIs, data export tools, interoperability layers, or interfaces that allow portability and seamless data movement.
Contractual relationships will also need review. Vendor agreements, cloud service contracts, and product terms must be checked for clauses that conflict with these new requirements. Cases where providers impose prohibitive exit fees or restrict data access may no longer be compliant. Trade secret protection must be built into contracts and technical systems so that sensitive algorithms, internal metrics, or design details are not unintentionally exposed.
Risk also arises from regulatory enforcement. National authorities in each Member State are responsible for enforcing the Data Act, and penalties for non-compliance can include sanctions, reputational harm, or legal claims from users. Additionally, companies operating internationally need to map how the Data Act interacts with other jurisdictions’ laws, especially when sharing data across borders or when working with third-country entities.
Recommended Action Plan for Privacy Professionals
To be ready, privacy and compliance teams should take a structured approach to implementing the Data Act.
First, conduct a data and device inventory. Document all connected products or services your organisation uses or provides, the data they generate (raw, pre-processed, derived), where it is stored, who owns it, and how it flows. This gives you clarity on what is in scope.
Next, review and revise all contracts and terms of service. Make sure vendor and cloud provider agreements allow users’ data access, portability, switching, and that contractual terms are FRAND (or at least not unfairly restrictive). Include clauses about how trade secrets are handled, exit fees, data export formats, and responsibilities for responding to public authority requests.
Third, develop or enhance governance, policies, and internal roles. Assign who in the organisation handles data access requests, who assesses trade secret concerns, and who ensures technical compliance. Prepare policies for exceptional public sector requests, emergency data provision, and GDPR overlap.
Fourth, invest in technical capability. Build or acquire tools and APIs that allow structured and machine-readable export of raw/pre-processed data. Test cloud switching or migration scenarios. Ensure interoperability, format compatibility, and secure data transmission.
Fifth, organize training and awareness programmes. Stakeholders across legal, product, engineering, procurement, compliance, and senior leadership must understand their obligations. Use workshops, internal documentation, and scenario exercises to simulate compliance tasks.
Finally, monitor the regulatory landscape continuously. Read the updated FAQs published by the European Commission (version 1.2 as of 3 February 2025) for clarifications on ambiguous areas like scope, data categories, compensation, etc. Also, watch for enforcement actions in different Member States to understand how regulators interpret and apply the rules.
Future Trends & Strategic Opportunities
The EU Data Act opens up several strategic opportunities for organisations that act early. Transparency in data practices and strong data governance can enhance trust with customers and partners. Companies that build interoperable systems and support portability will be more attractive in global digital markets. Novel services such as analytics, third-party dashboards, diagnostics, or product enhancements drawing on user-controlled data can become viable business models.
There is also potential for collaboration with public sector bodies, especially in areas of public interest such as environmental monitoring, disaster response, or public health. Such collaborations may depend on good compliance with exceptional-need data access provisions.
Moreover, companies that are proactive in policy discussions (for example, through stakeholder consultations on FAQ updates or standardisation efforts) may help shape how certain clauses are interpreted, such as those on compensation, trade secret protection, and interoperability.
Conclusion
The EU Data Act represents a transformative shift. For privacy professionals, it signifies more than compliance: it demands a reorientation of how data is conceived, as an asset controlled by users, with rights, obligations, and technical requirements attached. Organisations that prepare now (mapping data flows, updating contracts, investing in technical infrastructure, and clarifying internal governance) will not only reduce legal and regulatory risk but also gain a competitive advantage. Ensuring compliance with the Data Act will be a marker of maturity in data governance and privacy, reinforcing trust and enabling innovative, responsible use of data in the EU and beyond.
We at Data Secure (DATA SECURE - Data Privacy Automation Solution) can help you to understand EU GDPR and its ramifications, and design a solution to meet compliance and the regulatory framework of EU GDPR and avoid potentially costly fines.
We can design and implement RoPA, DPIA and PIA assessments for meeting compliance and mitigating risks as per the requirement of legal and regulatory frameworks on privacy regulations across the globe especially conforming to GDPR, UK DPA 2018, CCPA, India Digital Personal Data Protection Act 2023. For more details, kindly visit DPO India – Your outsourced DPO Partner in 2025 (dpo-india.com).
For any demo/presentation of solutions on Data Privacy and Privacy Management as per EU GDPR, CCPA, CPRA or India DPDP Act 2023 and Secure Email transmission, kindly write to us at info@datasecure.ind.in or dpo@dpo-india.com.
For downloading the various Global Privacy Laws, kindly visit the Resources page of DPO India - Your Outsourced DPO Partner in 2025.
We serve as a comprehensive resource on the Digital Personal Data Protection Act, 2023 (Digital Personal Data Protection Act 2023 & Draft DPDP Rules 2025), India's landmark legislation on digital personal data protection. Our site provides access to the full text of the Act, the Draft DPDP Rules 2025, and detailed breakdowns of each chapter, covering topics such as data fiduciary obligations, rights of data principals, and the establishment of the Data Protection Board of India. For more details, kindly visit DPDP Act 2023 – Digital Personal Data Protection Act 2023 & Draft DPDP Rules 2025.
We provide in-depth solutions and content on AI Risk Assessment and compliance, privacy regulations, and emerging industry trends. Our goal is to establish a credible platform that keeps businesses and professionals informed while also paving the way for future services in AI and privacy assessments. To know more, kindly visit AI Nexus – Your Trusted Partner in AI Risk Assessment and Privacy Compliance | AI-Nexus.