The EU Data Act officially took effect on September 12, 2025, and established new business and consumer rights to access data that their respective connected devices generate, and limited the monopoly of data among makers and cloud computing service providers. The law aims at easing data sharing and innovation and circumventing contractual and technical lock-ins to allow users to switch service providers.
Users of connected devices have unmatched rights to data
According to Skadden, the Data Act gives the right to users, both businesses and consumers, to access, use, and share data produced by their connected products and services, including smart home devices, industrial machines, or connected vehicles. This comprises individual information, such as whereabouts and usage, as well as non-personal information, such as sensor data and machine performance.
The requirement to facilitate such sharing is imposed on the data holders, who are normally the manufacturers or service providers having control over access to the data. They should make sure that data is available when requested, either to the user directly or to a third party that is appointed by the user. Notably, the sharing of data with the users should be free, but the data holders can ask the third parties to pay a fair amount as damages.
Portability requirements of cloud services remove the lock-in by the vendors
The Data Act obliges cloud service providers, such as infrastructure-as-a-service, platform-as-a-service, and software-as-a-service companies operating within the EU, to make the process of user switching providers simpler. Cloud providers must now eliminate the clauses of contractual lock-in, make pricing of data transfer more transparent, and their services must be designed in an interoperable manner.
Emerging data-sharing requirements that increase government access
According to the European Commission, public authorities can demand access to the data in the private sector, in case there is an emergency of a public character, such as a pandemic or natural disaster. These requests should be reasonable, in the cause, and confined to the absolute necessity. These regulations cover those businesses that possess information pertaining to crisis management, including transport operators, smart infrastructure, or logistics companies.
In an emergency, the companies are usually obliged to offer non-compensated access. In case of such requests for data by the public authorities, who need the information to serve non-emergency public interests, the Data Act provides the company with the right to obtain fair compensation that would compensate the expenses incurred during the preparation and transmission of the data.
The terms of an unfair contract are highly regulated
In a bid to ensure that data is accessible fairly, the Data Act limits the application of unjust contractual terms by firms that have substantially greater bargaining power, especially large corporations. The Act presents two types of unfair terms: unfair per se terms and presumptively unfair terms, which are unfair unless a showing of fairness in a particular situation is made by the imposing party.
Violation of the Data Act may result in serious fines, and their imposition is to be carried out at the national level, and the fine will depend on a specific country, being a member of the EU. In case of a breach of personal information, data protection regulators are authorized to impose fines of up to the GDPR level, up to 20 million Euros or 4% of worldwide annual turnover, whichever is greater.
The Data Act by the EU is a paradigm shift in the area of digital rights, giving users more power and placing significant burdens on data holders and cloud providers. As the companies find their way in these new requirements, they will have to look at trade-offs between the cost of compliance and innovation as they re-architect systems to make them interoperable.