The EU Data Act entered into force in January and will become applicable in September 2025. But despite its far-reaching implications, the act has received little attention compared to the much-talked-about EU Artificial Intelligence Act.
The Data Act aims to improve access to data within the EU market for individuals and businesses. This is in contrast to the EU General Data Protection Regulation, which is focused on data minimization and requirements to justify collection, use and transfer of personal data.
Like the GDPR and the AI Act, the Data Act is a regulation, meaning it will be directly applicable across the EU without needing to be implemented locally. EU member states will have to designate one or more — new or existing — competent authorities to ensure efficient application and enforcement.
What data is covered?
The Data Act applies broadly to "any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording."
Personal and nonpersonal data are expressly included.
Who must comply?
The Data Act primarily applies to connected device users and manufacturers, those who provide services related to connected devices, holders of connected device data, and data processing services providers — mainly cloud providers. Connected devices include internet of things tools and connected products like health care devices, while related services are those without which the product cannot work fully, or an offering that adds to the product.
The act also sets rules for "public sector bodies" and "union bodies."
The Data Act's territorial scope is similar to that of the GDPR in that it applies irrespective of the place of establishment of manufacturers, providers and data holders. Non-EU-based manufacturers and providers must comply if their connected product or related service is placed on the market in the EU and, for data holders, if they make data available to data recipients in the EU.
A data holder is a natural or legal person who has the right or obligation, in accordance with EU or national law, to use and make available data, including, where contractually agreed, product data or related service data which it retrieved or generated during the provision of a related service. A manufacturer or provider of a related service may also be a data holder.
Data processing services providers can include infrastructure as a service, platform as a service, and software as a service providers that enable on-demand network access to a shared pool of computing resources if they "can be rapidly provisioned and released with minimal management effort or service provider interaction."
A cloud solution that allows for clickwrap procurement and does not need major customization, only minimal professional services, would likely be in scope as a data processing service. If more than minimal interaction is required, a cloud provider would not be in scope. If a cloud provider offers a variety of professional services to go along with a solution, it should not be in scope as a data processing service under the Data Act.
Data access requirements
Most obligations related to connected devices apply to "data holders." Data holders are required to make data generated by the use of a connected product and related services accessible to users, data recipients such as third parties, and, under specific circumstances, public authorities.
Connected products must be designed and manufactured, and related services must be designed and provided, so that the product data and related service data is easily, securely and freely accessible to users and, where relevant and technically feasible, directly accessible to the user.
When data cannot be directly accessed from the connected product or related service, it should be made available without undue delay, of the same quality as is available to the data holder, and easily, securely and free of charge.
There are limitations on use of the data received, including provisions regarding trade secrets. If requested data is personal data that is not about the user, the data holder must make such data available to the user unless a valid restriction under the GDPR limits transfer. Third parties receiving data at the user's request are obliged to process the data made available only as requested and agreed by the user.
Where, in business-to-business relations, data holders are obliged to make data available to data recipients, they must enter into fair agreements with the recipient and can charge a reasonable fee, which can include a margin, for the data access. The EU Commission will publish standard contracts for the data sharing, though they will not be mandatory and companies can already prepare contractual terms based on the act's requirements.
If there are database rights under intellectual property laws, they cannot be asserted by data holders as a basis for denying access requests under the Data Act.
Cloud switching
As "data processing services," some cloud companies are subject to "cloud switching" obligations under the Data Act, aimed at preventing or limiting cloud vendor lock-in and difficulties transferring data between providers of products or services.
Data processing services providers are required to facilitate, and must not interfere with, switching to another provider, or providers, of the "same service type," or to a customer's own infrastructure. Services of the same type use the same data processing model, and might share the same operational characteristics, the same primary objective, and the same main functionalities.
Cloud companies with similar models, characteristics, objectives and functionalities could argue that, even to the extent they are a "data processing service," switching obligations don't apply to them.
Providers of data processing services must also enter into certain contractual terms with customers as detailed in the Data Act, including termination notice provisions, data security provisions, a detailed description of the data and digital assets that can be ported during the switching process, and full erasure of the data after the customer's retrieval period.
Notably, the Data Act does not include any exceptions to the "full erasure" requirement — as compared to the GDPR's Article 28, which states a processor may retain data when required by law. Providers are required to be transparent about how to operationalize switching, including having an online register with information about applicable data structures and formats. How to access the online register must be included in contracts between providers and customers.
International governmental access and transfer
The Data Act introduces new rules and restrictions related to international transfers of non-personal data, requiring data processing services providers to take all adequate technical, organizational and legal measures, including contracts, to prevent international and third-country governmental access and transfer of EU nonpersonal data where it would conflict with EU law or member states' national legislation.
There are exceptions for cases of international agreements.
How the Data Act, GDPR interact
The Data Act is intended to complement, and is without prejudice to, the GDPR. This means that if both the Data Act and the GDPR apply to particular data — namely where personal data is processed by a data holder or data recipient — the GDPR prevails, and general principles such as data minimization, data protection by design and by default, the requirement for a valid legal basis for processing, and data subjects' rights continue to apply fully.
The GDPR applies to personal data, while the Data Act applies to both personal and nonpersonal data. The Data Act grants rights to a wider group because "users" can be individuals and legal entities/organizations, while only individual data subjects have rights under the GDPR.
Data should be directly accessible under the Data Act, but when that is not possible it should be provided without "undue delay." The GDPR's rights of access and portability, meanwhile, allow the controller 30 days to respond.
If a data set contains personal data, under the Data Act it must be anonymized, or in some cases pseudonymized, by the data holder before it is shared with public authorities.
The Data Act expressly states data processors under the GDPR are not considered to act as data holders under the Data Act, and that, in the case of personal data processed by a processor on behalf of the controller, data holders should ensure the access request is received and handled by the processor.
The exact relationships between roles, rights and obligations under the Data Act and the GDPR remain unclear.
Sanctions and remedies
The majority of these provisions will be enforced as of 12 Sept. 2025. If these rules are not followed, individual member states can impose penalties, which must be effective, proportionate and dissuasive — similar to sanctions under the GDPR.
Member states are required to appoint one or more regulators to enforce the Data Act, which could be, but do not have to be, the data protection authorities. These authorities will be granted tasks and powers including the ability to impose effective, proportionate and dissuasive financial penalties — which may include periodic penalties and penalties with retroactive effect — or to initiate legal proceedings for the imposition of fines.
Moreover, referring to Article 83 of the GDPR, the Data Act also foresees that existing data protection authorities under the GDPR remain competent to issue fines within the scope of their powers in case of violation of certain provisions of the Data Act.
This means that — in addition to the sanctions from member states, which may vary from one member state to another — administrative fines of up to 20 million euros, or 4% of the company's worldwide turnover, whichever is higher, could be imposed.
As under the GDPR, certain criteria must be considered when imposing fines, including:
- The nature, gravity, scale and duration of the infringement.
- Any action taken to mitigate or remedy the damage caused by the infringement.
- Any previous infringements by the infringing party.
- The financial benefits gained or losses avoided by the infringing party due to the infringement, insofar as such benefits or losses can be reliably established.
- Any other aggravating or mitigating factors applicable to the circumstances.
- The infringer's annual turnover of the preceding financial year in the EU.
Outlook
Organizations will need to determine if the Data Act applies to them, and their role under the regulation. The applicable requirements can then be mapped and compliance strategies implemented.
Importantly, while enforcement will not start for another year, manufacturers of connected products and providers of related services should already be assessing how to design their products and services to comply with the Data Act.
More generally, data holders should plan and set out processes internally on how they will operationalize data access requests in practice and in compliance with the Data Act. And, just as with respect to data processing terms under privacy laws, it is always helpful to get ahead of required updates to contracts.
Elisabeth Dehareng, CIPP/E, and Helena Engfeldt, CIPP/E, CIPP/US, are partners at Baker McKenzie.
The IAPP's "EU Data Act 101" by European Operations Coordinator Laura Pliauskaite offers a chart that provides an overview on which entities are permitted to access and use data generated across all economic sectors in the EU under the Data Act.