Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains. 

This is the fifth article in a five-part series on the EU Data Act. The first article, "EU Data Act operational impacts: Introducing the Data Act," explores the creation of the Data Act, its objectives, the negotiation backdrop, and how it fits within the EU's digital rulebook. The second article, "EU Data Act operational impacts: The Data Act's interplay within the EU digital rulebook," dives into the roles and requirements under the Act. The third article, "EU Data Act operational impacts: The Data Act as a challenge to data protection or the other way around?" looks at the roles and requirements under the Act and cross-references stakeholder obligations with other laws to identify issues across the board. The fourth article, "EU Data Act operational impacts: Compliance and technical considerations of cloud switching," examines some of the compliance and technical challenges brought by the Data Act regarding cloud portability.

The EU Data Act marks a radical transformation in Europe's digital and data landscape and requires careful consideration from organizations as they navigate the requirements and obligations. In order to balance the risks and opportunities, organizations must strategically review how they use data, in terms of how data is accessed, shared, protected and monetized.

The act is broad in scope, applying across the board from manufacturers of connected products to cloud providers, software firms and data-processing services. The scope extends to the vast world of machine-generated data and industrial data, such as that collected and analyzed by connected devices and sensors or analytics processes and platforms.

Industrial data generated across Europe is not yet being fully leveraged, leaving considerable room for innovation and economic value creation. Unlocking even a portion of it could potentially add enormous value to the EU economy, where data is seen as a major engine for innovation and growth.

The act has extraterritorial reach, meaning that it applies to any provider offering data processing services to customers within the EU, or offering products on the EU market, irrespective of where the provider itself is based. In practice this means non-EU companies in scope will also need to comply.

Balancing compliance, fairness and risk

As organizations consider their position and process their obligations under the Data Act, they may find it pertinent to consider how they can use this change to leverage new opportunities and reduce risk, rather than viewing it as just another compliance exercise.

The act applies across all sectors as a horizontal regulation. It mainly covers nonpersonal data, but there will be potential overlap with personal data in cases where device-generated information relates to individuals. In those instances, the GDPR still applies.

One of the core purposes of the act is to empower users, allowing them greater control over and access to data. It strives to shift control of data generated by connected devices from the manufacturers to the users, whether individuals or businesses. It balances this purpose with an ambition to promote innovation, ensure fair conditions and increase competition.

The Data Act aims to make industrial data more accessible and usable. It seeks to promote fair conditions in allocating the value of data. Users of connected products now have the right to access and use the data those products generate. The Act specifies general conditions where a business has a legal obligation to share data with another business. However, these access rights are not without limitations. The data holders can restrict access if they are able to substantiate that allowing access would compromise trade secrets or intellectual property.

Data processing providers now have an obligation to make it easier for customers to switch providers. They must ensure interoperability and remove any unjustified fees or unfair contractual terms that lock users in. Where users are faced with universally imposed, take-it-or-leave-it terms, an unfairness test will apply.

Specifically, the act seeks to address the situation where one organization is in a much stronger bargaining position, perhaps due to its market size, and requires that contracts avoid unfair or imbalanced terms and conditions, particularly where smaller businesses are dealing with larger, more powerful partners. These obligations aim to foster innovation and competition while maintaining fair access and protecting organizations.

The strategic opportunity

Undoubtedly there is a strategic opportunity here. For example, manufacturers can expand their sales beyond hardware and start offering data-driven services. These can be anything from analytics and improved decision making to efficient and effective insights from data that optimize performance or reduce maintenance costs.

The act supports new business models built around expanding value creation. Accessible data becomes a new kind of asset. Organizations will need to review existing and potential partnerships, strategize how they buy and sell data, and optimize value-add services using shared or aggregated databases. The market is braced for partnerships and collaborations between device makers and analytics companies seeking to drive growth and value.

Potentially, as data becomes more accessible, the competitive advantage will be found in alliances and partnerships. Organizations with strong analytics, access by design and robust data governance capabilities will be able to turn data into actionable insights and customer value. The act is rather ambitious in its aims to unlock the cloud market, but it seems that there is an opportunity for cloud and data-processing service providers to turn compliance into a differentiator.

Promoting trust and innovation

In practice, the new rules aim to make switching between providers free, fast and frictionless. Organizations that promote easy switching and no extended lock-in period may well build trust and attract more customers in the longer term. In addition, it is entirely conceivable that user-centric policies and practices will promote loyalty and trust. When users feel they are in control of their data, and the terms of processing are transparent and clear, the customer relationship will be far deeper and more sustainable.

In terms of accelerating research, development and innovation, the act has the power to be transformative. Increased access to significant volumes of operational and industrial data has the potential to supercharge research and development. It enables higher-quality simulations and, crucially, more effective training of machine-learning models.

The act explicitly references medical and health devices as within its scope. Accordingly, a substantial number of medical and health care devices, connected wearables and digital health platforms will be in scope. This data must now be made readily accessible to users directly and, if instructed, to third parties. Manufacturers will have to review and document the data flows and may need to reconsider product specification and design.

From a risk perspective, connected devices may require enhanced security provisions so that only authorized parties can access the device or the data. These devices and platforms must protect the information and verify the identity of those accessing the data. This will potentially require additional investment and security by design in such products and platforms.

While the opportunities for innovation are irrefutable, this type of access to patient data raises complex and challenging questions on privacy, cybersecurity and, critically, how the act will operate in alignment with the EU General Data Protection Regulation. Overlapping requirements can be onerous for global companies to navigate and can stifle the very innovation the Act seeks to unlock. While most health data will be processed on the grounds of consent, organizations in the health and medical fields will face a delicate balance between leveraging the data and protecting and securing it appropriately.

Privacy, security and compliance risks

While the Data Act offers potential benefits, it also introduces significant risks and operational challenges that organizations will have to negotiate carefully, not least the risk of exposing trade secrets and compromising intellectual property. Sharing data could inadvertently reveal business-sensitive insights such as costs, performance metrics or operating patterns. Strategic use of strong technical and contractual safeguards, such as anonymization and non-disclosure agreements, will be key to protecting sensitive commercial information.

Complying with the requirements on accessibility and interoperability may require major product or platform redesigns, which will be particularly relevant for legacy systems. Some of the requirements will be technically complex and expensive to implement, and this risks disadvantaging smaller enterprises. Similarly, managing data quality, security, anonymization and interoperability will require robust, scalable and sustainable governance frameworks, which smaller firms may struggle to implement cost-effectively. While the act is designed to promote competition, compliance costs may ironically favor large organizations. Smaller or emerging providers could face disproportionate challenges meeting interoperability and governance standards.

In addition, addressing legal and technical ambiguity is a very real practical challenge for legal teams. Concepts like "reasonable compensation" for data access or "technical feasibility" of interoperability remain open to interpretation. There is a lack of industry best practice, guidance or even clarity on some of the language at this stage, meaning that organizations may feel exposed in applying their own interpretation. The consequences of getting this wrong could be disputes, sanctions and a loss of trust from users. The act adds another layer to an already complex EU digital regulatory landscape, overlapping with the GDPR, the NIS2 Directive and the Digital Operational Resilience Act. Even the largest providers will need to coordinate compliance strategies across these interconnected rules.

Conclusion

The EU Data Act reshapes the balance of data rights and responsibilities. It empowers users, challenges providers and redefines how competition plays out in Europe's digital economy. The goals of the act are ambitious, but putting them into practice will not be easy. Switching cloud providers, for instance, is simple on paper but rarely simple in practice, and never simple in large enterprise environments. Strict deadlines for portability and interoperability will be a challenge to manage for those with complex IT architectures, creating the potential for disruption or even legal challenges and enforcement.

While the act introduces risks, from trade secret exposure to technical complexity and compliance overhead, it also opens doors to new business models, research and development, and cross-sector collaboration. The organizations that move swiftly to strengthen governance, embrace and demonstrate transparency responsibly, and turn compliance into a catalyst for innovation and data-driven growth will be the ones that benefit most from the opportunities under the act.

Helen Graham is a director at The Art of Privacy.