EU Data Act operational impacts: The Data Act as a challenge to data protection or other way around?

Contributors:

Matthias Niebuhr

Rechtsanwalt, Fachanwalt für IT-Recht

BDO Legal Rechtsanwaltsgesellschaft gmbH

Editor's note

This article is part of a series on the operational impacts of the EU Data Act.

As of 12 Sept. 2025, the majority of the provisions of the EU Data Act are applicable. With this new piece of legislation, the EU aims to open up the "treasure troves" of manufacturers and make data available for new business models and use cases. This is also part of the paradigm shift in EU data policy towards data use.

The Data Act is bound to create conflict with the EU's existing strict data protection regime.

Relationship between the Data Act and the EU's data protection regime

While many recent pieces of EU legislation are rightfully criticized for their vague wording of "leaving data protection laws unaffected" — Article 2(7) of the AI Act for example — Article 1(5) of the Data Act states that data protection law prevails over the rights and obligations of the Data Act. This establishes a clear hierarchy of the EU General Data Protection Regulation and other data protection-related legislation, such as the ePrivacy Directive and its national implementations, over the Data Act.

Recital 7 further states that the Data Act does not constitute a legal basis for the collection or generation of personal data by the data holder, for access or use by a user who is not the data subject, or for the making available of data to third parties. Instead, this recital refers to the necessity of legal bases under Article 6 of the GDPR.

The Data Act covers a plethora of subjects ranging from unfair terms in business-to-business relationships (Chapter IV), switching of data processing services (Chapter VI), international data transfers for non-personal data (Chapter VII), to interoperability (Chapter VIII). However, its main touchpoints with data protection law lie in Chapter II and, to a lesser extent, government access to data in Chapter V.
