Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains. 

This is the third article in a five-part series on the EU Data Act. The first article, "EU Data Act operational impacts: Introducing the Data Act," explores the creation of the Data Act, its objectives, the negotiation backdrop, and how it fits within the EU's digital rulebook. The second article, "EU Data Act operational impacts: The Data Act's interplay within the EU digital rulebook," dives into the roles and requirements under the Act.

As of 12 Sept. 2025, the majority of the provisions of the EU Data Act are applicable. With this new piece of legislation, the EU aims to open up the "treasure troves" of manufacturers and make data available for new business models and use cases. This is also part of the paradigm shift in EU data policy towards data use.

The Data Act is bound to create conflict with the EU's existing strict data protection regime.

Relationship between the Data Act and the EU's data protection regime

While many recent pieces of EU legislation are rightfully criticized for their vague wording of "leaving data protection laws unaffected" — Article 2(7) of the AI Act for example — Article 1(5) of the Data Act states that data protection law prevails over the rights and obligations of the Data Act. This establishes a clear hierarchy of the EU General Data Protection Regulation and other data protection-related legislation, such as the ePrivacy Directive and its national implementations, over the Data Act.

Recital 7 further states that the Data Act does not constitute a legal basis for the collection or generation of personal data by the data holder, for access or use by a user who is not the data subject, or for the making available of data to third parties. Instead, this recital refers to the necessity of legal bases under Article 6 of the GDPR.

The Data Act covers a plethora of subjects ranging from unfair terms in business-to-business relationships (Chapter IV), switching of data processing services (Chapter VI), international data transfers for non-personal data (Chapter VII), to interoperability (Chapter VIII). However, its main touchpoints with data protection law lie in Chapter II and, to a lesser extent, government access to data in Chapter V.

Chapter II obligations and their relationship to the GDPR

In Chapter II, the Data Act establishes a new regime for data generated by connected products and their related services, such as apps controlling such connected devices. The main principle of Chapter II is to put the user — i.e., the owner, renter or lessee of such a product — in the central position to decide if and to what extent such data is used by the data holder, typically the manufacturer of a product.

Data access by design

Following Article 3(1), all product data the manufacturer designed to be retrievable must be made available directly through the product or, alternatively, indirectly via an infrastructure operated by or on behalf of the manufacturer.

Where product data is available directly through the product, it is subject to factual control. For example, a heating system may generate data about its interaction with the inhabitants of a house. This data is accessible locally via a USB interface within the heating system.

Whoever factually controls access to the device that is processing this personal data, such as the application of settings to control room temperature, is the controller with regard to such data under the GDPR.

Opening the treasure trove — Access to 'readily available data'

Where product data is transferred from the product to a data holder, typically the manufacturer, it becomes "readily available data" that is subject to the access rights of the user under Article 4, provided it is not already accessible directly at the product. Moreover, the user may require such readily available data to be made available to a third party, the data recipient, under Article 5. 

In cases where the user and data subject are identical, the new rights under the Data Act complement both the access right under Article 15 GDPR and the right to data portability under Article 20 GDPR, as Article 1(5) Data Act points out. 

However, things may get complicated where the user is not identical to the data subject whose data is processed by the product and thus the data holder. For example, assume the heating system does not allow for local access. Instead, the data is sent to the manufacturer's cloud. Such data may be personal data as it contains the heating preferences of individuals living in the house. While the user — a housing company — can identify individuals, can the manufacturer as the data holder do so as well?

This is a key question for the Data Act, as under Article 4(12), a data holder can give access to personal data of data subjects other than the user solely where there is a valid legal basis under Article 6 GDPR. The extent of this provision is not fully clear. Does this mean that the data holder has a right or obligation to actively check if the readily available data could potentially contain personal data of other data subjects? To what level does the user need to demonstrate or even prove the legal basis? 

For example, the data holder, the manufacturer of the heating system in this case, refuses to provide the user access to the readily available data, claiming it constitutes the personal data of other individuals such as family members and the user has failed to produce evidence of a valid legal basis.

Following the criteria of the Court of Justice of the European Union's Single Resolution Board judgment of 4 Sept. 2025, Article 4(12) may, in many instances, not be applicable. Readily available data of the heating system does not necessarily constitute personal data for the data holder — the manufacturer of the heating system. In the above example, the data subjects can only be identified with the information held by the user — the owner of the heating system. This also applies to the right to share data with third parties under Article 5(7) Data Act. 

Before claiming that the information in the heating system is personal data, the manufacturer should consider that it is also in its own interest that the data generated by the product does not constitute personal data, as its own use of data — namely following Article 4(13) and (14) — would otherwise require a legal basis and result in information obligations to data subjects.

The legislators did see the conflict between access rights and the rights of data subjects. In Recital 7, they advise anonymization of personal data or, where readily available data contains personal data of several data subjects, to provide only personal data relating to the user. In Recital 21, for scenarios involving multiple users, separate user accounts are recommended to be able to separate the provision of data to individual users.

To tackle the challenges, manufacturers should conduct a thorough analysis of the data collected by their products which needs to be made available under the Data Act, assess its nature under the GDPR, and identify the proper mechanisms to provide the data in a compliant manner. It may not be an easy task depending on the nature of the product/connected service.

Chapter V and public sector access to data in cases of exceptional need

With Chapter V, the Data Act establishes a right for government entities and EU institutions to compel data holders to provide data in cases of exceptional need further detailed in Article 15. While Chapter II applies to data originating from products, this chapter is agnostic to the source of data, thus going beyond products.

Data, including personal data, can be requested by the authorities in a case of emergency as defined in Article 2(29), meaning public health emergencies, natural or human-made disasters, or cyber incidents of a serious nature. The right to claim such data is excluded where such data could be obtained from other sources in a timely, effective, and equivalent manner. 

A second case for public sector access strictly relates to non-personal data for the fulfilment of a specific task in the public interest, such as the production of statistics. In this case, the rights of the public sector players are subject to more restrictions, such as the requirement to first purchase the data on the market. 

The scope of application for public sector access is limited to very exceptional circumstances and may stay irrelevant.

Enforcement

The Data Act follows the example of the GDPR, requiring member states to establish one or more competent authorities for its enforcement. Their competences are similar to those of data protection authorities. To date, no member state has designated its authority.

Following Article 37(3), the data protection authorities under the GDPR retain their role "monitoring the application of [the Data Act] insofar as the protection of personal data is concerned." Thus, the Data Act appears to take a different approach than the AI Act, which does not explicitly contain such a statement.

The extent to which the data protection authorities will exercise their authority under the Data Act remains to be seen. Interestingly, the State of Hamburg Data Protection Authority in a paper dated 29 April 2025 (page 11) interprets this as establishing their jurisdiction over all provisions insofar as they relate to personal data. They announced that, as of 12 Sept. 2025, they will handle cases of individuals, including those involving data access rights under the Data Act.

Model contract terms, data protection and the EDPB

Article 41 requires the European Commission to provide non-binding model contract terms on data access and use, including terms on reasonable compensation and the protection of trade secrets, by 12 Sept. 2025. To prepare such terms, the Commission tasked an expert group with drafting MCTs for B2B data sharing agreements. The expert group presented its final report to the public in April.

The Commission sought the European Data Protection Board's input on the MCTs. In its July statement, the EDPB issued some criticism about the drafts, stating they missed provisions and clarifications on the relationship between the Data Act and data protection law. 

Assessing this statement, two aspects must be kept in mind. First, the Commission involved the EDPB on very short notice, and second, the MCTs drafted by the expert group were aimed at B2B data sharing scenarios, explicitly not covering business-to-consumer scenarios with their greater impact on data subjects. Still, they contain references to the GDPR and the processing of personal data. 

Ideally, in a next step, the EDPB complements the proposed MCTs with terms for B2C data access and sharing scenarios.

Conclusion

Returning to the initial question posed in the title, it may be data protection law, rather than other factors, posing a challenge to the success of the Data Act.  

While the Data Act may have its flaws and ambiguities, it highlights some of the unresolved questions under the GDPR — like the very concept of what constitutes personal data. It also puts longstanding practices of data use in the spotlight, for instance the use of personal data by manufacturers such as those in the automotive industry.

Still, while the Data Act may have added a new layer of regulatory complexity, its opportunities have not yet gained the attention they deserve.

Matthias Niebuhr is a lawyer and certified IT law specialist, and a member of the Technology, Data and Media practice group at BDO as well as the EU Commission’s Expert Group on B2B Data Sharing and Cloud Computing Contracts.