What is EU Data Act?

The EU Data Act complements the GDPR by addressing data that falls outside traditional "personal data" — machine-generated data, IoT sensor data, and business-to-business data flows. It is one of the most significant data governance laws to take effect in 2025–2026.

Key Provisions

• Access to product data — Users of connected devices (cars, appliances, industrial equipment) have the right to access data generated by those products. Manufacturers cannot lock users out of their own data.
• Data sharing with third parties — Under conditions, users can request that their data be shared with other service providers, enabling competition and avoiding vendor lock-in.
• Switching cloud providers — Businesses can move data between cloud providers without excessive fees or technical barriers. Interoperability requirements apply.
• Smart contract requirements — For data shared via smart contracts, the Act sets rules for termination and data retrieval.
• Unfair contract terms — B2B data sharing contracts cannot contain terms that grossly disadvantage one party. The Commission can blacklist certain clauses.

Scope

• Applies to data generated by connected products (IoT) and related services
• Covers both personal and non-personal data
• Affects manufacturers, service providers, cloud providers, and data holders in the EU
• Extra-territorial effect: non-EU entities offering services in the EU must comply

Why It Matters for Privacy

The Data Act is not primarily a privacy law — it is about data access, portability, and market fairness. But it reinforces a broader trend: the EU is defining who controls data, who can access it, and under what terms. For privacy-conscious businesses, it means more leverage to demand data from vendors and to move to privacy-respecting alternatives without losing access to your own information.