The Data Act Approved by the European Parliament

D&I Alert

Today, the European Parliament voted yes to formally approve the new Data Act. Following today’s vote, the Data Act is expected to apply in the EU as of autumn 2025 except for Article 3(1), the transition period of which is one year longer. The exact date of application will be confirmed once the Data Act is published in the Official Journal of the European Union.

A political agreement of the Data Act was reached already in June 2023 and a provisional text of the Data Act published in July 2023. The Council has stated that if the Parliament adopts the Data Act in the agreed provisional text form, the Council will approve the Parliament’s position and the Data Act will be adopted as a result. Thus, the Data Act now only needs the formal approval by the Council to become law.

Gradual and retrospective application

The Data Act will be directly applicable as such throughout the EU, although the Member States need, e.g., to designate competent authorities and lay down rules on penalties applicable to infringements of the Data Act.

The Data Act will apply twenty (20) months after its entry into force. However, the obligation under Article 3(1) to design and manufacture connected products in such manner that the data is accessible to the user directly from the product or related service will only apply to products placed on the market after an additional twelve (12) months from the date of application.

Please note that the data holders are still required to make data available to the user under Article 4(1) and to third parties on behalf of the user under Article 5(1) as of the initial date of application. Therefore, it is recommended for data holders to now begin preparing for the Data Act from the technical and commercial as well as from the contractual perspective.

After two (2) years from the date of application, the rules prohibiting unilaterally imposed unfair contractual clauses in business-to-business relations (Chapter IV) will apply also retrospectively to contracts that are of indefinite duration or due to expire at least ten (10) years after the Data Act entered into force.

The review of existing business-to-business contracts for unilaterally imposed unfair clauses is recommended within the coming years.

Data Act in a nutshell

The Data Act is one of the cornerstones of the EU Data Strategy which aims to create a single market for data within the EU and to boost the European data economy by facilitating innovation and new data-driven business models.

The Data Act sets forth rules, inter alia, regarding

  • the access to and use of data generated by connected products (such as IoT devices) and related services, including the design, manufacturing and provision of such products and related services;
  • the contents of data sharing agreements, including protection from unfair contractual terms that are unilaterally imposed;
  • mechanisms for public sector bodies to access private sector data in certain limited cases;
  • switching between cloud data processing service providers; and
  • unlawful international governmental access and transfer of non-personal data.

The Data Act obliges manufacturers and other data holders of connected products to open user data for free to users and under FRAND terms to third parties in the EU as well as other third parties outside the EU, however, not subject to the FRAND terms. One of the key issues of the Data Act has been the protection of trade secrets and intellectual property rights included within such user data.

More by the same author

Implementing the Data Act without Clashing with the GDPR?

The Data Act will largely apply as of 12 September 2025, imposing new obligations and rights in relation to personal and non-personal data in the context of, e.g., connected products and related services. As rules governing data expand, it is increasingly important to map what data sets are processed by an organisation and how they are managed in the upcoming regulatory framework. For data sets including personal data (which is often the case!), it is vital to align the implementation of the Data Act with existing GDPR compliance.

The Big 5 – Status of National Preparation in Finland

The so-called Big 5 acts – the Data Governance Act, Digital Markets Act, Digital Services Act, Data Act, and Artificial Intelligence Act – have been a key part of the European Data Strategy in recent years. Once approved, the Big 5 acts are directly applicable throughout the EU, but many of them require Member States to enact legislation to support their enforcement and supervision, e.g., to designate nationally competent authorities and assign them new powers.

EU’s New Financial Data Space Proposal and DORA

On 28 June 2023, the European Commission published a proposal for a regulation on a framework for Financial Data Access (“FIDA”) for the access and use of customer data. As part of the EU Digital Finance Strategy,  FIDA is expected to lead to better-quality, user-centric financial services and new data-driven business models in the financial sector. As the financial data space evolves, the emergence of novel interfaces, data sharing methods, and other innovative technologies may also bring forth new risks, particularly in the realm of cybersecurity. We recommend stakeholders in the financial sector to consider their role and potential responsibilities and opportunities in light of the upcoming regulations.

Latest insights

Are Finnish Lawyers the Happiest in the World?

Article / 4 Apr 2024
Reading time 2 minutes

Implementing the Data Act without Clashing with the GDPR?

Article / 4 Apr 2024