The Data Act Approved by the European Parliament

D&I Alert

Today, the European Parliament voted yes to formally approve the new Data Act. Following today’s vote, the Data Act is expected to apply in the EU as of autumn 2025 except for Article 3(1), the transition period of which is one year longer. The exact date of application will be confirmed once the Data Act is published in the Official Journal of the European Union.

A political agreement of the Data Act was reached already in June 2023 and a provisional text of the Data Act published in July 2023. The Council has stated that if the Parliament adopts the Data Act in the agreed provisional text form, the Council will approve the Parliament’s position and the Data Act will be adopted as a result. Thus, the Data Act now only needs the formal approval by the Council to become law.

Gradual and retrospective application

The Data Act will be directly applicable as such throughout the EU, although the Member States need, e.g., to designate competent authorities and lay down rules on penalties applicable to infringements of the Data Act.

The Data Act will apply twenty (20) months after its entry into force. However, the obligation under Article 3(1) to design and manufacture connected products in such manner that the data is accessible to the user directly from the product or related service will only apply to products placed on the market after an additional twelve (12) months from the date of application.

Please note that the data holders are still required to make data available to the user under Article 4(1) and to third parties on behalf of the user under Article 5(1) as of the initial date of application. Therefore, it is recommended for data holders to now begin preparing for the Data Act from the technical and commercial as well as from the contractual perspective.

After two (2) years from the date of application, the rules prohibiting unilaterally imposed unfair contractual clauses in business-to-business relations (Chapter IV) will apply also retrospectively to contracts that are of indefinite duration or due to expire at least ten (10) years after the Data Act entered into force.

The review of existing business-to-business contracts for unilaterally imposed unfair clauses is recommended within the coming years.

Data Act in a nutshell

The Data Act is one of the cornerstones of the EU Data Strategy which aims to create a single market for data within the EU and to boost the European data economy by facilitating innovation and new data-driven business models.

The Data Act sets forth rules, inter alia, regarding

  • the access to and use of data generated by connected products (such as IoT devices) and related services, including the design, manufacturing and provision of such products and related services;
  • the contents of data sharing agreements, including protection from unfair contractual terms that are unilaterally imposed;
  • mechanisms for public sector bodies to access private sector data in certain limited cases;
  • switching between cloud data processing service providers; and
  • unlawful international governmental access and transfer of non-personal data.

The Data Act obliges manufacturers and other data holders of connected products to open user data for free to users and under FRAND terms to third parties in the EU as well as other third parties outside the EU, however, not subject to the FRAND terms. One of the key issues of the Data Act has been the protection of trade secrets and intellectual property rights included within such user data.

More by the same author

AI, Free and Open Source Software and IPRs in the Context of Software Development

Artificial intelligence is speeding up software development Artificial intelligence (AI) has taken the world by storm and is becoming a common accelerator also in software development. Although AI in general is not something entirely new, with its roots reaching to the 1950s, generative AI has been soaring since the first commonly known large language models (LLMs) were launched a few years back. Generative AI tools are trained with content often referred to as training data (input) and they generate new content (output), such as software code, based on the user’s command, a prompt. The output may resemble human-generated text, pictures, sounds, videos – or software, for that matter.

Implementing the Data Act without Clashing with the GDPR?

The Data Act will largely apply as of 12 September 2025, imposing new obligations and rights in relation to personal and non-personal data in the context of, e.g., connected products and related services. As rules governing data expand, it is increasingly important to map what data sets are processed by an organisation and how they are managed in the upcoming regulatory framework. For data sets including personal data (which is often the case!), it is vital to align the implementation of the Data Act with existing GDPR compliance.

The Big 5 – Status of National Preparation in Finland

The so-called Big 5 acts – the Data Governance Act, Digital Markets Act, Digital Services Act, Data Act, and Artificial Intelligence Act – have been a key part of the European Data Strategy in recent years. Once approved, the Big 5 acts are directly applicable throughout the EU, but many of them require Member States to enact legislation to support their enforcement and supervision, e.g., to designate nationally competent authorities and assign them new powers.

Latest insights

Fostering Continuous Development

Article / 1 Jul 2024

Advocate for Change: Good Governance and Sustainability

Article / 1 Jul 2024