The Data Act Approved by the European Parliament

D&I Alert

Today, the European Parliament voted yes to formally approve the new Data Act. Following today’s vote, the Data Act is expected to apply in the EU as of autumn 2025 except for Article 3(1), the transition period of which is one year longer. The exact date of application will be confirmed once the Data Act is published in the Official Journal of the European Union.

A political agreement on the Data Act was already reached in June 2023, and a provisional text of the Data Act was published in July 2023. The Council has stated that if the Parliament adopts the Data Act in the form of the agreed provisional text, the Council will approve the Parliament’s position and the Data Act will be adopted as a result. Thus, the Data Act now only needs the formal approval of the Council to become law.

Gradual and retrospective application

The Data Act will be directly applicable as such throughout the EU, although the Member States need, e.g., to designate competent authorities and lay down rules on penalties applicable to infringements of the Data Act.

The Data Act will apply twenty (20) months after its entry into force. However, the obligation under Article 3(1) to design and manufacture connected products in such a manner that the data is accessible to the user directly from the product or related service will only apply to products placed on the market after an additional twelve (12) months from the date of application.

Please note that the data holders are still required to make data available to the user under Article 4(1) and to third parties on behalf of the user under Article 5(1) as of the initial date of application. Therefore, it is recommended for data holders to now begin preparing for the Data Act from the technical and commercial as well as from the contractual perspective.

After two (2) years from the date of application, the rules prohibiting unilaterally imposed unfair contractual clauses in business-to-business relations (Chapter IV) will also apply retrospectively to contracts that are of indefinite duration or due to expire at least ten (10) years after the Data Act entered into force.

The review of existing business-to-business contracts for unilaterally imposed unfair clauses is recommended within the coming years.

Data Act in a nutshell

The Data Act is one of the cornerstones of the EU Data Strategy which aims to create a single market for data within the EU and to boost the European data economy by facilitating innovation and new data-driven business models.

The Data Act sets forth rules, inter alia, regarding

  • the access to and use of data generated by connected products (such as IoT devices) and related services, including the design, manufacturing and provision of such products and related services;
  • the contents of data sharing agreements, including protection from unfair contractual terms that are unilaterally imposed;
  • mechanisms for public sector bodies to access private sector data in certain limited cases;
  • switching between cloud data processing service providers; and
  • unlawful international governmental access and transfer of non-personal data.

The Data Act obliges manufacturers and other data holders of connected products to open user data to users for free and to third parties in the EU under FRAND terms, as well as to third parties outside the EU, although in that case not subject to the FRAND terms. One of the key issues of the Data Act has been the protection of trade secrets and intellectual property rights included within such user data.
