The EU Data Act: How New Rules Could Reshape Access, Control and Competition in the Data Economy

Episode Summary

The EU Data Act represents a fundamental change in how data will be shared, controlled and accessed across industries. Yet “you might not have heard much about this Act in the headlines,” says host Deborah Kirk. To help listeners understand this impactful law, she invites Skadden colleagues Alistair Ho (Cybersecurity and Data Privacy) and Emily Griffin (Intellectual Property and Technology) to share their insights. The team explores why response to the act has been muted, how it differs from precious data-focused legislation and what businesses need to do to comply with its provisions.”

Voiceover (00:00):
Welcome to “SkadBytes,” a podcast from Skadden, exploring the latest developments shaping today’s rapidly evolving tech landscape. Join host Deborah Kirk and colleagues as they deliver concise insights on the pressing regulatory issues that matter to tech businesses, investors and industry leaders worldwide.

Deborah Kirk (00:22):
Hello, and welcome back to “SkadBytes,” the podcast from Skadden’s IP and technology team here in London. I’m Deborah Kirk and I’m joined today by associates Alistair Ho and Emily Griffin. And in this episode, we’re diving into the EU Data Act.

(00:38):
Now, you might not have heard much about this act in the headlines, but we believe that on its face, at least, it’s one of the most impactful data-related laws to come out of the EU in recent years. And today, we’ll break down what the act is, how it differs from previous data-focused legislation, what waves it’s already making in the data economy and where the legislation goes from here.

Alistair Ho (01:04):
And I think it’s safe to say that there’s been little noise about the Data Act compared to regulations like the AI Act or DORA. But as currently drafted, I’m going to get on to how it might change later. Its long-term implications are potentially massive. It aims to make fundamental changes to how data will be shared, controlled and accessed across industries. So while we haven’t seen the kind of global media storm that those other regulations created, perhaps ripples rather than waves at the moment, I think the Data Act’s quiet influence could potentially reshape the data landscape.

Emily Griffin (01:30):
Yeah, and I think the reasons for this muted response are still a little unclear. It could be because the scope is complex and widely misunderstood, or it could also be the lack of detailed guidance, and at the moment, the relatively low enforcement pressure that businesses are facing today. What we’re seeing in practice is that businesses are still trying to understand how it’s actually going to impact them.

Deborah Kirk (01:49):
Right, and what we’re already noticing is that it’s not the smart device manufacturers who are the most surprised by the act, it’s the related services providers, the SaaS providers, the data processors, the analytics platforms. So I guess these are the companies that don’t see themselves as IoT businesses, but the Data Act treats them as data holders or recipients with very real obligations. And I think that’s where I guess the scope creep, if you like, is happening, or certainly maybe the blind spots in terms of businesses understanding that they might fall within its scope.

Emily Griffin (02:20):
Yeah, exactly, Debs. So we’re going to cover the steps that in-scope businesses should be taking to prepare for these upcoming changes.

Deborah Kirk (02:25):
Yeah, and importantly to note as businesses do prepare, is that there are already hints coming from Brussels that parts of the act may be revisited. So to an extent, I guess it’s understandable that businesses that are aware of the Data Act don’t quite know how far to go in terms of investment into exploring its potential impact, whether they’re in scope and taking those big steps towards compliance.

(02:49):
So getting into what is the Data Act. So this is part of a broader collection of EU legislation that all stems from the 2020 Data Strategy, the EU’s vision for a single, open, competitive data economy. But it also fits into the wider regulatory picture in Europe where there is a strong push for, I guess, simplified digital rules. The European Commission recently wrapped up its call for evidence on the so-called Digital Omnibus, which in essence is a proposed package of simplified regulations set for adoption in Q4 of this year.

(03:25):
And that, we hope, will give us a better picture of the true impact of the Data Act in the light of the simplification measures adopted. So while there’s still uncertainty, if it is enforced in its current form, the Data Act certainly has the potential of shaping the future of the digital economy, so let’s get into it.

(03:42):
What is the Data Act? And how does it differ from what we see currently in terms of data legislation? So a high-level overview of what makes it stand out from past regulations in this space, Emily, give it to us in simple terms.

Emily Griffin (03:55):
Yeah, so just to take a step back in thinking about what the Data Act really is, it’s the EU’s framework for how data should be accessed, shared and used. So it particularly relates to data generated by connected devices. So what we’re thinking about here is internet-of-things devices such as wearables, smart cars, and even industrial equipment is caught too. The act aims to make it easier for businesses and consumers to access their data and use it in ways that’ll drive innovation and also competition at the same time.

Deborah Kirk (04:22):
Right, and I guess the big shift here is that it goes beyond just personal data, which I think is sort of where everyone’s minds have been in terms of data-related legislation in the past year. So the Data Act extends to nonpersonal data too, and actually is probably its primary focus. So for example, user settings, usage data, such as period of usage are all within scope, whereas other elements of data that might cause cyber vulnerability or inferred data are not within scope. So I guess that’s a way of saying there are some limits, but the pool of the data that the Data Act looks at is much wider than the GDPR and really focuses on more commercial data. While the GDPR did focus on ring-fencing personal data, the Data Act is about opening this up to industrial and usage data.

Alistair Ho (05:08):
Exactly. And it talks about connected devices, but it goes beyond just internet-of-things products too. So the act covers everything from platforms to analytics tools, service providers, and even data intermediaries.

Deborah Kirk (05:18):
Yeah. And I guess just to think of a helpful example to demonstrate the act’s scope, we think of a fleet management SaaS platform that integrates with smart vehicles. Under the old rules, they may have assumed the vehicle maker controlled the data. Under the Data Act, they may be the data holder and obliged to make that data portable. So that’s a really significant difference in approach.

Alistair Ho (05:40):
It is. What the act’s essentially doing then is creating a whole data infrastructure. It’s not industry-specific, cuts across industries. Is really just aimed at giving users, whether businesses or consumers, the ability to unlock the full value of this data, so unlocking that data, as you say. And it’s a place where we’ve often seen silos forming with data in businesses and keeping that data behind proprietary walls, concerned about sharing it to lose a competitive edge. But the Data Act’s really trying to get away from that into a more sort of sharing data approach.

Deborah Kirk (06:06):
Okay, so now that we’ve covered the basics, let’s dive deeper into a couple of main areas of the Data Act that we think could be real game changers. So these are the elements that we think will have the biggest impact on businesses and consumers alike if the Data Act is enforced in the way that it’s currently drafted. So we see these as number one, data access and sharing, number two, B2B and B2G data sharing, and thirdly, cloud switching and interoperability. But we’re going to focus on the data-sharing aspects of these, so numbers one and two.

(06:34):
So first up, data access and sharing. The Data Act mandates that both businesses and consumers can access the data generated by connected products and services. So that means if you’re using an IoT device like a smartwatch or a connected car, you now have the right to access the data that that IoT device generates. But here’s the big kicker, you can also ask that your data be shared with third parties, even if they happen to be competitors of that device’s manufacturer. So Emily, do you want to give us something to bring this to life? Give us an example.

Emily Griffin (07:05):
Yeah, exactly. So if we take a real life example and we look at somebody wearing a wearable device to track their health data under the act, the device manufacturer can be required to share the user’s real time health data with an alternative health tech company, enabling the user to leverage the analytics of the data without being restricted by the device manufacturer, which is quite a change.

Alistair Ho (07:25):
Exactly. And another change is conceptually, it’s not just about manufacturers providing access to data that they have, that they already capture. From September 2026, they actually must design their products in a way that allows users, whether businesses or individuals, again, to easily access and leverage that data. So it’s a shift from just a legal compliance obligation to actually a product design requirement.

Deborah Kirk (07:44):
I think that’s why we think it’s so massive, right? Although it’s important to caveat that SMEs with under 10 million euros in annual turnover and fewer than 50 employees are exempt from the data-sharing rules for connected products. And I guess that’s not surprising, as the EU seems increasingly keen to avoid overburdening startups and smaller businesses, to try and find that sweet spot between consumer protection and giving innovators the space to grow.

Emily Griffin (08:11):
Yeah, and also, importantly, while the Data Act gives more access to user data, it also empowers users in terms of how their data can be used. Product users, whether businesses or consumers, must have access to the data they create through their use of these connected products free of charge. And users can also dictate how this data is shared with third parties of their choice.

Alistair Ho (08:31):
Which, of course, sounds like a win for product users, but we shouldn’t lose sight of a key concern when making data more easily shared. So the potential for users to lose control of the data when the data holders are required to share it, it’s suddenly a positive. A user can request their data to be shared with selected third parties. But this doesn’t address a potentially bigger issue. User data might still be shared outside of these preferences in pursuit of this open data shared economy, but also potentially without user awareness. So that’s quite a big deal, especially when you consider that we’re talking about the scope of data involved. It’s everything from health data to manufacturing data and more. So there’s a real risk if people lose control of their data here.

Deborah Kirk (09:05):
100%. So let’s move on to our second major area, B2B and B2G data sharing. So the Data Act changes the game, or at least purports to or threatens to when it comes to how businesses share data with each other and with governments. So in the past, businesses could tightly control their data-sharing agreements. But now there are rules that ensure fairness, so businesses can no longer impose unilateral terms that favor one party over another. And these provisions are about really leveling the playing field here, right, Ali?

Alistair Ho (09:35):
Yeah, that’s right. For example, businesses that share data with other companies each ensure the terms are fair. So if you’re a service provider and you have all the leverage in a contract, you can’t just dictate the terms you want to see anymore. The Data Act actually introduces a list of contract terms that are automatically deemed unfair if they’re imposed unilaterally. So this, as you can imagine, shifts the balance of power and ensures that more equitable access to data is achieved by all businesses, not just the largest.

(09:58):
So in terms of when this applies, they currently apply to contracts now, which are new. But if you already have existing contracts in place, you don’t get away scot-free. From the 12th of September 2027, those actually have to be amended.

Emily Griffin (10:10):
Yes. And then there’s the second limb of this area, the B2G side of things, business-to-government data sharing. The Data Act makes it easier for governments to access private sector data, but only under certain exceptional circumstances. So governments can actually access data from businesses without going through the usual hoops. But there are still some protections in place to ensure that this is obviously done responsibly. The key thing here is that businesses have very limited ways to refuse government requests for data. So this is something that businesses really need to plan for going forward.

Deborah Kirk (10:39):
Right, exactly. And it’s a delicate balance. Businesses want to protect their data and their competitive edge, but governments may need access to private sector data for public interest purposes, so healthcare, public safety. So it’s important for businesses to understand how these new rules will affect their data-sharing policies with governments.

(10:58):
So now that we’ve looked at how the Data Act impacts data access and sharing, let’s sort of go on to an inevitable question that will arise for many businesses. How does this all work with proprietary data? How does the Data Act sit comfortably alongside concepts of intellectual property? So the good news is that the Data Act is designed to protect your core IP and know-how, but there are still some nuances to understand.

Alistair Ho (11:21):
Exactly. I think one of the biggest concerns we hear from clients or people we talk to about data sharing regulations is that fear of losing control over proprietary information. So I think it’s just worth reiterating that the Data Act doesn’t force companies to give away their proprietary data. Things like IP, algorithms, trade secrets, those remain untouched by the act itself.

Emily Griffin (11:39):
Yeah, absolutely, Ali. So putting this together, it means that the big concern for businesses isn’t about losing control over their core technology, but more about the data generated by the use of the product or service. So if we take an example, again, if we look at the data from internet-of-things devices or smart devices, which might end up in a shared pool for public interest or even with competitors. So in essence, it’s really about how this mandatory sharing of usage data could affect business models going forward.

Deborah Kirk (12:04):
Yeah, and I guess that’s the nuance we were touching on. So we shouldn’t underestimate that there is competitive value in that non-proprietary, non-IP protected data. So the act as it won’t touch your trade secrets, but in reality, usage data is often the foundation of your competitive advantage, even though it might not be IP protected. So while the IP stays protected, it stays with you, it’s not necessarily the case that the commercial-edge data does too. And what’s more in B2B contracts, this is the one area where the Data Act could cause issues. So the act might invalidate clauses in existing contracts that restrict data sharing, a particular concern for those with revenue models that are based on exclusive access to data.

(12:46):
Great, so before we move on, I’d like to touch on something that’s critical for companies that are operating either globally or at least both in the EU and the UK, and that’s jurisdictional divergence. So while the EU is rolling out the Data Act, the UK this year introduced the Data (Use and Access) Act or the DUAA, and it’s important to flag that the DUAA is not and does not purport to be the UK version of the EU Data Act, but what it does try and do is modernize and streamline the law around data use and access in the UK. It is an interesting comparison in the data space that sort of demonstrates the difference in approach between the UK and the EU in this area. Ali, why don’t you tell us a bit more about it?

Alistair Ho (13:24):
Yeah, so the divergence is interesting. I think it’s something that was much talked about in Brexit and has taken a little bit of time to get going, but those divergences are becoming increasingly significant. So while the EU Data Act here, for example, is about increasing data accessibility, enabling data flow across borders, UK’s DUAA is focused more on just harnessing growth, harnessing data for economic growth even, particularly in sectors like AI, healthcare and digital services.

Emily Griffin (13:48):
Yeah, and thinking about the UK-specific approach in a slightly different way here, if we look at the economic picture, the UK government has said that they see data as a key driver of economic growth. And the target here is to generate about £10 billion for the British economy by 2035 through the use of data.

Deborah Kirk (14:03):
Right, so here we’re seeing the UK trying to position itself as a more data-friendly market, so more encouraging innovation while also looking to use data to support a modern digital government and improve people’s lives. So unlike the EU’s approach, one might say, which is I guess more arguably focused on regulation and shared data spaces, we see the UK trying to position itself as enabling businesses to maximise the economic value of their data.

Emily Griffin (14:30):
Yeah, so taking this into a practical perspective, it becomes very relevant for companies with operations in the UK and the EU. The difference in approach makes a subtle but important difference in goals. So what does this really mean for companies looking to plan products or services in both the UK and the EU?

(14:46):
So companies will need to account for two very different regulatory landscapes. For instance, a tech company that’s planning to launch a new internet-of-thing product might face different compliance requirements in the EU where they have to design for data sharing and interoperability. But then on the other hand, in the UK, the focus might be moreso on data portability and AI usage for economic growth.

Alistair Ho (15:06):
And that divergence then also impacts the market strategy rates, market entry strategy. For example, if you’re a company in the data space, you may decide how you’re going to develop products that can cater to both regions without running into compliance issues. So various knock-on impacts that might have. One, for example, data architecture, how data’s collected, how’s it processed, how’s it stored, that impacts your market entry strategy.

Deborah Kirk (15:25):
Yeah, that’s right. And the divergence is not just between the EU and the UK. Even amongst EU digital legislation, there are differing rules with overlapping reach. So for example, the GDPR and the EU Data Act sits alongside one another, with the Data Act stating that the GDPR will prevail over it in the event of conflict. But in a situation where an IoT product user requests its personal data, both acts could apply. And balancing the data protection focus of the GDPR with the data portability and access focus of the EU Data Act means businesses really need to understand exactly how each piece of legislation applies and what is required of that business under each of them respectively.

(16:06):
Okay, so we’ve honed in on the act itself and then looked at divergence between legislation within the data space. But now let’s zoom out and look at the bigger picture. So the Data Act, as we mentioned, is part of a broader EU data strategy, which was announced in 2020 and aims to promote an open and competitive data economy. But there is also a growing push for simplifying these regulations. So I guess rowing back a bit, which is something we’re seeing with the Digital Omnibus initiative. So let’s look at how this might influence the future of the Data Act, the regulatory landscape in general, and what impact that might have on businesses. Ali, talk us through it.

Alistair Ho (16:41):
Yes, exactly. So while the Data Act is, of course, a key piece of the EU’s data strategy, it’s definitely not immune to this Digital Omnibus you mentioned. So what’s Digital Omnibus? Set of rules being developed to essentially simplify the entire regulatory landscape for businesses. Data Governance Act, the ePrivacy Directive, AI Act, or potential targets, to name a few. It’s an attempt to remove some of the complexity that comes with dealing with different regulations in the EU, something that many companies have struggled with.

Emily Griffin (17:05):
Exactly. So we’re seeing the EU take quite a pragmatic approach to this type of regulation. And the push to simplify data rules across the EU is really clear. There’s a growing recognition that while regulations like the Data Act are crucial for building a more transparent and competitive data market, also needs to be balanced with simplicity. Businesses are looking for clear, predictable rules that won’t create unnecessary red tape or confusion amongst all of the compliance regimes we’re seeing at the moment. So we’re in the phase of waiting to see how the EU decides to approach the simplification process and how it might practically impact laws like the Data Act.

Alistair Ho (17:43):
That’s right. There’s a real tension between creating that strong, clear protection for data and ensuring that the rules don’t become so complex that businesses can’t comply or even innovate. So the Digital Omnibus is likely to have some impact on the Data Act itself, potentially streamlining some aspects, clarifying certain requirements. But until we see the details, it’s actually really hard to say exactly how the two will interact.

Deborah Kirk (17:58):
Absolutely. So I guess the big question now is how will the Digital Omnibus reshape the data regulatory environment? And will it bring additional clarity to the Data Act? So we’re expecting the EU’s digital simplification package or the Digital Omnibus to be presented on November the 19th of this year, and an announcement on the new European Data Union strategy on the 29th of October of this year. So it will be interesting to see the updates that come out of those events and we’ll, of course, keep you updated on those.

(18:27):
But remember, this isn’t the end of EU data regulation. We also have the Digital Fairness Act on the horizon. The regulatory landscape for connected services and data-driven businesses, we think is only going to get more complex.

(18:39):
So now that we’ve covered the Data Act’s key elements and how it fits into the larger regulatory landscape, let’s take a practical turn and think about what businesses should be doing now to prepare for the changes that are coming. And I think the first big step for all businesses is to figure out whether they fall within the scope of the act in the first place. And that’s obviously essential because if you’re not in the EU, if your business interacts with the EU market in any way, you may still need to comply with these rules.

Emily Griffin (19:06):
Yeah, exactly, Debs. So if you’re a business and you’re thinking that you might be in scope, you need to also consider scope aside from just the territorial definition of scope. And you really should be identifying whether you fall within the subject scope of the act. So the questions you need to be asking yourself are: Are you acting as a data holder or a data recipient? Are you a data processing services or a DPS provider? Do you manufacture connected products or provide related services? So these are all key questions that determine how the Data Act actually applies to you.

Alistair Ho (19:35):
And then once you’ve determined whether it applies to you, that, of course, is just the start of the journey. So should then be looking at carrying out a detailed compliance gap analysis and a risk assessment, together with a legal counsel, and thoroughly document all data flows and processes. So the fragmented scope of the Data Act means that some parts will be harder to navigate than others, we found. Getting legal experts involved to help scope and focus that gap analysis and that risk assessment early can save you from costly mistakes down the road and just increase the efficiency and productiveness in that process.

Emily Griffin (20:02):
Yeah, and just on this assessment point, it’s really important to not forget about your cloud services within these assessments and process maps. So the act introduces new rules about cloud switching, interoperability and vendor lock-ins. So importantly, the prohibition on cloud and data providers charging switching fees will be introduced on the 12th of January 2027. Businesses need to make sure their cloud providers are meeting these new standards, no exit charges, migration support and clear contracts. Cloud portability will be a big theme, so companies should start already considering their exit strategies now because that January 2027 date will creep up on us very quickly.

Alistair Ho (20:37):
Right. And it’s not just cloud providers. So you need to make sure you have a good grasp on all of your B2B sharing arrangements. So if your organization regularly engages in the data sharing as a data holder, review your data-sharing agreements against the list of unfair contract terms we mentioned earlier. Going forwards, new contracts, again, they have to comply already. Existing contracts need to be amended by the compliance deadline in autumn 2027, so don’t be leaving that until the last minute.

Deborah Kirk (21:00):
Right. In summary, the EU Data Act, at least on the page, represents a significant change in how data is accessed, shared and used. And while it’s still flying in the radar for many businesses, they really shouldn’t be ignoring it. Whether you’re a SaaS provider, a manufacturer of connected devices or a cloud service provider, this regulation should be considered as part of your data strategy in the years ahead, depending, of course, somewhat on the EU’s legislative and enforcement direction of travel.

Alistair Ho (21:27):
Right. And however the Data Act ends up, it’s looking at laying the groundwork for this new era in the data economy. So all business in this space need to be thinking more broadly about how they leverage and share data because that is the direction of travel we’re going in. So not just within their organizations, with competitors, with regulators and even the public.

Emily Griffin (21:44):
Yeah, Ali. And at the start of the podcast, we noted that the reaction to date has been quiet, but it’s really not going to remain that way going forward over the next few months. The full implementation of the Data Act as it’s currently drafted will bring a real change. So businesses really need to start planning now to ensure that their data strategy is aligned with its developing future landscape.

Deborah Kirk (22:02):
Great. Thank you, folks. Well, the Data or Data Act, whichever you prefer to say, it’s here. So please take notice of it and consider how and if it applies to you. Thank you, Ali and Emily, and thank you very much for listening.

Voiceover (22:15):
Thank you for joining us for today’s episode of “SkadBytes.” If you like what you’re hearing, be sure to subscribe in your favorite podcast app so you don’t miss any future conversations. Additional information about Skadden can be found at skadden.com.