The Unique Rights and New Obligations of the EU Data Act

The EU Data Act, effective September 12, 2025, is a regulation aiming to make more data available for use while establishing parameters around who can use and access what data and for which purposes. The intent is to foster innovation, expand competition, and create a more equitable economy within the EU. The Act applies to physical devices that generate or collect raw (but usable) user interaction information and can communicate that data to other devices and related services (called “connected products”). Information generated by connected products includes personal and non-personal data. 

The Act introduces unique rights and new obligations, including: 

• Grants users additional rights to access, use, and share data generated by their devices

  Two core rights are introduced with the Data Act: 1) users of a connected product or related service have a right to receive a copy of the product or service data, including metadata, that they generate and 2) users have the right to instruct the data holder to send requested data directly to a third-party service provider. Data holders are responsible for including any relevant competition and trade-secret guardrails prior to transferring data to a third party. 

• Obligates data holders to enable user access

  The Data Act requires data holders to ensure user access to data generated by connected products, immediately upon user request. The Act also requires data holders provide the requested information to the user in a structured, machine-readable format, free of charge. Companies may need to invest in technical infrastructure upgrades and formal processes to support accessibility and interoperability.

• Encourages competition and better service options for customers

  The Data Act eliminates the exclusive control conventionally held by manufacturers or data holders over data generated by connected products. Under the Act, users have the authority to direct the use and access of their data to find the best consumer options, thus encouraging competition and better service options for customers. 

• Establishes a broad compliance scope, extraterritorial application

  Any company that provides connected products or services in the EU falls within the compliance scope and the Act broadly defines “connected products.” This makes the territorial scope of the Data Act unlimited because providers of connected products or services may provide connected devices or services in the EU from any jurisdiction. Connected products can range from large consumer products (e.g., smart refrigerators) to smartphone apps. Thus, a US company may be in scope for EU Data Act compliance if an EU-based customer uses its smartphone app from within the European Economic Area (EEA), even if the company has no European presence.

A Key Challenge

The Data Act primarily focuses on non-personal data, which may create a new and significant challenge for many organizations. Traditionally, protecting personal data is the primary focus of data protection laws; companies may not have formal documentation or a data map for non-personal information. Additionally, data holders routinely process and transfer mixed data sets of personal and non-personal data. Now, these same companies will need to separate personal data from non-personal data to effectively operationalize obligations under the Act. 

Suggested Best Practices for Next Steps 

Two factors make the EU Data Act an unprecedented regulation. First, the rights granted are not people-centric, but “users” are both consumers and businesses. Secondly, the Act forces data holders to document and manage personal and non-personal datasets flowing to and from the organization. Although enforcement will not begin for another year, there are several steps organizations should take now for continuous compliance.

• Review the regulation and determine if the Data Act applies to the organization, and if so, what is the organization’s role under the Act.
• Organizations should perform a data mapping exercise for non-personal data generated by products and services. Optimally, this includes categorization by data type, purpose, and access points of non-personal data.
• Companies should assess whether standard contractual clauses or model clauses are applicable, and if so, begin repapering efforts immediately.
• Organizations should review technical infrastructure to ensure interoperability is achievable.

If you have questions about how the EU Data Act affects your organizations and its stakeholders, QuisLex Advisory can help. Contact us here.