Legal development

EU Data Act and Data Governance Act - cornerstones of new data ecosystems


    While the whole world is immersed in the fascination of ChatGPT and the hardly foreseeable effects of artificial intelligence (AI), the decisive foundations lie in the availability of large amounts of data for machine learning. What began with a debate about "data ownership" – which was rightly terminated at an early stage – has led to a broad framework of rules on data access and sharing of non-personal data as well as the role of intermediaries in data spaces under the heading of "data sovereignty".

    The EU Data Act and the EU Data Governance Act are the cornerstones to create new data ecosystems beyond the dominant platform operators. As part of the European digital and data strategy, they stand alongside the Digital Markets Act (competitive regulation of gatekeepers), the Digital Services Act (content regulation of platform operators), the AI Regulation and the EU Directive on AI Liability. Businesses and institutions are facing far-reaching changes in the handling of data that go far beyond data protection law.

    The Data Act as a new horizontal regulation

    The Data Act entered into force on 11 January 2024. The individual chapters of the Act have applied in stages since 12 September 2025, with full-scope application from 12 September 2027. In particular, the data access and sharing rights for users of connected products, as well as the cloud switching rights for customers of data processing services, have been in force since 12 September 2025.

    The Data Act combines two fundamental objectives: (a) strengthening data sovereignty for commercial and private users of connected devices (IoT products) through transparency obligations for data holders and data access rights; and (b) opening up a data cycle through data sharing rights, in which small and medium-sized enterprises (SMEs) also participate and which increases innovation and value creation from data.

    The EU aims to open up alternatives to the platform-based data economy, which tends to be dominated by a few – predominantly non-European – "hyper-scalers". The "right to data portability" of the General Data Protection Regulation (GDPR) serves as a guiding principle, even if it has played a subordinate role in practice to date.

    The Data Act applies with extraterritorial reach to manufacturers of IoT products and data holders based outside the EU if the products and associated services are used within the EU. It applies across all sectors and explicitly lays the foundation for further sector-specific regulations. With the FiDA Regulation ("Financial Data Access Regulation"), the EU Commission presented the first draft of open data regulation in the financial sector soon after the legislative process for the Data Act had reached its final stage. Increased transparency requirements and user control, including through "Financial Data Access Permission Dashboards", will trigger far-reaching changes in this area – independent of any IoT products.

    Data access and data sharing rights at heart of the regulation

    At the centre of the Data Act is the legal relationship between the data holder by virtue of its de facto control over IoT data and the user of a connected product and recipient of related services. The Data Act strengthens the position of the user and gives him – beyond an existing contractual relationship – the right to access and be provided with "readily available data" in a common machine-readable format. Manufacturers must design and develop their IoT products to make available such data. The data access right includes the metadata, i.e. the descriptive elements of the raw data collected. Manufacturers, sellers or lessors of IoT products must inform the user about the type, quantity, personal use and availability of the collected data when the contract is concluded.

    Certain restrictions apply if the user wishes to share this data with a third party. In particular, the third party may not use it to create competing IoT products. However, that third party is free to develop new, data-based services and products based on the shared data with the user's consent. This is the decisive regulatory step towards a diversified data economy: it moves beyond the linear, bilateral data usage and monetisation models of device manufacturers by giving the user wider control over that data.

    The consequences of this "enabling regulation" are considerable: device manufacturers and other data holders must organise their data governance in a fundamentally different manner, and at the same time develop their data strategy beyond the mere data protection compliance and data security perspective. Companies focussed on innovation are already looking at the possibilities of proactively procuring IoT data and strategic alliances for data sharing.

    Data access and trade secrets

    One of the fundamental challenges, and also a concern of data holders, is the balance between access and sharing rights on the one hand and the protection of the data holder's trade secrets on the other. The Data Act deprives data holders of the opportunity to easily invoke (alleged) trade secrets as a defence against data access and data sharing claims. In principle, the data holder must also disclose data that contains trade secrets. To this end, the data holder must precisely identify the data sets subject to trade secret protection and instruct the user on the necessary technical measures to protect the trade secrets when handing the data over. Only if the data holder can credibly demonstrate the risk of significant economic (irreparable) damage resulting from the disclosure of a trade secret may he refuse access to and release of the data in question. But that's not all: the data holder must notify the competent supervisory authority and give solid grounds for refusing to disclose the trade secret.

    It remains to be seen whether this approach will be successful: SMEs in particular are concerned about unwanted transparency on their business processes (e.g. machine utilisation, efficient production processes, etc.) when confronted with data access claims. Over time, court decisions will provide more clarity on the scope of the trade secret defence.

    How about data protection?

    The Data Act opens a new regulatory chapter on processing personal and non-personal IoT data. The GDPR applies if a natural person can be identified (e.g. the private user of connected products). The Data Act itself does not create a new legal basis for processing personal data. Rather, the data holder – as the data controller – must comply with all relevant obligations under the GDPR (including determining the suitable legal basis for data processing, information and documentation obligations, technical data protection, safeguarding the rights of data subjects, etc.). If a business user has asserted its data access claim against another company (B2B) and then wishes to share that data with a third party, that business user may end up in the role of a data controller for personal data of the original data holder (e.g. end device data of its employees). As a consequence, the business user needs to bear all consequences of GDPR compliance following such controller-to-controller transfer (C2C), including establishing the proper legal basis of processing (e.g. consent, fulfilment of a contract with the data subject, legitimate interest or other justifications).

    Contract design

    As part of its future data strategy, every company will need to reconsider its approach towards licensing-in and licensing-out data ("inbound" and "outbound"): either as a user of IoT devices asserting data access claims ("inbound") and enabling a transfer of such data to third parties ("outbound"), or as a data holder exposed to data access and sharing claims and making IoT data available to third parties at the request of the user.

    The data holder must share IoT data with data recipients on a non-discriminatory basis (FRAND principles) and may ask for remuneration only from B2B recipients, to cover cost plus an auditable profit margin. When sharing data with other companies (B2B), the data holder must respect a catalogue of rules on inadmissible contractual clauses, which serve to implement general fairness rules for data licensing, including questions of liability and warranty for poor data quality, as well as termination rules. Those who are familiar with the German law on general terms and conditions will recognise these restrictions on contractual clauses.

    Cloud switching

    In addition, and without regard to IoT products, the Data Act gives B2C and B2B customers of "data processing services" (i.e. cloud services of all kinds) a statutory right to switch their provider by way of an early termination right free of charge. Detailed rules are designed to bring down common "lock-in" effects that providers of cloud services have created through technical, contractual and economic parameters. Cloud providers must inform their customers of the switching rights and provide technical assistance in migrating data free of charge to a competitor or back to the customer (an "egress charge" is only permitted until 12 January 2027).

    Regulatory guidance

    The EU Commission has provided initial guidance on the interpretation of the Data Act through its Data Act FAQ document (most recent version 1.4 of January 2026), covering a wide range of frequently asked questions, such as data quality requirements and interoperability obligations. It has also issued model contractual terms for data sharing and standard contractual clauses for cloud switching.

    Further, the European Data Innovation Board acts as a coordination body between the national supervisory authorities and in support of the EU Commission in the development of legislation. It issues guidelines and recommendations on law enforcement, the development of implementation measures, certifications, smart contracts for data exchange and reasonable costs for cloud switching as well as interoperability standards in the area of European data spaces.

    Supervisory authorities and dispute resolution

    The Data Act aligns with the GDPR's regulatory approach, instituting national supervisory authorities and a European body (the European Data Innovation Board) to supervise, interpret and enforce the regulation. Member States have assigned the supervisory role to different existing authorities (e.g. in France, the Electronic Communications, Postal and Print media distribution Regulatory Authority (ARCEP), in Germany the Federal Network Agency (BNetzA), in Italy (yet tbc), the Agency for Digital Italy (Agid), in Spain (yet tbc), the Spanish Data Protection Agency (AEPD)), which need to build out Data Act expertise.

    In addition, the Data Act provides a particularly interesting dispute settlement procedure. Member States have laid the foundations to institute certified dispute settlement bodies. They are designed for data holders, users and third-party recipients of IoT data to resolve disputes over access and sharing rights, as well as for cloud service providers and customers. The dispute settlement bodies must issue their decision within 90 days, including the reasons for their decisions and an award on the costs of proceedings, after hearing the parties and written submissions. Decisions are binding if the parties have mutually agreed to this at the beginning of the proceedings. However, these dispute settlement proceedings do not preclude recourse before ordinary courts or other arbitral panels – in which case the dispute settlement body could decline to take a case. The dispute settlement bodies will publish annual experience reports, including their recommendations on dispute avoidance and best practices. This highly innovative approach is important for the interpretation of the law and for quickly gaining practical experience in solving conflicts under this entirely new, unprecedented piece of legislation. It is to be hoped that data holders, users and third parties will make strong use of this mechanism, in order to rapidly develop legal practice and precedents on a broader basis.

    Data Governance Act and data spaces

    In an effort to find viable alternatives to the platform economy, the EU Commission proclaimed its Data Space Strategy in 2020. In this strategy, data intermediaries play a central role in realising data sovereignty for data providers and data users in decentralised network structures. The Data Governance Act addresses this by way of a "soft regulation" in that data intermediaries must register with the competent authorities (no authorisation requirement). They must ensure sufficient independence within the scope of their activities and may not themselves engage in any data analysis or commercialisation of data beyond the provision of technical services to maintain the data space and the services offered therein.

    Catena-X is the first reference model that implements the principle of data sovereignty through decentralised, platform-independent data exchange models in accordance with the principles of the International Data Spaces Association and Gaia-X. Manufacturing-X could follow suit. The planned regulation on a European data space for health data and the Health Data Utilisation Act show that an exciting development lies ahead for data spaces, with a considerable need for design and inevitable potential for disputes in the future.

    Consolidation via the Digital Omnibus

    The EU Commission has prepared a broad legislative package to simplify and consolidate EU digital regulations in the "Digital Omnibus Regulation". While discussions are in final stages, it is planned to integrate the provisions on data intermediaries and data altruism as well as re-use of data and documents held by public sector bodies from the Data Governance Act into the Data Act (new Articles 32a-32g).

    ****

    About the author

    Dr Alexander Duisberg, Partner in the Digital Economy department at Ashurst LLP, is one of the leading legal experts on issues relating to digitalisation and the data economy. He has repeatedly taken part in expert hearings organised by the EU Commission on the EU's Digital Strategy, including in particular the Data Act and the AI Act.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.