The EU Data Act officially came into effect on January 11, 2024, and will be mandatory from September 12, 2025. As another new data regulation from the EU, it does not only focus on data privacy protection itself, but also shifts the focus of compliance from "control and processing rights" to "usage rights," enshrining the accessibility, sharing, and portability of data between devices, applications, and the cloud into mandatory rules. Based on this, many companies' European clients have already submitted data sharing and compliance verification requirements in accordance with the new regulations. It is recommended that companies operating in the EU plan ahead to avoid compliance risks.
Core Positioning of the Data Act
★ Legislative Purpose
- To enhance the rights of individuals and businesses to access and use data within the EU market, with a particular focus on data generated through connected devices.
- Unlike the GDPR (which focuses on data minimization and proving the legality of the collection, use, and transfer of personal data), the Data Act emphasizes data availability.
★ Applicable Form
- Legal Form: As a regulation, it has direct effect without requiring local legislation in each member state.
- Enforcement and Regulation: Member States must designate one or more competent authorities.
Key Timelines
- September 12, 2025: The EU Data Act officially comes into effect.
- After September 12, 2026: Connected products placed on the market must fulfill the "by design" obligation.
- January 12, 2027: Cloud services will be "free for switching and data egress".
Applicable object
★ Manufacturers of connected products and related service providers located within the EU
★ Data recipients within the EU
- Data holders who provide data to data recipients within the EU, regardless of whether they have a place of business in the EU;
- Public sectors, the European Commission, the European Central Bank, and EU institutions that require data holders to provide data due to specific needs for performing specific tasks in the public interest;
- Providers of data processing services to EU customers, regardless of whether they have a place of business in the EU.
★ Participants in the Data Space
- Application providers using smart contracts;
- Individuals whose business involves deploying smart contracts for others while executing agreements.
Industries Involved
Category 1: Enterprises involved in the intelligent and digital transformation of equipment, such as manufacturers and providers of hardware and software for consumer devices like smart wearables, intelligent connected vehicles, connected industrial machinery, connected power energy management equipment, and smart home appliances—a range of IoT terminal devices.
Category 2: Enterprises providing data processing services, such as digital service providers of interconnected products offering non-electronic communication services like virtual assistants, data processing service providers offering cloud computing resources for data storage and analysis, and suppliers deploying smart contracts for EU clients.
Category 3: Upstream and downstream enterprises providing related products and services to the aforementioned industries and businesses in the EU market are also required to fulfill relevant obligations.
Core Obligations of the EU Data Act: Four Compliance Requirements for Enterprises
1. Obligations Toward Users (Including B2B and B2C Users)
◆ Transparency Requirements: Before signing sales, leasing, or service provision contracts with users, enterprises are required to provide relevant product data information (such as the type, format, volume, generation frequency, generation method, storage location, retention period, and data processing purpose of the product data), information on data holders and related sharing parties, and information on user rights exercise methods.
◆ User Consent Principle: Before using generated data, relevant enterprises should sign a user agreement with users to obtain their consent, and use the generated data according to the purpose specified in the agreement. If the generated data involves personal data, GDPR requirements must also be met.
◆ Data Access Business: Internet products and services must ensure, from the design stage, that users can conveniently, securely, and freely access the data they generate, and provide users with free, structured, machine-readable product and service data.
◆ Third-Party Sharing Obligations: Users may directly share data with third parties (such as repair shops, data analytics companies). When third parties receive data, enterprises must ensure that the sharing process is approved by users and that the purpose is clear and compliant.
2. Obligations to Data Recipients (Another Enterprise) and Governments
◆ Share data upon user request or based on other legal obligations.
◆ Open data to government agencies under reasonable requests (such as in emergencies or utility optimization).
◆ Prohibit the abuse of data monopoly power.
3. Obligations to Data Processing Service Providers
◆ Do not artificially create barriers for users to switch data service providers (such as high fees).
◆ Ensure data migration and interoperability between cloud platforms. ◆ Legal and technical measures are required to prevent unauthorized access to non-personal data by non-EU countries.
Consequences of Violating the EU Data Act
The Data Act does not affect the implementation of the General Data Protection Regulation (GDPR) and the powers of the data protection supervisory body under it (Article 1(5) of the Data Act).
For data processors that violate the obligations under Chapters 2, 3, and 5 of the Data Act (i.e., the obligation of data holders to share data with users, data recipients, and EU public sectors), the supervisory body responsible for overseeing the implementation of (EU) 2016/679 may, within its jurisdiction, impose an administrative penalty of up to €20 million, or 4% of the previous fiscal year’s total global turnover, whichever is higher.
For data processors that violate the obligations under Chapter 5 of the Data Act, the European Data Protection Ombudsman may, within its jurisdiction, impose an administrative penalty under (EU) 2018/1725, with a maximum penalty of €50,000 per violation and a maximum administrative penalty of €500,000 per year. User/Consumer Rights Protection Channels
◆ Users can file complaints with the relevant competent authorities (data coordinators in their respective member states);
◆ File legal action;
◆ Consumers can file complaints with the EU Consumer Centre Network.
Compliance Guidelines: Enterprise Implementation Suggestions
1. Basic Preparation: Clarifying Identity and Asset Inventory
◆ Define Data Role: Through contractual agreements and technical assessments, clarify your role in the data chain (data holder/receiver/third party) and delineate the boundaries of responsibility.
◆ Comprehensive Asset Inventory: Compile a catalog of data assets related to EU-related business, complete data classification and grading, and highlight the scope of personal data, non-personal data, and trade secret data.
2. Product and Process Optimization: Full Compliance from Design to Market
◆ R&D: Optimize product interface design according to the principle of "data acquisition is design," reserving technical channels for data access and sharing; complete the compliance transformation of new products by September 2026.
◆ Contractual Agreements: Revise sales contracts and supply chain agreements, clarifying data usage rules, user rights exercise methods, and responsibility division, avoiding unfair terms.
◆ Operations: Establish a data sharing application processing mechanism, standardize the third-party data reception process, and ensure that all sharing activities obtain explicit user consent.
3. Organization and Capacity Building: Solidify the Foundation of Compliance
◆ Establish a Dedicated Team: A compliance team jointly formed by the legal, compliance, R&D, and business departments will be established, with clear division of labor and timelines.
◆ Enhance Training and Empowerment: Conduct company-wide compliance training, focusing on core content such as data rights protection, cross-border transmission rules, and emergency response procedures.
◆ Appoint a Data Protection Officer (DPO): In accordance with GDPR requirements, appoint dedicated personnel to oversee data processing activities and ensure the implementation of compliance measures.
4. Dynamic Adaptation: Respond to Regulatory and Market Changes
◆ Track Enforcement Developments: Monitor updates to the implementation rules of the EU and its member states, especially adjustments to penalty standards and enforcement priorities.
◆ Regular Compliance Audits: Establish a data security check-up mechanism, continuously optimize data processing processes, and promptly identify and rectify compliance vulnerabilities.
◆ Flexible Strategy Adjustment: Develop phased compliance goals for grace period requirements in special areas such as cloud services, balancing compliance costs with business development.
Warm tips
In the short term, the mandatory implementation of the EU's Data Protection Act may put pressure on companies in terms of costs related to product transformation, process optimization, and team building. However, in the long run, establishing a compliance system in advance can help companies mitigate penalties and gain a competitive edge in the EU data market. Our company has a professional technical team and extensive product testing experience, which can help companies enter their target markets with compliant products. If you have any needs, please feel free to contact us. Our engineers will serve you as soon as possible!
