On 11 January 2024, the EU Data Act entered into force, with the majority of its provisions applicable from 12 September 2025. Among other requirements, the Data Act regulates access to usage data generated by products connected to the internet (i.e. IoT devices).

In practical terms, this means that Data Holders (i.e. people with the right to use and make available usage data, which may also include providers of connected products and providers of related services) will be required to implement certain design and manufacturing requirements, provide certain information to users, and give effect to user rights relating to usage data. This article focuses on the key requirements between Data Holders and users in a business-to-consumer (B2C) context.

Key provisions applicable to Data Holders in a B2C context

1. User-friendly design and transparency requirements on connected products

Data Holders must ensure that their relevant products and services enable the sharing of usage data by default. Such products and services must also make usage data free-of-charge, easily, and securely available in a "comprehensive, structured, commonly used and machine-readable format", and where possible, such usage data should be made directly accessible to users.

These requirements have a longer lead time, as the relevant article in the Data Act that provides these design requirements will only apply after 12 September 2026. Providers of relevant connected products (such as sellers, rentors or lessors of connected products, which may include the manufacturer of the connected product) and related services are also required to provide certain information to users.

The extent and type of information to be made available differs between the provision of a connected product and the provision of a related service (i.e. digital services essential to one or more functions of the connected product, other than electronic communications services). The provision of related services generally requires more comprehensive information to be provided to users, such as information with regard to: (i) the identity, contact information and intended use of data by the Data Holder, (ii) user rights in relation to their data (see below), (iii) the identity of the relevant trade secret holder, if any, and (iv) the contract between the user and the prospective Data Holder.

Regardless, in both cases information regarding (i) the type, volume and frequency of usage data capable of being obtained from the connected product, (ii) how such data is stored, and (iii) how users may access usage data must be provided. Such information must also be provided before the conclusion of a contract with users for the provision of connected products and/or services.

2. Empowers users

The Data Act empowers users by providing them with certain rights, including rights to (i) request access to usage data; (ii) request data holders to make available certain usage data to third parties; and (iii) lodge complaints against the relevant data holder with a competent member state authority. Certain rights, however, are conditional:

  • the right to access may be contractually restricted if such processing could undermine security requirements of the product, resulting in a serious adverse effect on the health, safety or security of others, or if such data falls within a qualifying trade secret (see below);
  • the right to make available usage data to third parties only applies if the relevant connected product has been designed to enable such data being stored or transmitted externally, and such usage data can be obtained without disproportionate effort, and the third party is not a "gatekeeper" within the meaning of the Digital Markets Act (for more information on gatekeepers and the Digital Markets Act, see our article here).

3. Protection available to Data Holders

The Data Act provides for certain protection and exemptions for Data Holders, including the following:

  • Protection for small enterprises/microenterprises: Organisations that qualify as small enterprises or microenterprises (i.e. enterprises which employ fewer than 50 people and whose annual turnover and/or annual balance sheet total does not exceed €10 million, and enterprises which employ fewer than ten people and whose annual turnover and/or annual balance sheet total does not exceed €2 million respectively) are exempt from the Data Act's requirements to share usage data with users and businesses. However, the Data Act will apply if such organisations are partnered or linked with non-microenterprises or non-small enterprises, or if such organisations have been subcontracted to provide a connected product or a related service.
  • Protection for prototypes and trade secrets: Prototypes are exempted from the scope of the Data Act. Data that can be identified as trade secrets are exempt from disclosure, unless all necessary measures to preserve their confidentiality can be agreed and implemented. If users fail to agree or implement such measures, Data Holders may withhold or suspend the sharing of trade secret data. On a case-by-case basis, a Data Holder may refuse a user's request to access data if the Data Holder can demonstrate that it is highly likely to suffer economic damage from the disclosure of such trade secrets. Upon such refusal, the Data Holder must notify the relevant competent authority.
  • Restrictions on users: The Data Act further imposes certain access and use restrictions on users. Users are prohibited from deploying coercive means or abusing evident gaps in the technical infrastructure of a device in order to gain access to data, and may not use data derived from a connected product to develop a competing connected product, or to derive insights about the economic situation, assets and production methods of the IoT manufacturer or Data Holder.

Commentary

Many products may potentially be within scope of the Data Act, as long as the product is capable of generating data concerning its use or environment and can convey such data by electronic means, and its primary function is not the storing, processing or transmission of data on behalf of any party other than the user.

While prior publications by the European Commission indicate that the scope of the Data Act is aimed at IoT products, such as smart household appliances and intelligent industrial machines, the wide definition of a "connected product" under the Data Act may mean that most products with an internet connection capable of generating service data may be within scope. Indeed, the Data Act notes in its recitals that connected products may be "found in all aspects of the economy and society, including in private, civil or commercial infrastructure, vehicles, health and lifestyle equipment, ships, aircraft, home equipment and consumer goods, medical and health devices or agricultural and industrial machinery", indicating a potentially wide scope of application.

It is also notable that the European Commission's initial draft of the Data Act expressly excluded personal computers, servers, tablets, smartphones, cameras, webcams, sound recording systems and text scanners, but this exclusion is no longer present in the published Data Act, and consequently such products may also be within scope.

Nevertheless, while further clarification on the scope of the Data Act is awaited, most organisations whose businesses involve IoT products or related services are likely to be within scope. Such organisations should consider the timeline presented by the Data Act and plan accordingly.

As there is an additional year to implement design requirements for connected products and related services, such organisations should consider prioritising compliance with the Data Act's transparency requirements and requirements relating to user rights to access data. To this end, organisations may consider consolidating an inventory of applicable products or services and related data. Such an inventory will also enable organisations to identify prototypes and trade secrets in order to avail themselves of the exemptions provided for in the Data Act.

The Data Act also contains further provisions for business-to-business data sharing, providers of data processing services (i.e. cloud services), public sector access to data, data spaces, and smart contracts. These impose further requirements on Data Holders, as well as other organisations such as providers of cloud services, third-party data recipients, and public sector bodies. These topics will be explored in subsequent articles.
