The central goal of the Data Act is to leverage data from connected products and related services to improve competition and support the common good. To achieve this goal, the Data Act grants users of these products and services a new right of access to data that they help generate. We explore what this right means in this article. There are also new rules on sharing data with third parties to promote related and aftermarket services which we will explore in Part Three.

1. What do I need to understand about the Data Act’s new access rights?

• The Data Act enables users of connected products and related services to access data generated by their use of the connected product both directly (where technically feasible) and indirectly.
• First, any new connected products or related service placed on the market after 12 September 2026 must be designed to allow direct access (where relevant and technically feasible) by the user to product and related service data. Data holders must also provide users with certain information about their access rights prior to entering the contract. For example, information on the type and volume of data, retention of data and the means of access.
• Second, and where data cannot be accessed directly by the user, the data holder must make what is called “readily available data” and metadata available indirectly (i.e. via a user request) to the user without undue delay and for free. Where possible this data must be provided continuously and in-real time.
• Trade secret data is not automatically exempt from disclosure but there are certain limits on its access and use.

2. Who do these rights apply to?

The right of access is exercisable by a user, meaning an individual or business in the EU that uses a connected product or a related service. A connected product is any product that collects or generates data and is able to share this data (i.e. via an internet connection or physical connection). A related service is a service that would make a connected product behave in a specific manner (e.g. adjust its temperature). A data holder is generally the manufacturer of the product or provider of the related service and may or may not be in the EU.

3. What type of data is in scope?

The scope of data which falls within the new access rights is very broad. It covers personal and non-personal data. It includes all raw data generated from the use of a connected product or related service including metadata used to interpret that data along with data that is pre-processed to make the data understandable. Product data only includes data which was designed by the manufacturer to be retrievable by the user, the data holder or a third party.

For many products this will mean data from sensors, which collect information on the surrounding environment or user actions. The European Commission’s FAQs on the Data Act (the “FAQs”) state that such data should be easily usable and understandable, to achieve the objectives of the Data Act and should be shared in a manner that aligns with industry standards.

The Data Act is without prejudice to the GDPR, and the data holder must ensure it complies with the GPDR when the exportable data constitutes personal data. Consideration should be given to situations where the user is not the relevant data subject. 

Where data is not directly accessible by the user (perhaps if such direct access is not technically feasible), the data holder must only provide the user on request with access to “readily available data”. This refers to product and related service data that can be accessed from the connected product or service by the data holder easily – without disproportionate effort.

Content and data generated when the user records, transmits, displays or plays content is not included as such content would typically be covered by third party IP rights. It also does not cover derived data, in other words, using several data points to infer a characteristic of the user or product or data that results from additional investment (such as the application of algorithms to the raw data). For example, derived data may be that data from in-car sensors infers that a driver is sleepy.

It is important to note that the data holder cannot use any non-personal data generated by the product without the user’s agreement. This aligns with the approach to personal data as the data holder will not be able to use any personal data of user without an appropriate lawful basis.

4. How is a data holder required to make data available?

Direct access to data by user: New products placed on the market after 12 September 2026 will need to be designed in such a way as to allow access to product and related service data directly by the user, where relevant and technically feasible. This will require input from product and engineering teams so stakeholders should be identified now. The FAQs note that the Data Act leaves some flexibility to the manufacturer to decide whether to design for direct access.

Provision of data by data holder to user: To the extent that a user cannot access data directly themselves (for example if direct access is not technically feasible), data holders must provide a user with access to readily available data and metadata “without undue delay, of the same quality as is available to the data holder, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format and, where relevant and technically feasible, continuously and in real-time. This shall be done on the basis of a simple request through electronic means where technically feasible”.

Some organisations may already provide users with access to all raw data. But for those that do not they will need to be able to locate, package and share this data with users from 12 September 2025 (perhaps via a portal on the connected product or related web/mobile platform) and ensure that new products are designed to allow for direct access from 12 September 2026.

5. Can users or data recipients use data to create a competing product?

No. While the purpose of the Data Act is to improve competition in related and aftermarket services, it is not designed to provide a means for a competitor to create a competing connected product. Users and data recipients (i.e. third parties to whom the user authorises sharing of data) are prohibited from developing a connected product that competes with the original product.

The Data Act however does not prevent the development of competing related services. The user must also not use the data they receive to gain economic insights into the original data holder’s business, e.g. in relation to their economic circumstances, assets or production methods (and vice-versa in terms of the data holder using data to gain insights about users).

6. Data holders – what about our trade secrets?

The treatment of trade secrets under the Data Act was bitterly contested during the legislative process. In the end, the bar by which data holders can refuse to share data which constitutes a trade secret was set quite high. The data holder can only refuse to share data on the basis of preserving a trade secret in exceptional circumstances where disclosure of that trade secret is likely to cause serious economic damage to the data holder.

In these exceptional circumstances, the data holder must record the basis for this refusal and notify the competent authority(ies) and the user. If the intended recipient wishes to challenge this refusal, then they can lodge a complaint with the competent authority(ies) or refer the matter to the designated dispute settlement body.

If this high bar is not met, trade secrets “shall be preserved and shall be disclosed only where the data holder and the user take all necessary measures prior to the disclosure to preserve their confidentiality in particular regarding third parties” (Articles 4(6) and 5(9) of the Data Act). Therefore, the data holder and the data recipient must agree proportionate technical and organisational measures to preserve the confidentiality of the data, for example pursuant to confidentiality agreements or access controls.

If agreement cannot be reached between the parties on the necessary measures to protect trade secrets or of the user fails to implement these measures or if the confidentiality of the trade secret is undermined, then the data holder may withhold or suspend data sharing, but it will need to notify the competent authority that it is doing so and provide the basis for such suspension.

In practice, data holders should review their data sets to determine what, if any, constitute trade secrets. They should ensure they have a comprehensive assessment as to why trade secret status applies, the technical measures in place to protect confidentiality and how disclosure of the trade secret would cause serious economic damage.

If you require further information on the Data Act, please contact any member of our Technology and Innovation Group or your usual Arthur Cox contact.