Tech & Sourcing @ Morgan Lewis


The European Council adopted the EU Data Act (the Act) on November 27, 2023, representing a major regulatory shift in cloud services and data processing. The Act’s objectives include ensuring fairness in the allocation of value from data among actors in the digital environment and making data more accessible to all in order to open opportunities for data-driven innovation.

The Act’s provisions are aimed at enhancing customer flexibility and competition in the data market and rely on cloud service providers (CSPs) to (1) remove barriers to customer switching, (2) phase out switching charges over a three-year period, (3) clearly define their contractual obligations, and (4) meet their technical obligations for data migration.

The Act will affect the competitive landscape thanks to its extraterritorial scope, which applies to CSPs servicing recipients in the European Union.

CSPs are being recommended to take action ahead of implementation, including reviewing policies, evaluating pricing models, and investing in technologies for compliance, taking into account potential enforcement risks and fines.

Summary of the Act

Below are the main provisions of the Act, including its impact on products and services (which are further discussed in a recent LawFlash):

  • The GDPR remains applicable when personal data is involved—the Act is designed to enhance the value creation of non-personal data from connected products and services, primarily within the Internet of Things (IoT) ecosystem.
  • The Act outlines conditions for accessing such data on fair, reasonable, and non-discriminatory terms.
  • The Act applies to manufacturers of connected products and providers of related services within the EU market, irrespective of their location. Its scope includes product data and related service data, with disclosure requirements for connected products. The Act makes it easier for individuals and businesses to regain control over their own data through easy data transfers between devices and a reinforced portability right.
  • The Act focuses on the scope of allowing users of connected devices, such as smart household appliances and industrial machines, to access data generated by their use. It distinguishes between “product data” and “related service data,” emphasizing the functionalities of data collected by connected products, including disclosure requirements.
  • Users benefit from enhanced mobility between cloud providers, safeguards against unlawful data transfers, and interoperability standards. The Act encourages the development of interoperability standards for data sharing and processing and aims to protect trade secrets and intellectual property rights with safeguards against abusive behavior. Measures are in place to prevent contractual imbalances in data sharing contracts, offering protection to EU companies, especially small and medium-sized enterprises (SMEs).
  • The Act applies within and outside of the European Union—it allows data storage outside the European Union but imposes limitations and measures to prevent conflicts with EU or national laws.
  • EU member states can flexibly organize the implementation of the Act, designating a “data coordinator” for coordinating tasks at a national level. The Act’s compliance oversight is organized at the national level, and penalties for noncompliance are determined by said data coordinators. The Act’s focus is on ensuring adherence to contractual and access obligations rather than revenue-based penalties.
  • The Act enables public sector bodies and EU institutions to access private sector data in exceptional circumstances, such as public emergencies, with provisions for fair compensation.
  • Overall, the Act aims to balance data access, industry support, and consumer benefits while providing safeguards and flexibility at the national level.

European Digital Innovation Efforts

The legislation is set to guide the European Union’s digital transformation by 2030, promoting innovation, new services, and increased competition in the aftermarket services and repairs of connected objects, particularly within the IoT. The Act is a crucial component of the European Union's broader data strategy, following the adoption of the Data Governance Act in 2022. This Act, together with the European Commission's February 2020 European strategy for data, aims to position the European Union as a leader in data innovation.

While the Data Governance Act establishes processes and structures to facilitate data sharing, the new Act complements it by specifying who can derive value from data and the conditions under which this can occur. This clarification serves as a fundamental digital principle, fostering the development of a robust and equitable data-driven economy.

The European Council adopted the Act on November 27, 2023, with obligations becoming applicable 20 months after entering into force, with the exception of Article 3 paragraph 1 (requirements for simplified access to data for new products), which will apply after 32 months.

Trainee solicitor Lucrezia Noiret contributed to this blog post.