New EU Data Act: Impact on Data Flows Within and Outside the EU’s Borders

December 05, 2023

The Council of the European Union adopted the Data Act on November 27, 2023. Together with the Data Governance Act and the EU General Data Protection Regulation (GDPR), which are also key elements of the broader European data strategy of 2020, the Data Act aims to create a unified market for the free flow of data within the EU and across various sectors. It also addresses flows of nonpersonal data from the EU to countries outside of the EU differently from the GDPR, which continues to cover personal data.

This pivotal legislation is set to become effective on the 20th day after its publication in the EU’s Official Journal, becoming applicable 20 months thereafter.

Below we highlight aspects of the new Data Act that companies should consider in regard to the act’s impact on their products and services (privacy by design).


What Is the Purpose of the Data Act?

The Data Act’s primary objective is to enhance value creation of data generated by connected products and services for the industry in the EU. The Data Act also outlines circumstances in which EU public institutions can access certain types of data.

What Are the Implementation Mechanisms?

The Data Act stipulates conditions for access to (nonpersonal) data from connected products and services. These products/services should be designed and produced to make data easily accessible to users. For public sector bodies, the Data Act provides mechanisms to access private sector data in public emergencies or when fulfilling a legal mandate. Data holders are required to provide data to third parties upon request from a user or representative.

The Data Act aims to ensure that data holders offer data access under “fair, reasonable, and non-discriminatory” terms, achieved by adapting contract law rules. This includes the obligation of precontract disclosure in a clear format.

Additionally, the Data Act promotes the development of interoperability standards for data sharing and processing.

What Is the Scope and Coverage?

The Data Act primarily covers connected products within the Internet of Things (IoT) ecosystem, excluding prototypes. These products are those capable of gathering, generating, or collecting performance, use, or environment data communicated via an electronic communications service, a physical connection, or on-device access.

Most of the provisions of the Data Act will apply to “data holders,” defined to include a natural or legal person that has the right or obligation to use and make available data including, where contractually agreed, product data or related service data that it has retrieved or generated during the provision of a related service. Under this definition, manufacturers of connected products and providers of related services typically are covered. “Providers of data processing services” are also covered.

Will the Data Act Be Relevant Beyond EU Borders?

Yes, the Data Act, similar to the GDPR, applies to manufacturers of connected products and providers of data-processing services offered in the EU market regardless of their location of establishment(s). However, the provisions of the Data Act regarding data sharing are limited to benefitting their users within the EU.

Can the Data Be Stored or Otherwise Processed Outside of the EU?

Yes, but there are limitations on exporting data to places outside of the EU. Article 32(1) of the Data Act states that “[p]roviders of data processing services shall take all adequate technical, organisational and legal measures, including contracts, in order to prevent international and third-country governmental access and transfer of non-personal data held in the [EU] where such transfer or access would create a conflict with [EU] law or with the national law of the relevant Member State.”

This provision, which is narrower than Chapter V of the GDPR (data transfers to third countries), has been criticized outside of the EU as “protectionist.” There are some exemptions foreseen in this article (e.g., for following a binding court order in the receiving country under existing mutual legal assistance agreements of the EU).

Is Data Generated by Use of a Connected Product Regarded the Same?

No, the Data Act distinguishes between “product data” and “related service data,” focusing on data functionalities rather than the products themselves. Under the Data Act, “product data” refers to data generated by the use of a connected product that the manufacturer designed to be retrievable from the connected product by a user, data holder, or a third party including, where relevant, the manufacturer.

“Related service data” refers to data that also represent the digitization of user actions or events related to the connected product and that are generated during the provision of a related service by the provider.

What Disclosure Is Required Before Offering a Connected Product?

Prior to finalizing a contract for the purchase, rent, or lease of a connected product, the responsible party (e.g., the manufacturer) must provide to the user information regarding the product data that the connected product is capable of generating, including the type, format, and estimated volume of such data, in a clear and comprehensible manner. The disclosure could be made by maintaining a URL distributed as a web link or QR code.

What Are the Impacts on Users Renting or Leasing a Connected Product?

The Data Act considers an owner, renter, or lessee to be a user, including where several entities can be considered to be users. Access rights should not interfere with the rights of data subjects who may be interacting with a connected product or a related service regarding personal data generated by the connected product or during the provision of the related service.

For products typically used by multiple people, manufacturers or designers of a connected product are advised to put in place the necessary mechanisms to allow separate user accounts for individual persons, where relevant, or for the possibility of several persons using the same user account.

Is Data Sharing with EU or National European Public Institutions Included?

Yes, private data holders that are legal entities are obligated to make data available to EU public institutions, upon a duly justified request, in scenarios of exceptional need.

Does the GDPR Apply?

Yes, the GDPR is always applicable when personal data is exchanged or disclosed. The Data Protection Authorities (DPAs) maintain their authority to intervene, and the rights of data subjects remain enforceable for personal data.

Who Will Oversee Compliance with the Data Act?

The regulation allows member states to retain flexibility in organizing the implementation and enforcement of the Data Act at the national level. In member states where such coordination is necessary, a designated “data coordinator” will act as the central point of contact.

What Are the Penalties for Noncompliance?

Penalties for noncompliance will be determined by the data coordinator, which refers to the competent authorities in the EU member states. Unlike the GDPR, the Data Act does not establish revenue-based penalties.


  • Cloud Switching. The Data Act provides for interoperability standards for providers of cloud and other data-processing services to facilitate switching. Noncompliance will lead to penalties set and enforced by EU member states.
  • Virtual Assistants. The Data Act acknowledges that virtual assistants play an increasing role in digitizing consumer and professional environments and serve as an easy-to-use interface to play content, obtain information, or activate products connected to the internet. However, only the data arising from the interaction between the user and a connected product or related service through the virtual assistant should be covered by the Data Act. Data produced by the virtual assistant that is unrelated to the use of a connected product or related service is not covered.
  • Smart Contracts. Also noteworthy is the requirement that smart (data sharing) contracts must have the capability to be “interrupted and terminated” (kill switch), which has been criticized by the blockchain community.
  • Transparency Obligations. Providers of data-processing services are further required to disclose on their websites, and keep up to date, certain key information, including the jurisdiction of their ICT infrastructure for data processing and a comprehensive description of measures taken to prevent international governmental access to nonpersonal data that conflicts with EU or member state law. Additionally, these websites must be listed in contracts for all data-processing services offered by the providers, ensuring transparency and adherence to data protection standards within the EU.


Despite criticisms regarding discriminatory elements in the Digital Markets Act and Digital Services Act, upcoming legislation such as the European Cybersecurity Certification Scheme for Cloud Services and the Artificial Intelligence Act (AI Act) is under scrutiny.

