Stephenson Harwood LLP | Katie Hewson | Nic McMaster | Sarah O’Brien
The EU Data Act (the “Act”), which entered into force on 11 January 2024, is a comprehensive piece of legislation aimed at fostering a fair and competitive digital environment in the European Union. It focuses on ensuring that data is shared more effectively, while protecting the rights of individuals and businesses.
In this article, we do a deeper dive into: (i) the right of users to request data holders to share data with third parties; and (ii) the right of certain EU institutions to request access to certain data from data holders.
If you haven’t already, we recommend you read our overview article for this series first, available here.
What are the data sharing rights under the EU Data Act?
The Act mandates that “readily available data” must be made available to third parties following a request from the user (Article 5) and that “data” must be made available to public sector bodies, the Commission, the European Central Bank or an EU body (“EU Institution”) where there is an exceptional need (Article 14). The Act splits exceptional needs into (i) those where there is a public emergency; and (ii) those where there is no public emergency. A pandemic is an example of the former; in either case, the EU Institution must be unable to obtain the data by alternative means in a timely and effective manner.
Making data available to third parties
What data sharing is the Act targeting?
The third-party data sharing rights are targeted at allowing users to port their usage data to alternative providers of the same product or service, or to services that can allow them to analyse and optimise their use of the relevant product or service. An example of the type of data sharing that may be anticipated under these provisions includes a user sharing data from its connected vehicle with its insurance company.
What data needs to be made available to third parties?
Under Article 5 of the Act, data holders must make “readily available data” available to third parties following a request from the user. This is in addition to the obligation to provide data to the user themselves upon request. See our article on the right of access under the EU Data Act here for more information on that.
The “readily available data” that must be made available to third parties is:
- product data, which is data generated by the use of the connected product that is designed to be retrievable via an electronic communications service (e.g., near-field communication networks), a physical connection or on-device access;
- related service data, which is data representing the digitisation of a user’s actions (including inactions) and events related to the connected product, whether recorded intentionally by the user or generated as a by-product of the user’s actions; and
- metadata that is necessary to interpret the above categories of data.
Data is “readily available” only where the data holder can obtain it without disproportionate effort. In practice this means that raw and pre-processed data falls in scope, but derived and inferred data (which would require additional processing to produce) does not.
If trade secrets form part of the readily available data, these must only be made available if strictly necessary to achieve the purpose of sharing and on the condition that the third party takes all necessary measures to preserve their confidentiality. If the third party does not agree to take such measures, such data need not be made available. Further, if the holder of the trade secrets can demonstrate that it is highly likely to suffer serious economic damage as a result of the disclosure (even with the necessary measures), the data may be withheld. However, in both cases the data holder must notify the competent authority.
Finally, it is worth noting that the above categories of data include both personal and non-personal data.
Who does the obligation to make data available to third parties apply to?
Data holders. See our article on the right of access under the EU Data Act here for an explanation of who a data holder is.
Microenterprises, small enterprises and enterprises that have qualified as a medium-sized enterprise for less than one year are all exempt from the obligation in Article 5 of the Act.
How does the data need to be made available to third parties?
Readily available data needs to be made available easily, securely and free of charge to the user, in a comprehensive, structured, commonly used and machine-readable format and, where technically feasible, continuously and in real time. (Whether the data holder may charge the third party is addressed below.)
Is the data holder entitled to compensation for making data available?
Data holders can charge non-discriminatory and reasonable compensation for making readily available data available to third parties in a business-to-business context. If the third party is an SME or not-for-profit organisation, the amount of compensation the data holder can charge is limited to the costs incurred in making such data available. In other cases, the data holder may also take into account any investments it has made in the collection and production of the readily available data.
The Act requires the European Commission to publish guidelines on the calculation of reasonable compensation so we will look out for, and report on, these once published.
Are there certain conditions under which data holders must make data available to third parties?
Yes. Data holders must make readily available data available to third parties under fair, reasonable, and non-discriminatory terms and conditions and in a transparent manner. If any terms are found to be unfair or, to the detriment of the user, exclude the application of, derogate from or vary the effect of the user’s rights to share data, such term(s) shall not be legally binding. Article 13 of the Act provides further guidance on what will be considered an unfair term and includes a term that is of a nature that its use grossly deviates from good commercial practice, contrary to good faith and fair dealing.
Data holders must not make readily available data available on an exclusive basis unless directed to do so by the user.
What are the obligations on third parties following receipt of the data?
The third party must only use the readily available data provided by the data holder for the purposes agreed with the user and must delete the data when it is no longer necessary for those purposes.
Article 6 of the Act places several prohibitions on third parties with respect to the readily available data including:
- not to use the data for profiling (as defined under the GDPR), unless it is necessary to provide the service requested by the user;
- not to make the data available to another third party unless it is under a contract with the user and the other third party agrees to take all necessary measures to preserve the confidentiality of trade secrets; and
- not to develop directly or indirectly a product that competes with the connected product from which the data originated.
Is the data sharing mandatory and what is the penalty for non-compliance?
Yes, once the request has been made by the user, the data sharing is mandatory.
The Act leaves it to each Member State to lay down the penalties for failing to comply with the data sharing provisions (and Member States are yet to legislate for this). Where the infringement concerns personal data, the Act also provides that the GDPR supervisory authorities may impose administrative fines in line with Article 83 GDPR, i.e. up to the greater of €20 million or 4% of total worldwide annual turnover.
How does the right to make data available to third parties interplay with the GDPR?
Data subject rights under GDPR must continue to be respected.
The Act does not itself provide a legal basis to share personal data with third parties. As such, data that is “personal data”, as defined under the GDPR, only has to be made available where the user is the data subject. If the user is not the data subject, personal data can only be made available where there is a valid legal basis for providing such data under Article 6 GDPR (and, in the case of special category personal data, an Article 9 GDPR condition is met).
The Act is not explicit about which party is responsible for ensuring that a legal basis for the data sharing exists. However, the natural conclusion is that it would be the user, since the sharing takes place on their instruction, meaning they would be the controller for that sharing.
Making data available to EU institutions
What data sharing is the Act targeting?
The EU Institutions’ data sharing right is targeted at enabling data sharing in the public interest and to fulfil their public duties. Examples of the types of data sharing that may be anticipated include public health emergencies, emergencies resulting from natural disasters including those aggravated by climate change and environmental degradation, as well as human-induced major disasters, such as major cybersecurity incidents.
What data needs to be made available to EU Institutions?
Article 14 requires “data” to be made available to EU Institutions where they can demonstrate an exceptional need for such data to perform their statutory duties. Such data corresponds to the data that the data holder has control over at the time of the request and must include metadata necessary to interpret and use such data.
The data may include personal data only in limited circumstances, and where it does the data holder must take reasonable efforts to pseudonymise the personal data, insofar as the request can be fulfilled with pseudonymised data.
Who does the obligation to make data available to EU Institutions apply to?
Data holders. See our article on the right of access under the EU Data Act here for an explanation of who a data holder is.
How does the data need to be made available to EU Institutions?
The data needs to be made available online without undue delay.
Is the data holder entitled to compensation for making data available?
Data holders (other than micro and small enterprises) must provide the data free of charge where the exceptional need is a public emergency. In such cases, the EU Institution will make a public acknowledgement of the data holder’s contribution if requested by the data holder. In all other cases, the data holder may charge fair compensation to cover its costs plus a reasonable margin.
What are the obligations on EU Institutions following receipt of the data?
EU Institutions may not use the data in a manner that is incompatible with the purpose for which it was requested, and they must erase the data as soon as it is no longer necessary for such purposes.
Article 19 of the Act places limited prohibitions on EU Institutions in respect of the data. These include not using the data to develop or enhance a connected product or related service that competes with the connected product or related service of the data holder, and not sharing the data with a third party for such purposes.
Is the data sharing mandatory and what is the penalty for non-compliance?
Yes, once a lawful request has been made by an EU Institution, the data sharing is mandatory.
As with the third-party sharing right, the Act leaves it to each Member State to lay down the penalties for failing to comply with these provisions (and Member States are yet to legislate for this). Where the infringement concerns personal data, the GDPR supervisory authorities may impose administrative fines in line with Article 83 GDPR, i.e. up to the greater of €20 million or 4% of total worldwide annual turnover.
How does the right to make data available to EU Institutions interplay with the GDPR?
Guidance from the EU Commission suggests that the focus of Article 14 is on non-personal data and the interplay will depend on whether the exceptional need for the data is for a public emergency:
- in a public emergency, EU Institutions should request non-personal data but, if this is insufficient to respond to the situation, personal data may be requested but the data holder should anonymise (or at the very least pseudonymise) it;
- in non-emergency situations, EU Institutions may only request non-personal data.
Where personal data is within scope of the data requested, Recitals to the Act suggest that it is the requesting EU Institution’s role to demonstrate the necessity and the specific and limited purposes for processing the personal data as part of the request.
Important dates
The right of users to request data holders to share readily available data with third parties, and the right of EU Institutions to request data from data holders applies from 12 September 2025.
Practical steps for compliance
Any business involved with connected products or related services should think about taking the following practical steps:
- Data sharing contracts: Consider developing template data sharing contracts for use with third parties.
- EU Institutions data sharing request: Consider developing a process through which EU Institutions can request data and a checklist to ensure each request is lawful and can be fulfilled.
- Lawful basis assessment: For personal data, users will need to ensure that they have a valid legal basis to allow the data to be shared with third parties. If you are a data holder who is also a controller under the GDPR, you may want to consider requesting the user’s lawful basis assessment prior to sharing readily available data with third parties.
- Transparency and documentation: Update/prepare privacy notices to data subjects setting out the limited circumstance where personal data generated by a connected product or related service may be shared with EU Institutions.
This article first appeared on Lexology. You can find the original version here.