From Sept. 12, 2025, the European Data Regulation (Data Act) will go into effect. This new legislation should encourage the sharing and use of data, strengthen the position of users of connected devices and cloud services and counter unfair contract terms. During our knowledge session, Jan Baas, attorney/partner at La Gro, explained the most important changes.
The regulation is broad in scope and applies to all sectors and types of data (not just personal data). It includes data arising from connected devices (such as smart watches, cars or machines), as well as cloud services and contracts between companies in which data plays a role. The regulation aligns with existing privacy laws such as the AVG, but goes much further in certain respects.
One of the key points is the principle of "data access by design." New devices should be designed so that users can automatically access the data they generate. In addition, users can more easily share their data with third parties, such as a repairman, an insurer or a competitor of the original supplier. This should encourage innovation and competition.
At the same time, there are restrictions on use: companies that have access to data may only use it if they have contractually agreed to do so. The data may not be used to undermine the user's position or resold to third parties outside the agreements.
Cloud providers are subject to exit arrangements to facilitate switching. Contract terms must provide reasonable assistance and transparency about business continuity risks. Switching fees will be completely eliminated by Jan. 12, 2027. In addition, requirements around interoperability and measures to prevent international government access will apply, with a duty to inform customers.
The Data Regulation introduces a gray and black list for B2B agreements on data access and use. Provisions imposed unilaterally or limiting liability in violation of good faith and fair dealing, for example, are invalid.
Blacklist: including exclusion of remedies for noncompliance, or unilaterally determining whether data is compliant.
Gray list: including improperly limiting remedies, extensively restricting use by the other party, or unilateral modification clauses without valid reason.
These rules apply to contracts entered into after Sept. 12, 2025. From Sept. 12, 2027, they will also apply to open-ended contracts and after Jan. 11, 2034, to all current contracts.
The Data Regulation is seen as a fundamental step in the development of a fair data economy. Companies would be wise to timely align their products, contracts and processes with the new obligations imposed by the regulation.
