EU Data Act Implementation Challenges

Shawn Flaherty
Tranquil Data
Feb 12, 2024

Enforcement of the EU Data Act (“The Act”) will begin in September of 2025. The goal is to lay the foundations of a data economy by providing users of connected products or services with more rights over their data, and subsequently, to increase competition in digital markets. The Act will achieve this goal by (1) compelling user access to connected device data; (2) easing the burden of switching cloud providers; and (3) imposing interoperability requirements for industrial data across the European Union.

Among the three major provisions of the Data Act, the access requirement will demand the most far-reaching modifications to existing business models to achieve compliance. The access provision follows a growing global pattern of allowing individuals more control over their data. Other examples of this pattern include Patient Access, which allows individuals to access claims data from their insurers, and PSD2, which allowed customers access to their banking data.

The Data Act applies in business-to-business and business-to-consumer relationships. The most common example is aftermarket service providers, who will be able to access the data they need to compete with services offered by manufacturers that block access to service data to create a “service moat.” There are other players and use cases, such as Allianz, which is excited to get access to new manufacturer data to unlock new value for its customers:

“Imagine the scenario … when out of the blue, another vehicle runs into you from behind, sending you crashing into the car in front. As you ponder your next move, your phone starts to ring. It’s Allianz; in-vehicle sensors have told us you’ve had a collision, and we’re calling to tell you what to do next. What’s more, you won’t have to worry about those reluctant witnesses fleeing the scene; there will be no doubt as to the sequence of events — it’s all in the data.”

While the EU Data Act holds the promise of unlocking data access and promoting market competitiveness, its implementation faces challenges for both Device and Service Providers, and the third parties like Allianz that wish to access this data.

Challenges — Data Providers

Manufacturers and service providers with an EU presence will fall into one of two categories within the rule. The first category is manufacturers of connected products and related services that have direct access to product and service data. These companies must design, manufacture and/or provide their products and services in a way that allows direct user access to data without having to ask for it.

The second category is for companies (usually the provider of a connected service) where data cannot be directly accessed by users. For this category, the data holder must make data readily available to the user upon request and without undue delay.

For both categories, the data must be of the same quality as is available to the data holder, and provided continuously and in real time. It also must be provided in a comprehensive, structured, commonly used, and machine-readable format.

Challenge One: Data Segmentation

The EU Data Act explicitly states that affected companies do not need to share data that amounts to trade secrets and intellectual property. Given that few IoT companies share this data today, the Act will require segmenting trade secrets and intellectual property data before sharing. This will require both analyzing what data is and is not considered trade secrets and IP, and then the ability to dynamically segment this data based on each product, service, and use case.

Challenge Two: Contracts and Educating Users

Sellers of connected products are obligated to furnish users with comprehensive information about the product’s data capabilities. This includes details on the type, format, and estimated volume of data the connected product can generate. The provided information must be presented in a clear and understandable manner, and include data structures, formats, vocabularies, and classification schemes. Additionally, users should receive adequate details enabling them to exercise their rights, covering aspects like data storage, retrieval, and access. This amount of detail presents challenges at both the user experience and infrastructure levels, as companies must ensure the right users get the right information, and that their access is tailored to the products and services they use.

Challenge Three: Complex Relationships

When several people use a connected product, as in the home or in a business context, the product’s design should let each person access their own data, and allow businesses to extract data for their employees to provide necessary services. In both the home and B2B contexts, organizations will need new ways to model complex relationships and consent frameworks.

Challenge Four: Conflicting Laws

When sharing data, especially sensitive information, businesses must navigate complying with the EU Data Act (release information) while ensuring they do not violate other existing laws or regulations (gate information). The simplest example is a connected healthcare device.

In the healthcare scenario, access privileges vary across EU member states for dependents depending on age or status (e.g. emancipation, wards of the state). Access privileges also must model spousal status (e.g. including married, civil union, divorced) and the rules around how sensitive categories of healthcare data can be shared (e.g. mental health, alcohol and substance abuse, genetics, communicable disease, sexual & reproductive health).

Challenge Five: Sending Data to Third Parties

The Act imposes specific conditions on data holders, requiring them to make data available to third parties upon user request. This makes sense as individual users do not have the technical ability to use the data themselves, and most will not understand the value of this data. Meeting this requirement calls for a consent flow that enables companies to verify that consent has been granted, for what purposes, and for what specific data elements.

Challenges — Data Receivers

Access to data under the EU Data Act holds substantial value for third parties. Access is gated by a crucial factor: user consent. The Act emphasizes the importance of obtaining clear and informed consent, and explicitly prohibits the use of deceptive tactics or “dark patterns” to manipulate user consent. This means that both to comply with the rule and to win the trust of individuals so that they grant their consent, businesses must educate users on what data will be accessed, the specific purpose for collection, and the value individuals get back by sharing their data.

According to the Act, data receivers must also ensure that they limit their use of the data to what was agreed to with the user. This means building a smart governance solution to ensure that data is only used as intended.

If the EU Data Act is a topic of interest we would love to talk: info@tranquildata.com
