Europe's Data Act reshapes connected device rules for marketers

The European Data Act entered into force on December 22, 2023, establishing comprehensive rules for accessing and sharing data generated by connected devices across the European Union. According to the regulation published in the Official Journal of the European Union, most provisions became applicable on September 12, 2025, fundamentally changing how businesses handle data from Internet of Things devices, cloud services, and digital platforms.

The regulation targets data generated by connected objects—devices that obtain, generate, or collect information about their performance, usage, or environment and communicate through electronic services or physical connections. This encompasses vehicles, health wearables, smart thermostats, industrial machines, and any device capable of transmitting data electronically. For marketing professionals relying on connected device data for audience insights, attribution modeling, or campaign optimization, the regulation introduces mandatory data access obligations that override previous contractual restrictions.

Connected device manufacturers face September 2026 design deadline

Manufacturers must design connected products and associated services to make data directly accessible to users by September 12, 2026. The French data protection authority CNIL explained in its December 22, 2025 guidance that this requirement applies to all devices communicating data through internet or other public networks. The obligation extends beyond simple data extraction—manufacturers must provide information in complete, structured, commonly used, and machine-readable formats at no cost to users.

Data holders cannot restrict access through technical barriers or impose fees for user data retrieval. The regulation defines "easily accessible data" as product data and connected service data that holders obtain or can legally obtain from devices without disproportionate effort. According to CNIL, this includes data intentionally recorded by users and data resulting indirectly from user actions, such as environmental information or device interactions.

The design requirements specifically target the asymmetry in data access between manufacturers and users. Connected watch manufacturers must enable users to retrieve health tracking data. Vehicle manufacturers must provide drivers access to telemetry information. Smart home device makers must allow homeowners to extract usage patterns and environmental readings. These obligations apply regardless of existing contractual terms limiting data access or usage.

Users gain rights to share IoT data with third parties

Users of connected products obtained explicit rights to share their data with third-party service providers starting September 12, 2025. According to the regulation's Article 5, when users or parties acting on their behalf request data sharing, holders must make information available to designated recipients without delay. The data must match the quality level available to the holder, provided free of charge to users, and delivered in complete, structured, machine-readable formats.

This provision enables competitive after-sales services, auxiliary offerings, and innovation based on device-generated data. A vehicle owner can authorize an independent mechanic to access diagnostic information previously restricted to manufacturer-approved service centers. Smart home users can share thermostat data with third-party energy optimization services. Wearable device owners can transmit health metrics to independent fitness applications beyond manufacturer ecosystems.

Brussels recently proposed substantial GDPR amendments allowing AI developers broader data processing capabilities, creating potential tension with Data Act restrictions. The regulation prohibits third parties from using shared data to develop competing connected products or obtain competitive intelligence about data holders. Recipients cannot profile users unless strictly necessary for requested services and must delete information when no longer needed for agreed purposes, except with explicit consent for non-personal data retention.

The Data Act specifically excludes companies designated as "gatekeepers" under the Digital Markets Act from receiving data through user sharing provisions. This means Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft cannot leverage these data access rights, preventing dominant platforms from using regulatory mechanisms to expand data collection beyond existing capabilities.

Cloud service switching costs eliminated by January 2027

Cloud computing providers must facilitate customer transitions to alternative services or on-premise infrastructure, with all switching fees eliminated by January 12, 2027. According to Article 29, providers can impose reduced switching fees from January 11, 2024 through January 12, 2027, but only covering costs directly attributable to individual migration requests. After the transition period, any switching fees—including data transfer charges—become prohibited.

The regulation addresses lock-in effects preventing businesses from changing cloud service providers. European Commission launched market investigations on November 18, 2025 examining whether Amazon Web Services and Microsoft Azure should face Digital Markets Act gatekeeper designation, highlighting regulatory scrutiny of cloud market concentration.

Providers must complete switching processes within maximum 30-day transition periods following customer notifications, maintaining service continuity and security throughout migrations. Technical impossibilities extending this timeline require documented justification within 14 working days, with alternative periods capped at seven months. Customers retain rights to extend transition periods once for durations they determine appropriate for their operational requirements.

The switching framework mandates that providers supply comprehensive information about migration procedures, data formats, technical limitations, and estimated completion timelines. Article 26 requires online registries detailing data structures, formats, and interoperability specifications for exportable information. Providers cannot impose contractual obstacles preventing service decoupling or create technical barriers hindering migrations to competing platforms or private infrastructure.

Public sector gains exceptional data access for emergencies

Government authorities, the European Commission, the European Central Bank, and EU bodies can compel private data holders to provide information during exceptional need situations. Article 15 defines exceptional needs as time-limited circumstances including public health emergencies, natural disasters, major cybersecurity incidents, or urgent public interest missions explicitly authorized by law.

For emergency situations, public entities can request both personal and non-personal data when necessary to respond effectively and when data cannot be obtained through alternative means with equivalent speed and efficiency. Requests must specify needed information, demonstrate exceptional need justification, explain intended data usage, identify potential third-party sharing, and detail technical measures protecting privacy when personal information is involved.

In non-emergency exceptional circumstances, authorities can only request non-personal data for specific public interest missions like official statistics production or emergency recovery. These requests require exhausted alternative acquisition methods, including market purchases at standard prices or existing legal obligations. Providers must respond within five working days for emergency requests and 30 working days for other exceptional needs.

The French government recently acknowledged limitations in protecting data from foreign access despite sovereignty requirements, demonstrating practical challenges in data governance that the Data Act attempts to address through explicit legal frameworks. Data holders can challenge requests before competent authorities when circumstances don't meet regulatory criteria or when disclosure risks serious economic harm despite protective measures.

Compensation frameworks differ by request type. Microenterprises and small enterprises can claim reimbursement even for emergency responses. Other businesses provide emergency data free but receive reasonable compensation for non-emergency exceptional needs, covering technical and organizational costs plus reasonable margins. National statistics authorities in jurisdictions prohibiting data purchases for official statistics cannot compensate providers.

Marketing technology faces compliance obligations

The regulation directly impacts marketing technology operations relying on connected device data for targeting, measurement, and analytics. Smart speaker interactions, connected television viewing patterns, automotive infotainment engagement, and wearable device usage all generate data subject to Data Act provisions. Marketing platforms aggregating this information must enable user data extraction and third-party sharing upon request.

Consent management platforms and customer data platforms processing connected device information face obligations to facilitate data portability. Google recently launched enhanced first-party data tools including Tag Diagnostics and integrated consent management, reflecting broader industry preparation for strengthened data access requirements. Attribution systems tracking cross-device consumer journeys must accommodate user rights to retrieve complete interaction histories and share information with independent measurement providers.

The prohibition on using shared data for competitive product development restricts how marketing technology vendors can leverage information obtained through Data Act mechanisms. A company receiving smart home data through user-authorized sharing cannot use that information to build competing home automation products. Advertising technology firms accessing connected vehicle data for campaign targeting cannot develop rival automotive dashboards or navigation systems.

Trade secret protections remain intact despite data sharing obligations. Data holders can identify proprietary information and require confidentiality agreements before disclosure. However, refusing data access solely based on trade secret claims is prohibited—holders must implement technical and organizational measures preserving confidentiality while enabling legitimate access. In exceptional circumstances demonstrating severe economic harm risk despite protective measures, holders can reject specific data requests on case-by-case bases.

Contractual terms limiting user data access rights are unenforceable under Article 7. Any clause excluding, modifying, or limiting user rights to data generated by connected products has no binding effect. This invalidates common contract provisions restricting data extraction, prohibiting third-party sharing, or imposing fees for information access. The regulation treats such restrictions as unfairly imposed terms that disadvantage users regardless of business size or negotiating power.

Business-to-business data sharing gets fairness requirements

When Union law or conforming national legislation mandates data sharing between businesses, providers must offer access on fair, reasonable, non-discriminatory, and transparent terms. Article 8 establishes that compensation for mandatory data sharing can include margins unless recipients are small or medium enterprises or non-profit research organizations. For those entities, compensation is capped at direct costs attributable to individual sharing requests.

The European Commission must adopt guidelines calculating reasonable compensation considering investments in data collection and production, sharing costs including formatting and electronic distribution, and whether other parties contributed to data generation. Compensation can vary based on data volume, format, and nature. Long-term agreements or subscription models may reduce per-transaction costs compared to individual requests.

Germany pushed for GDPR simplification measures in October 2025, arguing administrative burdens particularly affect organizations with fewer than 750 employees. The Data Act's compensation framework attempts balancing legitimate cost recovery with preventing excessive charges that effectively block market access for smaller competitors.

Non-discrimination requirements prohibit varying terms between comparable recipient categories. When recipients question whether conditions are discriminatory, data holders must provide evidence demonstrating absence of discrimination. Objective justifications for different treatment—such as technical requirements, security considerations, or legitimate business distinctions—can support varied terms across recipient groups.

Dispute resolution mechanisms provide alternatives to litigation when parties cannot agree on fair, reasonable terms. Certified dispute resolution bodies must offer impartial, independent decisions using clear, non-discriminatory, equitable procedures. These bodies need relevant expertise on fair compensation, data access transparency, and reasonable sharing conditions. Resolutions should occur within 90 days of receiving dispute requests, with written decisions providing explanatory reasoning.

International data access faces strict controls

Article 32 addresses cross-border government access to non-personal data held in the European Union. Cloud service providers must take adequate technical, organizational, and legal measures preventing international authority access conflicting with Union or member state law. Any foreign court judgment or administrative decision requiring EU-held data transfer is only enforceable when based on international agreements like mutual legal assistance treaties between requesting countries and the Union or member states.

Without applicable international agreements, providers can only comply with foreign data demands meeting specific conditions. Requesting country legal systems must require exposing proportionality reasons and decision specificity. Recipients must have access to motivated objections reviewed by competent foreign courts empowered to consider relevant legal interests protected under Union or member state law.

Providers should inform customers of foreign authority data requests before granting access, unless prohibited for law enforcement purposes and only as long as necessary for effectiveness. Machine-readable consent signals proposed by Europe in November 2025 demonstrate parallel efforts strengthening user control over information flows across regulatory frameworks.

When providers believe foreign decisions conflict with Union interests regarding national security, defense, or business confidentiality, they can seek guidance from national authorities or competent bodies on whether data concerns strategic interests. Providers receiving no response within one month or receiving opinions that conditions aren't satisfied can reject transfer requests for those reasons. The European Data Innovation Board will advise the Commission on guidelines assessing compliance with international access conditions.

Interoperability standards mandate coordination

The regulation establishes essential interoperability requirements for data spaces—interoperable frameworks of sector-specific or cross-sector standards and common practices enabling data sharing. Participants offering data or data services to others must ensure content descriptions, usage restrictions, licenses, collection methods, quality indicators, and uncertainty metrics are sufficiently described in machine-readable formats enabling discovery, access, and utilization.

Data structures, formats, vocabularies, classification systems, taxonomies, and code lists require publicly accessible, consistent descriptions. Technical access means like application programming interfaces need sufficient documentation covering usage conditions and service quality to enable automated data access and transmission between parties, including continuous, bulk download, or real-time formats when technically feasible.

European data protection authorities coordinate DSA-GDPR compliance through guidelines adopted September 11, 2025, addressing overlapping obligations across digital regulations. The Data Act's interoperability provisions add another layer requiring technical coordination beyond privacy and content moderation frameworks.

The Commission can adopt common specifications through implementing acts when harmonized standards aren't available or sufficient. Before preparing common specifications, authorities inform relevant standardization committees that conditions necessitating specifications are met. Common specifications address situations where European standardization organizations either haven't accepted Commission requests, haven't delivered standards within determined timeframes, or produced insufficient standards for essential requirements.

Smart contracts face mandatory safety requirements

Vendors of applications using smart contracts or persons deploying smart contracts for third parties must ensure automated agreement execution tools meet essential requirements for robustness, access control, safe termination, data archival continuity, and consistency with underlying data sharing agreements. Article 36 establishes that smart contract operators must conduct conformity assessments and issue EU conformity declarations demonstrating compliance.

Smart contracts require design ensuring high robustness levels avoiding functional errors and resisting third-party manipulation attempts. Systems must incorporate mechanisms enabling transaction execution termination with internal functions resetting contracts or instructing operation cessation or interruption, particularly preventing accidental future executions. When contracts terminate or deactivate, transaction data archival, logic preservation, and code retention must enable past operation verification.

Rigorous access control mechanisms at governance and contract levels protect smart contract integrity. Automated execution must maintain consistency with data sharing agreement provisions the contract implements. Harmonized standards or common specifications create presumptions of conformity when smart contracts satisfy referenced requirements within coverage scopes.

The European Data Innovation Board, established under the Data Governance Act, advises the Commission on smart contract standardization requests and common specification adoption. Member states can inform the Commission when common specifications don't fully satisfy essential requirements, triggering specification evaluations and potential implementing act modifications.

Enforcement begins with designated authorities

Each member state designated one or more competent authorities responsible for Data Act application and execution by September 12, 2025. States appointing multiple authorities must designate data coordinators among them facilitating cooperation and assisting entities on all regulation-related questions. Competent authorities remain impartial, free from external influence, and maintain sufficient human resources, technical capabilities, and appropriate expertise for effective mission accomplishment.

Authority missions include promoting data literacy, raising awareness about rights and obligations, handling infringement complaints, conducting application investigations, imposing effective, proportionate, dissuasive financial sanctions, monitoring relevant technological and commercial developments, cooperating with other member state authorities, and coordinating with sectorial authorities ensuring consistent Data Act application relative to other Union and national legal provisions.

GDPR enforcement data shows low fine rates with only 1.3% of cases resulting in monetary penalties between 2018 and 2023 across European authorities, raising questions about whether Data Act enforcement will achieve greater consistency. Sanctions must account for infringement nature, gravity, scale, duration, mitigation measures, previous violations, financial benefits obtained, and economic capacity considering annual Union turnover.

Entities established in multiple member states fall under jurisdiction of states where principal establishments are located—where social or statutory seats are located and main financial functions and operational control are exercised. Entities not established in the Union but making connected products available or offering connected services must designate legal representatives in member states, creating single points of contact for competent authority communications.

Individuals and legal entities can lodge complaints with competent authorities in member states where they have habitual residence, workplace, or establishment if they believe regulation rights were infringed. Coordinators provide necessary information for complaint submissions upon request. Authorities inform complainants of procedure progress and decisions according to national law, with authorities cooperating to manage complaints efficiently and rapidly.

Timeline

The regulation's phased implementation allows gradual compliance across different obligations:

• December 13, 2023: Data Act officially adopted by European Parliament and Council establishing harmonized data access and usage rules
• January 11, 2024: Regulation entered into force, beginning transition periods for various compliance requirements
• September 12, 2025: Most provisions became applicable, including user data access rights, third-party sharing obligations, cloud switching frameworks, and exceptional public sector access
• September 12, 2026: Manufacturers must design connected products enabling direct user data access where technically possible
• September 12, 2027: Unfair contractual clauses prohibition applies to contracts concluded before September 12, 2025
• January 12, 2027: Cloud service providers must eliminate all switching fees, completing three-year reduction period
• December 3, 2024: European Data Protection Board outlined strategic vision harmonizing GDPR with emerging digital legislation
• April 17, 2025: EU's GDPR Procedural Regulation created complex enforcement framework rather than streamlining cooperation mechanisms
• November 18, 2025: European Commission launched cloud computing investigations examining AWS and Azure for potential DMA gatekeeper designation
• November 14, 2025: Europe proposed machine-readable consent signals allowing browser-level privacy preference settings
• November 10, 2025: Commission proposed GDPR amendments establishing AI training as legitimate interest basis

Summary

Who: The European Parliament and Council adopted the Data Act affecting connected device manufacturers, cloud service providers, data holders, users, third-party service providers, public sector bodies, and marketing technology companies across the European Union. The French data protection authority CNIL published implementation guidance, while competent authorities in each member state enforce compliance.

What: The regulation establishes harmonized rules governing data access from connected devices, mandating that manufacturers design products enabling direct user data retrieval, users can share information with third parties, cloud providers must facilitate switching without fees by 2027, public authorities can compel data access during exceptional needs, and interoperability standards guide data space development. Contractual terms limiting user data access rights are unenforceable, and designated gatekeepers under the Digital Markets Act cannot receive data through user sharing provisions.

When: The Data Act entered into force on January 11, 2024, with most provisions applicable from September 12, 2025. Connected product design obligations take effect September 12, 2026. Cloud switching fee elimination deadline is January 12, 2027. Unfair contract prohibitions apply to pre-September 2025 agreements starting September 12, 2027.

Where: The regulation applies throughout the European Union and European Economic Area, affecting manufacturers regardless of establishment location when products are made available in Union markets, cloud service providers serving Union customers, data holders making information available to Union recipients, and public sector bodies within member state jurisdictions.

Why: The regulation addresses obstacles preventing optimal data distribution across society, including absence of data sharing incentives, uncertainty about data rights and obligations, technical interface costs and implementation challenges, information fragmentation in data silos, poor metadata management, lack of semantic and technical interoperability standards, data access bottlenecks, and contractual imbalance exploitation regarding data access and usage rights.