EU Data Act Imposes New Data Sharing Obligations
Alerts
March 25, 2025

As of September 12, 2025, the EU Data Act will impose new obligations concerning the sharing of, and access to, data generated by certain products and services offered in the EU. This alert highlights the data sharing obligations for providers of connected devices and related services.

Background

The Data Act imposes data-sharing obligations on certain companies processing data, in particular, companies operating in the IoT sector (e.g., smart home devices, wearables, connected cars, industrial equipment). The Data Act has extraterritorial effect, meaning that it applies to businesses providing products or services in the EU, irrespective of where they are established. It is part of the EU Commission's European Digital Strategy that also includes other data-related laws (e.g., the AI Act, the Data Governance Act, the Digital Services Act).

New Data Sharing Requirements

By September 12, 2025, covered businesses should be capable of granting users access to their raw usage data upon request, provided that the data is “readily available” to the business (e.g., data collected from a sensor, usage data generated by a user interface or via a related service). Businesses must also provide access to any metadata that is necessary to contextualize the raw data (e.g., timestamps).

By contrast, information inferred or derived from such raw data, which is the outcome of additional investments into the data (e.g., by means of proprietary, complex algorithms), is out of scope. In practice, the distinction between raw usage data and derived data may not be clear-cut, and businesses will need to carefully assess their obligations regarding the various data elements they hold.

Businesses are expected to adapt their processes to ensure that users can access their data upon request. This may involve reviewing how and when data is uploaded to their servers. In addition, businesses must ensure that data retrieval is free of charge and secure (e.g., by providing the data through the user account). Businesses must also make the data available to a third party if requested by a user. Products placed on the EU market after September 12, 2026, must be designed in a manner that provides users with direct access to the raw usage data.

We recommend reviewing the EU Commission’s Data Act FAQs for guidance on some practical issues of Data Act compliance.

Next Steps

The Data Act will be enforced by national regulators in each EU country, subject to penalties under local laws. These regulators may closely monitor compliance and take action against companies that deny users access to their data. As the Data Act approaches its effective date, businesses should proactively prepare for compliance by assessing and enhancing their data transmission processes (e.g., identifying relevant data in their datasets that may be covered, setting up processes to enable data retrieval and data sharing, and updating internal data access request handling policies).

Wilson Sonsini Goodrich & Rosati routinely advises clients on EU data regulatory issues. For further inquiries about the EU’s Data Act and other data regulations, please contact Laura De Boel, Laura Brodahl, or any attorney from Wilson Sonsini’s EU Data, Privacy, and Cybersecurity practice.

Contributors

  • Laura Brodahl
  • Laura De Boel
Copyright © 2026 Wilson Sonsini Goodrich & Rosati. All Rights Reserved.