Navigating the EU Data Act
Insights from the Clifford Chance Tech Policy Forum
Introduction
The EU Data Act ("EUDA") is the culmination of many years of debate and work. Parts of it are already applicable, and it comes fully into force on 12 September 2025. It is a pivotal piece of legislation in the broader context of European tech policy, as it directly addresses some of the most pressing global issues in data governance and the digital economy. Companies, the EU institutions, and stakeholders across the data ecosystem are working towards its implementation, but some critical questions remain.
Clifford Chance held the inaugural event of its Tech Policy Forum in Brussels on 2 October 2024 on these questions, and will be holding future meetings on this and other key areas in the rapidly evolving tech policy space, in Brussels and globally.
We were joined at the event by a range of stakeholders, including clients, non-clients and trade bodies for industry discussions that were held under the Chatham House Rule. We were also joined by Malte Beyer-Katzenberger, Policy Officer at the European Commission, a key official in the drafting and implementation of the EUDA and its supporting materials, for a discussion of the issues that emerged in those sessions.
Malte Beyer-Katzenberger summarised the ambition of the EUDA as follows: "The underlying idea is that we want users to have control of their data, and the question is how much control you give them. It is about industrial data. This is also linked to the consideration about how we grow an AI industry. Certain data should become a commodity. If data is the new oil – the companies are the oil wells and we need to "drill" now so that the oil can flow and people have access to it."
This article sets out the main challenges that emerged from the discussion and a summary of the key issues and themes that were discussed. It also places the EUDA in the broader context of European tech policy, and the key global issues that it interacts and deals with.
The EU Data Act in context – regulation, growth, skills and net zero
The EUDA is part of the EU's strategy to seek to ensure that the digital economy remains open and competitive. The EU has a European Data Strategy that "aims to make the EU a leader in a data-driven society" (see the EU Data Strategy page on the EU Commission website, and the 2020 communication on "A European strategy for data").
The largest tech companies have been founded in the USA and China, with the EU lagging significantly. However, the EU has market leaders in the automotive, aerospace, energy, financial, pharmaceutical, healthcare and industrial sectors. These sectors depend on large-scale data flows and innovative data usage to drive future growth. The EU's strategy includes putting into place a legislative and regulatory framework built on a number of key pieces of legislation. Key parts of that framework include the EUDA, the Data Governance Act (DGA), the General Data Protection Regulation (GDPR), the Digital Markets Act (DMA), the Digital Services Act (DSA) and the Artificial Intelligence Act (AI Act).
Regulation is only one part of the bigger picture, which includes fostering continued economic growth, developing skills across societies and continuing to move towards the EU's aim of achieving net-zero.
In its 2024 State of the Digital Decade report, the EU Commission says, "2023 and 2024 have been watershed years for the EU’s leadership in the digital age, and its role as a bolder global-class regulator, inspiring other regions of the world to act." Only time will tell how effective the EU's numerous and complex legislative initiatives will be in achieving their regulatory aims, and the EU's wider economic and social objectives. This article focuses on one of the key initiatives in that landscape – the EUDA.
The challenge – achieving clarity in relation to the implementation of the EUDA
Most of the provisions of the EUDA come into force on 12 September 2025. As of early October 2024, industry stakeholders are still looking for further clarity on implementation.
The EUDA is a complex and ambitious piece of legislation requiring a high volume of analysis, design and resources in relation to compliance. Successful compliance rests on companies having clarity which enables engineering, legal and other teams to carry out implementation. The high-level themes that emerged from the discussion were as follows:
- The need for clarity on the interpretation of the language of the EUDA, particularly regarding the key terms and definitions that determine the scope of application of the EUDA (e.g. the identification of 'related services' or 'readily available data').
- The issue of trust in the relationship between manufacturers, customers and third parties, especially when it comes to the obligation not to use data shared under the EUDA to develop competing products and the application of security and/or trade secret provisions.
- A desire for appropriate flexibility regarding the implementation of the EUDA, in particular having regard to the differences between business models, as not all are consumer-facing, and different approaches to contractual agreements and regulatory requirements in relevant legislation (e.g. the GDPR's lack of notification requirements in case of security handbrakes).
EUDA FAQs
On 13 September 2024, the European Commission issued a non-binding FAQ containing further guidance on the implementation of the EUDA. Whilst the EC's FAQs are helpful, additional clarity on the key issues, explained in further detail below, would be of benefit to companies as they seek to comply.
Some participants also mentioned that it would be desirable to have additional sector-specific guidance or a standardised approach. There was a general consensus on the importance of a continued dialogue and communication with the EC.
Issues that would benefit from further clarification
The following section sets out six key issues that were identified during the discussions as a source of uncertainty for businesses.
Issue 1: Connected products / related services
The current definition of connected products can in theory capture any device connected to the internet. Further clarification on the definition or guidance on how to determine if a product is a connected product would be helpful.
Another difficulty relates to legacy models and systems. Some products, especially those with long lifecycles, were not designed to be connected, but over time have been modified to collect and transmit data. Such modifications may have been made by the manufacturer, the user, or a third-party servicer. In those circumstances, it is unclear whether the products fall into the connected product category and which parties are required to comply with the different EUDA obligations.
Further clarification would also be helpful on how to identify related services, particularly for apps and services linked to multi-function products.
Issue 2: Scope of design obligations
A question was raised about whether manufacturers are expected to design devices to capture and make available data the devices do not use. Malte Beyer-Katzenberger explained that the principle is that data should be shared by the manufacturer if the manufacturer holds the data, e.g., in its IT systems, or uses it in a way that gives a certain benefit. For example, data held for a manufacturer's quality assurance purposes should be shared, but data held purely for the purpose of complying with a legal obligation may not need to be shared.
Direct vs. indirect access
Malte Beyer-Katzenberger explained that, in general, product data/related service data should be made directly accessible, but this is not a direct obligation on design. Articles 3(1) and 4(1) provide flexibility for manufacturers to decide whether to design for direct or indirect access (the reference to "where relevant and technically feasible" was included for this purpose). Such decisions may depend on how much trust the manufacturers can place in the users/third parties who may request the data. Non-compete and privacy by design/data minimisation principles can be reasons for design choices.
Readily available data
Malte Beyer-Katzenberger stated that whether data is readily available data will ultimately depend on the manufacturer's design choices. Businesses find the threshold of "simple operation" to be unclear, hence they would find it useful to be provided with guidance on the estimated time, effort, cost, etc., that would be required for an effort to be considered a "simple operation".
The relationship between anonymised data and readily available data would benefit from further clarity, e.g., to what extent does anonymisation make data not "readily available"? De-anonymisation can require a significant amount of effort. How should de-anonymised data be shared whilst complying with GDPR and the EUDA?
Issue 3: Data portability
Further clarity on the process to be used for complying with data portability requirements would be helpful. For example, would it be sufficient to utilise the process used for complying with the requirements on data portability under the GDPR?
Malte Beyer-Katzenberger stated that businesses utilising the procedures implemented for GDPR compliance would be a "good way of thinking" but noted that the EUDA has an additional emphasis on real-time availability of data, which is similar to what is seen regarding portability under the EU Digital Markets Act.
Issue 4: Security and trade secrets handbrake
Security handbrake: Article 4(2) sets a high bar for a data holder to refuse sharing data due to security considerations. The acceptable security requirements are those laid down by EU and member state law. The EUDA also only refers to security concerns for natural persons and therefore creates uncertainty as to whether wider security concerns, e.g., cybersecurity, and concerns regarding the security of B2B businesses, can be considered as legitimate.
Trade secrets handbrake: There are concerns relating to how the handbrake in Articles 4(6)-(8) and 5(9)-(11) will operate in practice and how it would effectively protect trade secrets, particularly where data is shared with users. The EUDA assumes that all parties will work in good faith, but the concern is what happens when this is not the case. On the one hand, emphasis is placed on the data holders implementing the technical and organisational measures to protect the trade secrets. On the other hand, it is necessary to consider the difficulty often encountered in enforcing protection mechanisms, e.g., enforcing confidentiality agreements.
Notification: Regarding Articles 4(2) and (7), i.e. the notification requirements for the security and trade secret handbrakes, Malte Beyer-Katzenberger explained that the requirement to notify the competent authority, for security and trade secret handbrakes, is to enable them to monitor the use of the handbrakes across the industry. If the authorities observe problematic trends arising, this might provide them with grounds for investigation. Notification is likely required for each data request in respect of which the data holder wishes to rely on the handbrakes. A question arises as to how making such notification would impact the data holder's obligation to give access to the data "continuously and in real-time", as emphasised by the EUDA.
Issue 5: Model Contractual Terms for B2B data sharing ("MCTs") / Standard Contractual Clauses for cloud computing contracts ("SCCs")
Model Contractual Terms and Standard Contractual Clauses for cloud computing contracts should allow for some flexibility, as achieving standardisation for all scenarios would be difficult. MCTs appear to be designed for a scenario where two parties are negotiating a written contract. However, MCTs do not fit well with sales models used by many manufacturers/related service providers where the conclusion of contracts happens online. In essence, all use cases should be respected.
Issue 6: Enforcement
There are concerns regarding the decentralised and fragmented enforcement model, with the risk that different authorities take different positions on similar issues, depending on the EU Member State and the area of specialisation of the relevant authority, i.e. competition authority, telecoms regulator or data protection authority. Such differences in views risk the introduction of inconsistencies across Member States and hence compliance challenges for businesses, as IoT devices are not designed differently for each country and many manufacturers distribute devices to the entire EU.
There are significant concerns regarding how enforcement precedents are likely to develop over time. Since the EC does not plan to issue any further guidance at the moment, businesses run the risk of being found non-compliant despite having expended significant resource in seeking to comply with the EUDA.
Conclusion
The Clifford Chance Tech Policy Forum's inaugural meeting on the EUDA highlighted the complexities and challenges surrounding its implementation. As the Act's provisions come into force in September 2025, stakeholders are grappling with issues of clarity, interpretation, and compliance. The discussions underscored the need for precise definitions, effective communication with engineering teams, and trust in data sharing processes. Flexibility in implementation, sector-specific guidance, and continued dialogue with the European Commission were identified as crucial for successful compliance and implementation.
The EUDA's role within the broader European tech policy framework is pivotal, aiming to foster an open and competitive digital economy. However, the challenges of enforcement, data portability, and security remain significant. The decentralised enforcement model and potential inconsistencies across Member States pose risks for businesses striving to comply.
As the EU continues to position itself as a leader in the digital age, the effectiveness of the EUDA and other legislative initiatives will be closely monitored. Ongoing collaboration and clarity will be essential to navigate the evolving landscape and achieve the EU's wider economic and social objectives.