EU – The “Data Act”: New rules on switching cloud services and IoT data
The EU has recently taken another step towards the implementation of its digital reform agenda by adopting Regulation (EU) 2023/2854 on harmonised rules on fair access to and use of data – more commonly known as the Data Act.
Like much of the EU’s new digital package, the name of the instrument does not always clearly explain what it actually does. Here, the Data Act covers four main areas:
- Cloud providers will have to help their customers switch providers.
- Providers of Internet of Things devices, and related services, must make data available to users and, potentially, third parties.
- Unfair terms in standard form business-to-business data licences will not be binding.
- Public authorities and EU bodies will be given new rights to ask for pseudonymised personal data and non-personal data where they have an exceptional need for that data.
Most of these provisions apply from 12 September 2025 (although some obligations are deferred to a later date). Further details about the EU’s wider package of reform are available in our EU Digital Package Handbook.
The Data Act contains new obligations on the providers of cloud services to enable their customers to switch to other cloud providers or to take the processing in-house.
These obligations apply to “data processing services”. While this sounds broad, it is defined by reference to digital services that enable ubiquitous and on-demand access to a shared pool of configurable, scalable and elastic computing resources that can be rapidly provisioned with minimal effort. In other words, cloud services.
However, this is not limited to commodity cloud services. While the definition of data processing services refers to those that can be “rapidly provisioned and released with minimal management effort or service provider interaction” (Article 2(8)), there are specific provisions in Article 31 which make it clear that these obligations also apply to custom-built services that are not offered on a broad, commercial scale.
The providers of cloud services will have the obligations set out below. Importantly, these are all expressed in high-level terms – working out how to implement them in practice is unlikely to be straightforward and will likely raise complex technical questions in many cases.
- Good faith: All parties will be under a general duty to cooperate in good faith to make the switching effective and timely and to ensure the continuity of the relevant service.
- Contractual commitments: Providers will need to make significant new contractual commitments to facilitate switching. By way of example, this includes that: (a) the customer can trigger the switching process at any time by giving a maximum of two months’ notice; (b) the data must then be ported to a new provider within 30 days (extendable to up to seven months if this is not technically feasible); and (c) the provider must provide an exhaustive specification of all categories of data that can be ported as part of the switching process, including at a minimum all exportable data.
- No charges for switching (eventually): The provider can only charge for costs directly incurred by the switching process and must phase out all such charges by January 2027.
- Functional equivalence for IaaS: There are complicated provisions intended to allow customers of Infrastructure-as-a-Service (IaaS) services to obtain “functional equivalence” from a new cloud provider. Functional equivalence is described as ensuring the new cloud service can deliver materially comparable outcomes in response to the same inputs. This is likely to raise numerous practical and technical implementation issues. Open specifications and standards are likely to play an important role in determining how the obligation works in practice.
- Standards and parallel running: Significant emphasis is placed on cloud providers complying with relevant open specifications and standards. This includes helping facilitate in-parallel use of multiple cloud services, i.e. the ability to share the computing workload across multiple different cloud providers who provide interoperable services.
- Prohibition on third country access: There are new provisions that require cloud providers to take appropriate measures to prevent third countries accessing or transferring non-personal data, where that would be in breach of EU or Member State law. In particular, third-country orders for the disclosure of non-personal data should only be enforceable if based on an international agreement (such as an MLAT) or if certain strict provisions are satisfied.
Internet of Things data
With the number of devices connected to the internet steadily increasing, the Internet of Things has become a reality. However, only a small part of the data generated by these devices is used and the economic value in the data is available only to a few large companies.
The EU Data Act addresses this by imposing new obligations on those providing “connected products” (i.e. devices that collect data and communicate that data via an electronic communications service) and related services. The obligations generally relate to “product data” (which is data intended to be retrieved from the connected product) and service data.
The key obligations are:
- User rights to IoT data: Connected devices, and related services, must be designed so that product and service data is, by default, in a comprehensive, structured, commonly-used and machine-readable format. Where technically feasible, that data should be directly accessible by the user – but, if not, it should be provided on request.
- New disclosure obligations: Providers of connected devices, and related services, must inform users of the data collected, and the data made available to the user, prior to entering into a contract.
- Right to share IoT data with third parties: Users can ask that this data, to the extent readily available, is made directly available to a third party, where feasible, continuously and in real time. The data must be made available on FRAND terms and the third party may have to pay to access that data. However, large technology companies, designated as “gatekeepers” under the Digital Markets Act, are not eligible third parties to receive data on a user’s request.
- Removal of database rights for IoT data: The sui generis database right will not apply to product or service data.
- Protection for personal data, security data and trade secrets: Various additional protections may apply where the data contains personal data, trade secrets or could undermine the security of the relevant connected products. For example, data holders may require users to preserve the confidentiality of data considered to be trade secrets, such as through confidentiality agreements, strict access protocols, or technical standards.
The obligations in the Data Act are potentially onerous for product manufacturers. There is interest in these new rights in some sectors, such as the automotive industry. However, the scope of these provisions is very broad and it is not immediately clear that the data from some connected products (for example, eToys or smart televisions) would be of any real economic interest to users or third parties.
Unfair standard form business-to-business data licences
Unfair terms in a standard-form business-to-business data licence will not be binding. The definition of an unfair term broadly follows the structure used for unfair consumer terms, i.e.:
- Unfair terms are generally defined to be terms that grossly deviate from good commercial practice in data licensing, contrary to good faith and fair dealing.
- Some terms are blacklisted and so automatically unfair, e.g. excluding liability for deliberate breach or gross negligence.
- Some terms are grey listed and so presumed unfair, e.g. unilateral rights to change the price save in certain cases and subject to the right of the licensee to terminate.
- Terms relating to the main subject matter of the contract or price are excluded from any fairness assessment.
Importantly, these provisions appear to be of general application, and are not just limited to IoT data.
Public body access to data
Finally, public sector bodies and EU institutions have a right to request data from private sector entities to fulfil their public functions where there is an exceptional need to do so.
In the case of a public emergency, this right extends to both personal and non-personal data, albeit the personal data must be first anonymised or pseudonymised. This data must be made available free of charge.
In other cases of exceptional need, this right is limited to non-personal data and the holder of data is entitled to fair compensation.
Brexit – Position in the UK
While the UK is mirroring some aspects of the EU Digital Package, there is no equivalent measure to the EU Data Act.
The UK has proposed some new data portability rights in the Data Protection and Digital Information Bill but they are likely to be much more targeted than the broad obligations in the EU Data Act. Ofcom also issued a report into the cloud services market in October 2023 that included a referral of the market for public cloud infrastructure to the UK Competition and Markets Authority. That could lead to new remedies in the UK to enable cloud switching.
The Regulation (EU) 2023/2854 on harmonised rules on fair access to and use of data is here.
Our EU Digital Package Handbook is here.