Series
Blogs
Series
Blogs
The EU Data Act is something of an enigma. Its primary focus is ensuring the portability of IoT data and cloud switching rights. However, it includes a range of other provisions, such as disapplying unfair terms in business-to-business data contracts (“Unfair B2B Controls”).
The scope of the Unfair B2B Controls is far from clear, as is the extent to which they would apply to an English law contract. We dive into some messy legal analysis to try to solve this regulatory puzzle.
The Unfair B2B Controls are set out in Chapter IV. This states:
“A contractual term concerning access to and the use of data or liability and remedies for the breach or the termination of data related obligations, which has been unilaterally imposed by an enterprise on another enterprise, shall not be binding on the latter enterprise if it is unfair.” (Article 13(1))
Similarly, Article 1(2)(c) states:
“Chapter IV applies to any private sector data accessed and used on the basis of contract between enterprises.”
There are a number of important points to note about this:
There are different market positions on scope. Some commentators suggest the Unfair B2B Controls just apply to licences of IoT data under Chapter II and III. However, while IoT data licences are definitely subject to the Unfair B2B Controls (see Article 8(1)) it is not clear they should be limited in this way given Chapter V is expressed as apply to all “enterprises”. Others think the provision is wider and could, for example, apply to cloud computing contracts (here). We understand the EU Commission takes a similarly broad approach to the contracts caught by the Unfair B2B Controls.
These questions will most likely be settled by private parties seeking to rely on the Unfair B2B Controls in disputes in the national courts, with these questions then percolating up to the CJEU. Given the CJEU’s loose teleological approach to interpretation, it is difficult to know what their conclusions will be.
Regardless of the scope of the Unfair B2B Controls, there are real questions whether they would apply to an English law contract before the English courts.
By way of example, assume a UK company enters into a standard form “data” contract with a Hungarian entity, and that contract is subject to English law and the exclusive jurisdiction of the English courts.
In this situation, the application of the Unfair B2B Controls would be primarily determined by the English courts in light of the assimilated Rome I Regulation (“UK Rome I”). The starting point in business-to-business contracts under UK Rome I is freedom of choice; a contract shall be governed by the law chosen by the parties. In this case, we have assumed English law has been chosen by the parties. As the EU Data Act is not part of English law, the Unfair B2B Controls will not apply to an English law contract unless an exception applies, e.g. where:
For completeness, regardless of the strict application of the Unfair B2B Controls to English law contracts, there are also jurisdictional/cross border issues to consider. There are indications that, in the EU, unfair terms legislation may be given a status approaching rules of public policy (e.g. Mostaza Claro, C-168/05). If so, in our example enforcing an English law judgment in Hungary might be difficult and/or the Hungarian courts could take jurisdiction notwithstanding the exclusive English jurisdiction clause.
Separately, is there is a potential regulatory risk for a UK company who enters into a standard form “data” contract with an EU counterparty and does not comply with the Unfair B2B Controls? The position here is, if anything, even less clear.
Article 13(9) states that “the parties” to a relevant contract “shall not” exclude, derogate or vary the Unfair B2B Controls. However, the jurisdictional scope of the EU Data Act is set out in Article 1(3) and is completely silent on whether it applies to “enterprises” outside of the Union or at all. This contrasts with the position of “data holders” which are subject to the Data Act “irrespective of their place of establishment” if they make data available to “data recipients” in the Union.
The most obvious answer is that as the Unfair B2B Controls apply directly to relevant contracts, the legislature decided there was no need for direct obligations on “enterprises” to adjust their terms. This conclusion is reinforced by the enforcement provisions. Article 40 contains specific penalties for breach of the IoT obligations (Chapters II, III), but is silent on any penalty for breach of the Unfair B2B Controls in Chapter IV.
For completeness, the UK company might be a “data holder” so directly caught by the EU Data Act even if it doesn’t offer IoT products or services. The term “data holder” also includes those with “the right or obligation” under “applicable Union law or national legislation adopted in accordance with Union law, to use and make available data”. If the UK company has those rights or obligations, it still might be caught qua “data holder”. (Though, even then, perhaps only if the law enters into force after 12 September 2025, as per Article 50. Who knows?).
Things could become clearer when Member States legislate for the EU Data Act. It is a Regulation (so directly effective) but national legislation is still needed to establish a national regulator amongst other things. Those national provisions could include sanctions for enterprises whose standard form contracts infringe the Unfair B2B Controls as part of the general requirement on Member States to provide for penalties for infringements that are effective, proportionate and dissuasive (Article 40).
Like much of the EU Data Act, the further down the rabbit hole you go, the stranger things become. The Unfair B2B Controls apply to contracts concluded after 12 September 2025 so it may not be too long before the courts are called on to solve this puzzle.
24 July 2025
Up next