The EU Data Act is something of an enigma. Its primary focus is ensuring the portability of IoT data and cloud switching rights. However, it includes a range of other provisions, such as disapplying unfair terms in business-to-business data contracts (“Unfair B2B Controls”).

The scope of the Unfair B2B Controls is far from clear, as is the extent to which they would apply to an English law contract. We dive into some messy legal analysis to try to solve this regulatory puzzle.

The scope of the Unfair B2B Controls  

The Unfair B2B Controls are set out in Chapter IV. This states:

“A contractual term concerning access to and the use of data or liability and remedies for the breach or the termination of data related obligations, which has been unilaterally imposed by an enterprise on another enterprise, shall not be binding on the latter enterprise if it is unfair.” (Article 13(1))

Similarly, Article 1(2)(c) states:

“Chapter IV applies to any private sector data accessed and used on the basis of contract between enterprises.”

There are a number of important points to note about this:

• The literal scope of this provision is extraordinarily broad. Many standard form agreements will have terms “concerning access to and the use of data” or “liability and remedies for the breach or the termination of data related obligations”. For example, a law firm’s standard engagement terms will likely contain terms regarding the “use of data” or provisions controlling “liability for the breach of…data related obligations”. Are they in scope?

• These obligations apply to “enterprises”. This term is also very broad and includes any company or individual acting for the purposes of their trade, business, craft or profession. This is distinct from the IoT portability obligations in Chapter II and III which apply to the narrower category of “data holders” and “data recipients”.

• The provision applies automatically and directly to the relevant contracts. The majority of the provision describes how the contract will be affected and when terms will be considered unfair. The exception is Article 13(9) which states that “the parties” to a relevant contract “shall not” exclude, derogate or vary the Unfair B2B Controls.

There are different market positions on scope. Some commentators suggest the Unfair B2B Controls just apply to licences of IoT data under Chapter II and III. However, while IoT data licences are definitely subject to the Unfair B2B Controls (see Article 8(1)) it is not clear they should be limited in this way given Chapter V is expressed as apply to all “enterprises”. Others think the provision is wider and could, for example, apply to cloud computing contracts (here). We understand the EU Commission takes a similarly broad approach to the contracts caught by the Unfair B2B Controls.

These questions will most likely be settled by private parties seeking to rely on the Unfair B2B Controls in disputes in the national courts, with these questions then percolating up to the CJEU. Given the CJEU’s loose teleological approach to interpretation, it is difficult to know what their conclusions will be.

English contracts - EU Data Act v UK Rome I

Regardless of the scope of the Unfair B2B Controls, there are real questions whether they would apply to an English law contract before the English courts.

By way of example, assume a UK company enters into a standard form “data” contract with a Hungarian entity, and that contract is subject to English law and the exclusive jurisdiction of the English courts.

In this situation, the application of the Unfair B2B Controls would be primarily determined by the English courts in light of the assimilated Rome I Regulation (“UK Rome I”). The starting point in business-to-business contracts under UK Rome I is freedom of choice; a contract shall be governed by the law chosen by the parties.  In this case, we have assumed English law has been chosen by the parties. As the EU Data Act is not part of English law, the Unfair B2B Controls will not apply to an English law contract unless an exception applies, e.g. where:

• All other elements relevant to the situation at the time of the choice are located in a country other than the country whose law has been chosen (Article 3(3), UK Rome I). This exception is context specific but is less likely to apply where, for example, one party is based in the UK

• The overriding mandatory provisions of the law in the country in which performance occurs render that performance unlawful. This applies under Article 9(3), UK Rome I and as a matter of substantive English law. Again, this exception is context specific (e.g. does performance take place in the UK, Hungary or elsewhere) and partly depends on whether the EU Data Act applies direct regulatory obligations so as to make the use of the relevant standard form contract illegal (more on this below).

For completeness, regardless of the strict application of the Unfair B2B Controls to English law contracts, there are also jurisdictional/cross border issues to consider. There are indications that, in the EU, unfair terms legislation may be given a status approaching rules of public policy (e.g. Mostaza Claro, C-168/05). If so, in our example enforcing an English law judgment in Hungary might be difficult and/or the Hungarian courts could take jurisdiction notwithstanding the exclusive English jurisdiction clause.

Is there regulatory enforcement risk?

Separately, is there is a potential regulatory risk for a UK company who enters into a standard form “data” contract with an EU counterparty and does not comply with the Unfair B2B Controls? The position here is, if anything, even less clear.

Article 13(9) states that “the parties” to a relevant contract “shall not” exclude, derogate or vary the Unfair B2B Controls. However, the jurisdictional scope of the EU Data Act is set out in Article 1(3) and is completely silent on whether it applies to “enterprises” outside of the Union or at all. This contrasts with the position of “data holders” which are subject to the Data Act “irrespective of their place of establishment” if they make data available to “data recipients” in the Union.

The most obvious answer is that as the Unfair B2B Controls apply directly to relevant contracts, the legislature decided there was no need for direct obligations on “enterprises” to adjust their terms. This conclusion is reinforced by the enforcement provisions. Article 40 contains specific penalties for breach of the IoT obligations (Chapters II, III), but is silent on any penalty for breach of the Unfair B2B Controls in Chapter IV.

For completeness, the UK company might be a “data holder” so directly caught by the EU Data Act even if it doesn’t offer IoT products or services. The term “data holder” also includes those with “the right or obligation” under “applicable Union law or national legislation adopted in accordance with Union law, to use and make available data”. If the UK company has those rights or obligations, it still might be caught qua “data holder”. (Though, even then, perhaps only if the law enters into force after 12 September 2025, as per Article 50. Who knows?).

Things could become clearer when Member States legislate for the EU Data Act. It is a Regulation (so directly effective) but national legislation is still needed to establish a national regulator amongst other things. Those national provisions could include sanctions for enterprises whose standard form contracts infringe the Unfair B2B Controls as part of the general requirement on Member States to provide for penalties for infringements that are effective, proportionate and dissuasive (Article 40).

Next steps?

Like much of the EU Data Act, the further down the rabbit hole you go, the stranger things become. The Unfair B2B Controls apply to contracts concluded after 12 September 2025 so it may not be too long before the courts are called on to solve this puzzle.