EU Data Act Comes into Force

29 September 2025

On 12 September 2025 the bulk of the EU Data Act began to apply in the EU. The Act sits alongside the GDPR and is designed to give consumers and businesses greater control over the data generated by their smart devices.

The Act regulates connected products (e.g. smart TVs, watches, vacuum cleaners) which together make up the Internet-of-Things (“IoT”). While these products have become widespread in recent years, concerns remain that the large volumes of data they collect could lead to monopolistic practices. For example, concerns have been raised about the amount of data Google will have on users when it combines its existing products with information gathered by Fitbit (which it acquired in 2021).

A core objective of the Act is facilitate data sharing and competition between businesses which collect data within the IoT. It contains a number of provisions, which include:

Giving users the ability to freely access, use and port data generated by their devices. That means, for example, the providers of smart watches (Apple, Google, Samsung etc) must make the data they generate available to their competitors.
Requiring providers of cloud/ edge computing services to meet minimum standards to enable switching and interoperability. For example, data holders must comply with requests to make data available in a commonly used, machine readable format. This, the EU hopes, will help drive competition between businesses.
Banning certain unfair contractual terms.
During public emergencies authorities can require data to be shared with them.

The Act does not apply directly to the UK, but any UK-based providers of IoT products must comply in order to sell their products in the EU. As a result, it is likely the Act will be of relevance. The UK is also introducing the Data (Use and Access) Act 2025, which has similar objectives.