On 12 September 2025, the Data Act (EU Regulation 2023/285), a key cornerstone of the EU’s data strategy, became applicable across the EU. The Data Act empowers users (comprising both consumers and businesses) by giving them greater control over the data generated by their connected devices and related services.
The Data Act has arguably slipped under the radar with recent focus in the EU on building frameworks to ensure compliance with the new regulatory regimes around AI and cybersecurity measures. However, given the breadth of entities that can be in scope, particularly as a result of the broad extra-territorial rules, and the significant fines for non-compliance, businesses must assess the potential application of the Data Act to their products and services.
While the Data Act is directly applicable in Ireland without further implementing legislation, certain aspects (such as national supervision and enforcement of the Data Act) will be specified in Irish implementing legislation. The General Scheme of the Data Act (the “General Scheme”) was published on 4 February 2026 and provides for the appointment of the Commission for Communications Regulation (“ComReg”) and Competition and Consumer Protection Commission (“CCPC”) as the designated national competent authorities responsible for enforcing the Data Act. The General Scheme further sets out how these competent authorities will execute their powers and functions and provides for the imposition of administrative fines.
In this first article of our three-part series, we provide an overview of the framework for data sharing and data access in the context of Connected Products and Related Services. Part II in this series will focus on the switching provisions between data processing services and Part III will explore the Irish regulatory framework for enforcement.
What does the Data Act seek to achieve?
The Data Act, together with the Digital Omnibus Regulation, aims to foster a competitive data market by advancing digital transformation through the establishment of a framework for data sharing, facilitating data access and implementing obligations on data processing providers to assist users switching between data processing providers, and promoting interoperability. Alongside the GDPR (EU Regulation 2016/679), the Data Act seeks to provide clear and secure methods for accessing data generated by a “connected product” and “related service” (as defined in the Data Act), and facilitates users’ ability to switch between data processing service providers.
What are connected products and related services?
| Category | Description | Examples |
| Connected products | Any device which obtains, generates or collects data concerning its use or environment and can communicate that data via a cable-based or wireless connection. | Smart home appliances, consumer electrics, industrial machinery, medical devices, smartphones and TVs.
Products which primarily fulfil the function of storing, processing, or transmitting data (eg, servers and routers) are outside the scope, unless they are owned, rented, or leased by the user. |
| Related services | A digital service which is connected with a product at the time of purchase, rent, or lease, in such a way that the absence would prevent the connected product from performing one or more of its functions, or the digital service is later connected to the product to add to, update or adapt its functions. | Health tracker on a smart watch, an app to adjust the brightness of lights, or an app to regulate the temperature of a fridge.
Services that do not have an impact on the operation of the connected product and do not involve the transmitting or data or commands are not related services (eg, connectivity, power supply and aftermarket services). |
What parties are in scope?
Under the Data Act, entities are placed into (sometimes overlapping) categories, with different rights and obligations for each category. The primary categories under the Data Act are as follows:
| Category of entities | Description | Additional considerations | Example |
| Users | A natural or legal person who owns or has contractual rights to use a connected product or who receives a related service. | Where a user is a natural person, and there is processing of personal data, the user will also be a data subject under the GDPR. | Drivers of cars, users of smart home applications, etc. |
| Data holders | A natural or legal person who has the right or obligation to use and make data available including, where contractually agreed, product data or related service data which it has retrieved or generated through the provision of a related service. | Non-EEA data holders will be in scope once they make data available to users in the EU. | Manufacturers of IoT devices who control access to the data, providers of related services. |
| Data recipients | A natural or legal person (based in the EU) acting in their trade, business, craft or profession, who receives data from the data holder. | This includes third-parties who have been provided data at the request of users. | Independent mechanic receiving a connected car’s maintenance data from a manufacturer, authorised by the car owner. |
What are the key obligations in relation to data access and sharing in the context of “connected devices” and “related services”?
The Data Act requires data holders to make data generated by the use of a connected product (or a related service) directly and indirectly accessible to users, data recipients, and, in the case of “exceptional need”, public sector bodies. Where data is not directly accessible, the data holder must make readily available data available to the user upon request, without undue delay and subject to no charge.
From 12 September 2026, all connected products and related services must be designed and manufactured so that the product data is directly accessible to users, easily, securely and freely. The data must be of the same quality as available to data holder and provided in a comprehensive, structured and commonly used format.
What data is in scope?
The Data Act enables users of connected products and related services to access data generated by their use of the connected product both directly (where technically feasible) and indirectly. Data arising from the interaction between a user and a connected product or related service through a virtual assistant are also in scope.
The Data Act sets out a broad definition of data, capturing “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording”. The European Commission’s FAQs on the Data Act explain that raw and pre-processed data that are readily available to a data holder as a result of the manufacturer’s technical design are in scope, together with the necessary metadata to make it understandable and readable.
Typically, connected devices generate both personal and non-personal data so both personal and non-personal data fall within scope of the Data Act. Where personal data (as defined under the GDPR) is shared with a user, it must comply with GDPR principles of lawfulness, purpose limitation and data minimisation and anonymisation, aggregation, and pseudonymisation techniques may be used by data holders to separate personal from non-personal data to ensure compliance with GDPR where necessary.
Separately, derived or inferred data which results from additional investments (eg data from sensors in cars that infer a driver is sleepy) is not within the scope of the Data Act, and the Data Act does not extend to content data that is protected by IP rights.
Are there any limitations on data access / data sharing?
Trade secrets
A data holder can refuse to share data on the basis of preserving a trade secret but only in exceptional circumstances, where disclosure of that trade secret is highly likely to cause serious economic damage to the data holder, and confidentiality cannot be preserved by other appropriate measures. In practice, this is a very high bar to meet and is subject to challenge as the data holder must notify its competent authority of the refusal.
The Digital Omnibus Regulation proposes new safeguards to strengthen the protection for trade secrets. In accordance with the proposals, data holders could refuse to share data where there is a substantial risk that such trade secrets could be unlawfully acquired, used or disclosed to entities located in third-countries, particularly where those third-country legal regimes offer weaker protection than the EU.
Restrictions on use of shared data
Where a user or data recipient receives data, they cannot use the data to create a competing product, however, they may create a competing related service.
Data holders are permitted (and recommended) to agree limitations on the use of data by the data recipient, however there is a prohibition on unfair terms, as discussed below.
Unfair contract terms in B2B data access and data sharing contracts
The Data Act categorises certain unilaterally imposed contractual terms related to data access and use between enterprises as unfair or presumed to be unfair. A contract term will be deemed unfair if it grossly deviates from good commercial practice in data access and use, or is contrary to good faith and fair dealing. Examples of unfair terms in a data access agreement include placing limitations on liability for intentional acts or gross negligence or excluding remedies available in the case of non-performance imposing restrictions on data access. While such terms in Business-to-Consumer (“B2C”) contracts were already prohibited under Irish consumer law, this expands certain unfair terms provisions to Business-to-Business (“B2B”) data access arrangements for the first time. Contracts concluded after 12 September 2025 must comply with the new requirements and companies have until 12 September 2027 to remediate long-term contracts that were concluded prior to 12 September 2025.
The Expert Group on B2B Data Sharing and Cloud Computing Contracts (the “Expert Group”), established by the European Commission, has released a report outlining a set of non-binding Model Contractual Terms (“MCTs”) and Standard Contractual Clauses (“SCCs”). Both the MCTs and SCCs are designed to facilitate fair, balanced, and legally sound B2B data sharing agreements which are in compliance with the Data Act’s requirements.
The MCTs are intended to assist parties to draft and negotiate contracts for access, and use of, both personal and non-personal data. These MCTs are split into four annexes intended to cover typical data-sharing scenarios:
| Annex | Types of contracts |
| Annex 1 | Contracts between a data holder and a user of a connected product or related service, where the data holder wishes to use data generated. |
| Annex 2 | Contracts between users of a connected product or related service and a third party data recipient, where users request the data holder to make data available to a data recipient. |
| Annex 3 | Contracts between a data holder and a third party data recipient that is a business, where a data holder is obliged to make data available to a data recipient when requested to do so by a user. |
| Annex 4 | Contracts between a data sharer and a data recipient where the data sharer wishes to make data available to a data recipient voluntarily and independent of any request by users or a similar party. |
Business-to-Government (“B2G”) data sharing
The Data Act also sets out the conditions upon which data holders (that are legal persons) shall make data available (including the relevant metadata necessary to interpret and use the data) to public sector bodies, the European Commission, the European Central Bank or other Union bodies where they have demonstrated an exceptional need to use the data (or example where the data requested is necessary to respond to a public emergency).
Next steps
The Data Act requires significant changes for businesses and Irish companies should take action now to consider how to address compliance with the impending introduction of the Irish implementing legislation. In particular, businesses should:
- identify the obligations relevant to their business;
- prepare notification documents to give to users ahead of purchasing a connected product or receiving a related service, in compliance with the Data Act;
- prepare terms and conditions for data sharing arrangements between users and the data holder;
- review all B2B data access contracts which may come within scope of the Data Act to ensure that there are no unfair terms which may render the agreement unenforceable; and
- establish a process to handle data access and portability requests.
Contact us
If you have any questions on anything contained in this article or on the Data Act in general, please feel free to reach out to a member of the Technology and Innovation Group or your usual Matheson contact.