The EU Data Act: How It Extends Data Sovereignty Beyond Personal Data
Comprehensive analysis of the EU Data Act's September 2025 implementation, its impact on IoT data, industrial data portability, and what it means for human data rights.
The European Union’s Data Act, which came into full effect in September 2025, represents a paradigm shift in how we think about data rights. While the GDPR focused primarily on personal data, the Data Act extends sovereignty principles to all data generated by connected devices and digital services—a crucial expansion as the Internet of Things becomes ubiquitous.
What the EU Data Act Does
The Data Act addresses a fundamental question: who owns the data generated by the smart devices you own? When your smart thermostat learns your preferences, when your connected car tracks your driving patterns, when your industrial machinery generates performance data—who has the right to access, use, and benefit from that information?
Core Provisions
The Act establishes several groundbreaking principles:
1. User Access Rights: Users of connected products and related services have the right to access data generated by their use of those products. This applies to both consumers and businesses.
2. Data Sharing Obligations: Data holders must make data available to third parties at the user’s request. This breaks down data silos and enables competition in aftermarket services.
3. Unfair Contract Terms Protection: The Act prohibits unfair contractual terms related to data access and use, protecting smaller businesses from exploitative practices by larger data holders.
4. Public Sector Data Access: In cases of exceptional necessity (such as public emergencies), public bodies can request data from private entities.
5. Cloud Switching Rights: Users have the right to switch between cloud service providers without excessive costs or data loss, with providers required to remove switching charges by 2027.
The IoT Revolution and Data Rights
As analyzed in the Global AI Governance Overview (arXiv:2512.02046), the proliferation of connected devices has created unprecedented challenges for data governance. The EU Data Act directly addresses these challenges.
Scale of the Issue
Consider the data landscape in 2026:
- 75 billion IoT devices connected globally
- Smart homes generate approximately 1.5 GB of data daily
- Connected vehicles produce up to 25 GB of data per hour of driving
- Industrial IoT sensors create petabytes of operational data
This data has enormous value—for optimizing products, training AI systems, enabling predictive maintenance, and creating new services. The question is: who should benefit?
Before the Data Act
Prior to the Data Act, manufacturers typically claimed exclusive rights to data generated by their products:
- Automotive manufacturers controlled vehicle data, limiting independent repair shops
- Agricultural equipment makers restricted farmers’ access to their own operational data
- Smart home device manufacturers monetized user behavior data without sharing value
- Industrial equipment providers held customers captive to proprietary analytics services
After the Data Act
The Act fundamentally rebalances this relationship:
- Users gain access to data generated by their devices
- Third parties can compete in aftermarket services with user consent
- Data portability prevents vendor lock-in
- Fair compensation requirements ensure reasonable pricing for data access
Industrial Data: A New Frontier
One of the most significant aspects of the Data Act is its treatment of industrial and business-to-business data—territory largely untouched by the GDPR.
Manufacturing and Industry 4.0
For manufacturing companies, the Data Act creates both opportunities and obligations:
Opportunities:
- Access to data from purchased equipment for optimization
- Ability to choose independent service providers
- Data portability when switching suppliers
- Competitive aftermarket for analytics services
Obligations:
- Provide data access to customers using your products
- Ensure technical measures for secure data sharing
- Maintain reasonable pricing for data access
- Implement data portability mechanisms
Agricultural Data Rights
Farmers have been particularly affected by data access restrictions. Modern agricultural equipment generates detailed data about soil conditions, crop yields, weather patterns, and equipment performance. Under the Data Act:
- Farmers can access all data generated by their equipment
- They can share this data with third-party agronomists or analytics providers
- Equipment manufacturers cannot lock farmers into proprietary services
- Data can be transferred when changing equipment providers
Healthcare and Medical Devices
Connected medical devices generate sensitive health data with significant value:
- Patients gain clearer rights to data from connected devices (blood glucose monitors, heart rate monitors, etc.)
- Healthcare providers can access device data with patient consent
- Research institutions can receive anonymized data for studies
- Competition in health analytics services increases
Relationship with GDPR
The Data Act complements rather than replaces the GDPR. Research on rethinking data protection in the AI era (arXiv:2507.03034) notes that this layered approach creates comprehensive coverage.
How They Work Together
| Aspect | GDPR | Data Act |
|---|---|---|
| Scope | Personal data | All data from connected devices |
| Focus | Privacy protection | Data access and portability |
| Rights holder | Natural persons | Users (individuals and businesses) |
| Obligations on | Data controllers | Data holders |
When Both Apply
When data from a connected device includes personal data, both regulations apply:
- GDPR requirements for consent, purpose limitation, and data protection
- Data Act requirements for access, portability, and fair terms
Data holders must comply with both frameworks, which generally means stronger protections for users.
Cloud Switching Rights
A particularly impactful provision addresses cloud service portability—a growing concern as businesses become increasingly dependent on cloud infrastructure.
The Problem
Cloud vendor lock-in has become a significant issue:
- Proprietary data formats make migration difficult
- Egress fees penalize customers for leaving
- Technical complexity deters switching
- Data gravity keeps organizations trapped
The Solution
The Data Act mandates:
Elimination of Switching Charges
- Exit fees must be phased out by January 2027
- Data egress must be provided at reasonable cost
- No contractual penalties for switching
Functional Equivalence
- Providers must support export in formats usable by other services
- APIs for data access and portability are required
- Documentation must facilitate migration
Interoperability Requirements
- Cloud providers must ensure data can be transferred effectively
- Open standards are encouraged
- Technical barriers to switching are prohibited
Implications for AI Development
The Data Act has significant implications for artificial intelligence development, particularly in how training data is accessed and used.
Training Data Access
AI developers seeking to use IoT data for training face new considerations:
- User consent is required for data sharing to third parties
- Fair compensation may be required for commercial use
- Transparency about AI training purposes is expected
- Data provenance tracking becomes more important
Competition in AI Services
By enabling data access, the Act promotes competition:
- Independent AI developers can access data previously locked by device manufacturers
- Smaller companies can compete with integrated device/AI offerings
- Users can choose AI services independent of device providers
- Innovation is fostered through data availability
Federated Learning Opportunities
The Act’s framework is well-suited to federated learning approaches:
- Data can remain with users while contributing to AI training
- Privacy is preserved while enabling collective intelligence
- Compliance is simplified when data doesn’t leave user control
- User sovereignty over data contribution is maintained
Enforcement and Penalties
The Data Act establishes robust enforcement mechanisms:
Penalties for Non-Compliance
- Up to €20 million or 4% of global annual turnover (whichever is higher)
- National authorities designated for enforcement in each member state
- Coordination through the European Data Innovation Board
Enforcement Actions to Date
Since implementation in September 2025, enforcement has been active:
- Multiple automotive manufacturers issued compliance orders regarding vehicle data
- Cloud providers investigated for switching barrier practices
- Smart home device makers required to implement access mechanisms
- Several cases referred from national authorities to the Commission
What This Means for Individuals
Your Rights Under the Data Act
As an individual user of connected devices and services, you now have:
- Right to Access: Request all data generated by your connected devices
- Right to Portability: Move your data to different service providers
- Right to Share: Allow third parties to access your data
- Right to Fair Terms: Challenge unfair data-related contractual terms
- Right to Cloud Switching: Move between cloud providers without penalty
How to Exercise Your Rights
Step 1: Identify Data Holders. Determine which companies hold data from your connected devices and services.
Step 2: Submit Access Requests. Contact data holders to request access to your data. They must respond within 30 days.
Step 3: Choose Your Format. Request data in commonly used, machine-readable formats.
Step 4: Select Service Providers. Exercise your right to share data with third-party service providers of your choice.
Step 5: Lodge Complaints. If your rights are not respected, contact your national data protection authority.
Business Compliance Checklist
For organizations affected by the Data Act:
Immediate Actions
- Inventory all connected products and data generated
- Review contracts with customers for Data Act compliance
- Implement technical measures for data access
- Train staff on Data Act obligations
- Update privacy notices to include Data Act information
Technical Requirements
- APIs for data access by users and authorized third parties
- Secure authentication for data access
- Export functionality in standard formats
- Audit trails for data access and sharing
- Data portability mechanisms
Contractual Updates
- Review and remove unfair data-related terms
- Update terms of service for Data Act compliance
- Prepare data sharing agreements for third-party access
- Establish reasonable pricing for data access services
The Broader Context: Data Sovereignty
The Data Act is part of a broader European strategy for digital sovereignty, which includes:
- Data Governance Act (in effect since September 2023)
- Digital Markets Act (in effect since March 2024)
- Digital Services Act (in effect since February 2024)
- AI Act (full implementation August 2026)
Together, these regulations create a comprehensive framework for the digital economy that prioritizes user rights and European competitiveness.
Frequently Asked Questions
Q: Does the Data Act apply to data I already have on my devices?
A: Yes, the Data Act applies to data generated by connected products, regardless of when it was generated. You can request access to historical data as well as ongoing data generation.
Q: Can manufacturers charge me for accessing my own data?
A: Manufacturers can charge a reasonable fee for providing data access, but this fee must not exceed the cost of making the data available. For consumer users, basic access should generally be free.
Q: How does this affect my smart home devices?
A: Smart home device manufacturers must now provide you with access to data your devices generate. You can use this data with third-party services—for example, using your smart thermostat’s data with an independent energy management app.
Q: Does the Data Act apply to companies outside the EU?
A: Yes, the Data Act applies to any company offering connected products or services in the EU market, regardless of where the company is headquartered.
Q: What if a company refuses to provide my data?
A: You can lodge a complaint with your national authority. Penalties for non-compliance are significant—up to €20 million or 4% of global turnover.
Conclusion
The EU Data Act represents a crucial expansion of data rights beyond personal data to encompass all data generated in our increasingly connected world. By establishing clear rights to access, portability, and fair treatment, the Act empowers users—both individuals and businesses—to benefit from the data they generate.
For the human data rights movement, the Data Act validates a core principle: data sovereignty should extend to all data that results from our interactions with technology, not just data that identifies us personally. As AI systems increasingly rely on IoT data for training and operation, these rights become ever more important.
The path forward requires continued vigilance to ensure these rights are effectively implemented and enforced. The Human Data Rights Coalition will continue monitoring compliance and advocating for strong enforcement of the Data Act’s provisions.
This analysis reflects the EU Data Act as implemented in September 2025. For specific legal advice, consult qualified legal counsel in your jurisdiction.
Academic Sources
- Global AI Governance Overview, arXiv:2512.02046
- Rethinking Data Protection in the AI Era, arXiv:2507.03034