EU Data Act explained – GDPR 2.0, even more effort or false alarm?

The EU Data Act is coming in 2025 and will affect all companies that process user data in IoT contexts.

The EU Data Act follows the EU GDPR, which became applicable in 2018 and ushered in a new era of data protection law. What previously applied only to personal data is now extended to all kinds of usage data from IoT and digital products: the data may only be processed to the extent that has been contractually agreed. On this basis, users are also granted far-reaching rights to the usage data of, for example, their smart home appliances.

Does this sound familiar? Hardly a month goes by without a new EU regulation affecting our economy. The question often arises as to how it all fits together and who can keep track of it. Even compliance experts who work in this field full-time usually specialise in data protection, EU online business or trending topics such as AI, and struggle to give a simple answer. Interestingly, an MEP recently compiled a useful overview: according to Kai Zenner’s infographic, there are 104 legislative projects.

The most recent, far-reaching and in some quarters feared regulation has it all: the EU Data Act obliges companies that are not micro or small enterprises (i.e. those with 50 or more employees or more than 10 million euros annual turnover) to grant customers far-reaching rights of access to data. Despite the “EU” prefix, its reach is not limited to European companies: all companies in the EU economic area are affected, as are companies from the rest of the world that operate or want to operate within the EU. There is no sector restriction.

EU Data Act: demarcation and similarities to the GDPR

For many companies, the EU GDPR (General Data Protection Regulation) was their first painful contact with EU regulations on the processing of data. As the word “Grundverordnung” (basic regulation) in its German name indicates, this regulation continues to apply, also in the context of the EU Data Act, which is why it is important to point out the similarities and differences:

  • The “EU GDPR”, Regulation (EU) 2016/679 deals with basic rights and obligations in the area of personal data protection – i.e. processing, right of access, erasure obligations for typical directly personal data such as names, addresses, political opinions and others.
  • The “EU Data Act”, Regulation (EU) 2023/2854, on the other hand, is aimed at data generated by a person in the course of using a connected product. The simplest example is usage data generated while driving a car, but a smart coffee machine works just as well.

An example from the agricultural sector makes the topic more tangible: a manufacturer of agricultural machinery wanted to make quite extensive use of the data generated while its machines were in use. The key question is: where does a manufacturer’s legitimate interest in using the data actually end? Hardly anyone would object to the use of engine speed, oil temperature and coolant level. But if the data allows the manufacturer to record precise usage profiles, GPS data, maps and movement profiles, yield statistics and working hours, everyone will agree that there must be limits. This is precisely where the EU Data Act comes in: in future, such processing by the manufacturer will only be possible on the basis of a contract with the user, and on the condition that the data can also be handed over to the user at any time, in the same quality and in a machine-readable format.

EU Data Act in plain terms: no one wants digital spies, but everyone wants to know how long their battery will last

In our digitalised world there is virtually no technology that works without data or does not generate usage data. You may still own an ordinary tap or a plain hairdryer, but smart kitchen appliances show where things are heading. Many people can no longer imagine walking over to the washing machine to check its progress, or using any control other than the matching app on their smartphone. This consumerisation and the industry’s focus on IoT mean that appliances which used to have only push buttons or rotary switches must now generate data and send it to the phone via the internet or local connections such as Bluetooth.

However, as we have seen in recent years, it does not usually stop at an initially harmless-looking use of data: smart speakers and home assistants came under (unfortunately justified) suspicion of eavesdropping on people, TVs with cameras gave attackers the opportunity to spy on people’s private lives, and fitness trackers can tell almost everything about a user’s life, from getting up in the morning to meals, movements via GPS tracking and going to bed. In principle, all of this data is of interest to manufacturers, because knowing everything about how a product is used means that product optimisations and software updates can be developed faster (and more cheaply). In the past, when a complex survey had to be launched to obtain such data, developers could only dream of these possibilities; now precisely this convenience is becoming a complex issue.

As customers, we want our car to “think for itself” based on the route we have chosen and suggest the next charging station, which should of course still have a free charging point. At the same time, we do not feel particularly comfortable with all of the vehicle’s data being sent back and forth between the manufacturer and Google. In the end, everyone has to decide for themselves whether they prefer to operate the oven with a knob, use a plain light bulb, or do everything via their phone. And as with the internet in the early 2000s, legislation eventually takes a pioneering step, which is what we are experiencing right now.

Complexity of the EU Data Act for companies: What do we process where – and what does it cost us?

Regardless of whether digitally savvy customers are in the majority at a company or not, companies must now be prepared for users of their products wanting control over their data. Article 4 of the EU Data Act explicitly requires data holders to make data available to users on request. However, this presupposes that companies know which data is covered by such a request in the first place. The reality is that companies already had to put in extra shifts to identify personal data under the GDPR, and even six years after it became applicable many still find it difficult to answer access requests within the prescribed deadlines.

Now this challenge is being massively extended: where the GDPR allows one month, the EU Data Act requires data to be made available without undue delay, free of charge and, where technically feasible, continuously and in real time. This means there is no time for searching, identifying and collecting data. Even if certain permitted, chargeable services soften the “free of charge” point somewhat, any compensation must be reasonable. And this is precisely where companies should take an honest look in the mirror, because they usually do not know the actual costs of processing data, or at least not at a level of detail sufficient for a calculation. There is almost always a lack of real transparency regarding data processing, IT architectures and processes. Only those who already pursue this through consistent enterprise architecture management can now draw on the full potential and prepare themselves through the transparency of their own ecosystem. After all, if you have documentation of where which data is processed and where it is transferred to, you can implement the requirements far more easily.

It is also important that companies do not wait until a customer enquiry brings them into contact with the regulation for the first time. From 12 September 2025, when the transition period ends and the EU Data Act becomes applicable, customers must be informed of various details before they conclude a contract, much as a car workshop has you sign a privacy notice today. This information includes, among other things:

  • The types of data and their volume, how they are likely to be generated in the course of using the product, and whether generation is continuous and in real time
  • The intended use, whether the data is to be used internally or made available to third parties, and if so, to whom and for what purposes
  • Contact details that allow the data holder to be reached quickly, including the identity of the data holder
  • The information already familiar from the GDPR regarding the right to lodge a complaint with the competent authority

All of this means that the rights established by the EU Data Act should not be exercised against you for the first time, unprepared, when the third quarter of 2025 dawns. Talk to experts now who can help you take the right steps in data management and processes in the context of your company architecture. This will also help you avoid doing more than is actually necessary.

Process-related vicious circles in the EU Data Act: rental business, leasing and shared use

Nevertheless, it should be emphasised that even for experts there are situational questions that cannot be answered definitively from today’s perspective. After all, the relationship between data holder and driver is not always simply vehicle manufacturer and owner: what about rental vehicles, car pools or cars operated and used by several people? What role does a car hire company suddenly play if it is neither the manufacturer nor the user? Whom should the user contact to obtain their data? How can rental providers prepare to act as data processors and data holders towards their customers while at the same time transmitting data to the manufacturer of the infotainment system, and thus having to provide information on that further processing? How does this change contracts? What happens at the end of a lease, and how should a fleet manager in a large company, who has to manage thousands of changing users and groups every day, possibly including visitors, actually behave?

This will depend on the actual usage scenarios and corresponding experience, which are difficult to predict today. Hardly any company will have a ready-made solution, and many will initially feel overwhelmed. Nevertheless, the remaining year and a half should be used to identify the main players, processes and affected IT systems and to think about the data architecture in good time. This is because the EU Data Act also has painful consequences for those companies that are caught first because they sat the issue out: fines of up to 20 million euros or 4% of annual turnover, the same ceiling as under the GDPR.

Conclusion on the EU Data Act: without transparency in the company, chaos awaits many

So now is the time for companies to make structured preparations:

  • Which processes are supported by applications and systems in our company, where is customer usage data processed?
  • Which products depend directly on the aforementioned information or are already on the market, which are still being planned, and which will be discontinued by 2025 anyway and therefore no longer need attention?
  • What do the information flows between these entities look like? Can it already be determined automatically which data of “Max Mustermann” (the German equivalent of John Doe) is processed in which systems, for what purpose and on what legal basis?

These three key questions should concern every company, and the answers should be documented accordingly. Only then will it be possible to plan and successfully implement the necessary and unavoidable changes to products, contracts and IT systems for the coming year.

Form a team of interdisciplinary experts for this purpose:

  • Legal & Compliance: your legal and compliance experts who know the company
  • Process management: Managers who have an overview and understanding of processes and their interfaces
  • Enterprise Architects: The orchestrators of business and IT requirements and promoters of active documentation

Finally, take the opportunity to learn from 2018, when the GDPR kept every company busy, regardless of whether everything went smoothly for you or whether it ended up being stressful. Now is the time to assess the impact of the EU Data Act and translate the outcome into structured planning. This article only touches on the most important key points and conveys the essence of the regulation, which contains many more details.

Philipp Schneidenbach is an expert in the fields of Enterprise Architecture, Governance, Risk and Compliance. In his current position at Materna he combines the experience of more than 25 years of consulting and line responsibility in various industries and markets. As an author, researcher and speaker he is active in organisations and professional associations such as the IEEE, ISACA and MoreThanDigital.
