The management of personal and non-personal data now spans all economic sectors: from automotive to digital health. In a scenario where every connected device generates valuable information, the EU has opted for a regulatory framework that guarantees transparency, fair access, and fair competition.
What changes with the Data Act
The regulation does not create a new legal basis, but strengthens existing rights: it complements the portability of Art. 20 GDPR and access under Art. 15 GDPR. The key point is that companies must now ensure:
- Immediate and free access for users to data generated by devices (e.g., a connected car sharing consumption or maintenance data).
- Real cloud portability, without technical or commercial barriers (e.g., migrating from one cloud provider to another without hidden costs or incompatible formats).
- Prohibition of abusive clauses and greater transparency regarding data location, reinforcing market balance against dominant positions.
This essentially requires companies to define effective internal protocols (important to highlight efficiency), with timely measures: clear response times, designated responsible parties, secure authentication, and safeguard mechanisms. When trade secrets or third-party rights are involved, approaches like “clean rooms” are recommended instead of denying access altogether.
Data by design: the parallel with GDPR
The Data Act introduces the principle of data by design, reminiscent of GDPR’s privacy by design: access, portability, and interoperability obligations must be considered from the product or service design stage and throughout its lifecycle.
This means manufacturers and providers must not only open their systems to users but do so with technical and organizational guarantees from the outset and maintain that commitment by monitoring their systems and staying updated with advances in the state of the art.
In practice, this means that a smart appliance manufacturer must plan from the development stage how to offer users real-time access to usage data, or a cloud software company must structure its services so migration to another provider is technically feasible, contractually sound, and economically fair.
Implications for companies and users
Therefore, it is crucial to understand that the Data Act does not grant “ownership” of data to the user, but it does break the access barriers maintained by certain technological dependencies, promoting a more dynamic and competitive data market.
For companies, the consequence is clear: auditing and adapting systems, contracts, and internal processes will be necessary to comply with the new regulatory requirements.
In summary, the Data Act not only strengthens existing rights but also turns demanding requirements into practical obligations, such as effective portability, guaranteed interoperability, and more balanced relationships within the European digital ecosystem.
If you have any questions, you can write to us at contacto@metricson.com and we will resolve them.
Article written by:
Lawyer specialized in privacy and technology contracts
About Metricson
Metricson is a leading firm in legal services for innovative and technology-driven companies, with strong specialization in privacy and security. Since its founding in 2009, we have advised more than 1,400 clients from 15 different countries, including startups, investors, large companies, universities, institutions, and governments. Additionally, at Metricson, we are experts in identifying and managing security breaches in companies, helping them protect against risks and threats.
If you want to contact us, do not hesitate to write to us at contacto@metricson.com. We look forward to speaking with you!