The European digital economy is set for a transformation with the coming into force of the EU Data Act (Regulation (EU) 2023/2854) on the 12th of September 2025.
Before the Regulation, data generated by connected products and related services remained with manufacturers or service providers. The Regulation rebalances the relationship between users and providers, giving users greater access to and control over the data they generate. To facilitate this, the Regulation reduces the barriers restricting data access and imposes new data-sharing obligations, better enabling interoperability of data from different domains.
What kinds of data and products fall under the Regulation?
The Regulation covers connected products, services related to those products, and the data, whether raw or simple, which can be accessed from the device or service. Data which has been heavily processed or analysed does not fall under the scope of this Regulation.
- Connected products are items or technologies which collect or send data from their use. These range from ‘traditional’ items such as smart home devices and wearable devices, like fridges and fitness trackers, to vehicles and aircraft.
- Related Services are services which are intrinsic to the product and gather data from the product’s use. Such services include navigation systems in vehicles and virtual assistants within devices.
- Data which is easily accessible from the device or service and is not heavily processed also falls under this Regulation. The data may be personal or non-personal. In the case of personal data, GDPR will also apply alongside this Regulation.
To whom does this Regulation apply?
The Regulation applies to several stakeholders.
The pivotal stakeholders are the users, who will now have the right to access and share the data they generate when using the products and services. Hence, manufacturers and service providers that compete in the EU market must provide users with access to their own data and update their contracts and system designs to comply with the Regulation, even if they are based outside the EU. The design-related obligations are set to apply from the 12th of September 2026.
Data holders, being companies that control access to the data, have the right under the Regulation to use and share the data, on condition that the user's consent is obtained. Furthermore, data holders must ensure that such data is used fairly.
Data Recipients are third parties, including app developers or public authorities, which receive data from the data holder. These recipients can only use the data they receive for agreed purposes and must respect digital competition by complying with trade secret rules and not acting unfairly.
Data Processing Service Providers are companies which offer cloud services or other similar products that give their customers access to shared computing resources. Under the Regulation, these service providers will now be required to allow their customers to easily terminate their contract and switch to another data processing service provider without extra costs. This new obligation removes obstacles to competition, creating a more competitive market.
GDPR and the Data Act
When personal data is involved, the EU Data Act operates alongside the General Data Protection Regulation (GDPR). This means that data holders and recipients must comply with key GDPR principles such as consent, purpose limitation, and data minimisation when accessing or sharing personal data. For non-personal data, GDPR does not apply; however, the Data Act still imposes rules and restrictions on how such data may be used, particularly to protect trade secrets, prevent unfair competition, and ensure responsible data sharing across the EU market.
Compliance with the Regulation
Each Member State is free to apply its own enforcement of the Regulation and is to designate appropriate and specialised competent authorities. These authorities are tasked with monitoring compliance and handling complaints from any party. A complaint may be submitted by any person who deems that their rights under the Data Act have been infringed. In Malta, the prospective competent authorities tasked with overseeing the enforcement of the Regulation and its application are the Malta Digital Innovation Authority (MDIA) and the Malta Communications Authority (MCA).
The Regulation does not specify any fixed penalties or fines in cases of non-compliance, leaving each Member State free to decide. Hence, Member States are encouraged to establish effective, proportionate and dissuasive penalties. Furthermore, personal liability of directors of such companies, although not specified in the Regulation, is possible under Maltese Law through the Maltese Companies Act (Chapter 386 of the Laws of Malta).
Concluding Remarks
The Regulation is a pivotal milestone in creating a fair, strong and innovative digital market, and in creating a balance between companies and users. Businesses in the sector should update their contracts, systems and product designs accordingly and put oversight activities in place to ensure compliance. The Legal Team at BDO is here to help you navigate the Data Act. Should you require any further information or assistance, the team may be contacted here.
This article was written by Legal Intern Martina Galea and reviewed by Head of Legal Franklin Cachia