And you thought GDPR was a Pain
If you thought GDPR was a pain, then wait until you take a look at the EU Data Act. If your company stores any machine-generated data, then you have a brand new EU headache on your hands. The EU Data Act comes into effect on the 12th of September this year and dumps 75 pages of legal compliance clauses on your legal and IT departments' doorstep. In effect, the EU Data Act forces you to make all connected device data available in machine-readable format to anyone inside the EU. Yes, you read that right.
Since it was ratified in January of 2024, I have been exploring the Data Act and trying to understand what the implications are for the IoT industry in 2025 and 2026. Unfortunately, the EU is not particularly active in communicating the act to the broad market, instead preferring to recommend to each EU country that it appoint controllers, who do not seem to be specifically instructed to spread the word but rather are recommended to apply GDPR levels of penalties for non-compliance. In 90% of cases, the impacted companies I have spoken to were completely unaware of the Act. As someone on the verge of leaving corporate employment to become an independent consultant, I have decided to start informally sharing all my learnings so that anyone impacted can start to make informed decisions about what to do about it.
First up, here is the act. https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202302854&qid=1736764269349
Choose your language, sit back with a cup of coffee and try to stay awake.
Alternatively, read my quick executive summary below then go book a meeting with your IT and legal departments. You have exactly 241 days left before you need to comply.
OK, let's get started. Firstly, who is impacted by the act? The EU defines the act as applying to:
"Connected products that obtain, generate or collect, by means of their components or operating systems, data concerning their performance, use or environment and that are able to communicate those data via an electronic communications service, a physical connection, or on-device access, often referred to as the Internet of Things, should fall within the scope of this Regulation, with the exception of prototypes. Examples of such electronic communications services include, in particular, land-based telephone networks, television cable networks, satellite-based networks and near-field communication networks. Connected products are found in all aspects of the economy and society, including in private, civil or commercial infrastructure, vehicles, health and lifestyle equipment, ships, aircraft, home equipment and consumer goods, medical and health devices or agricultural and industrial machinery. Manufacturers' design choices, and, where relevant, Union or national law that addresses sector-specific needs and objectives or relevant decisions of competent authorities, should determine which data a connected product is capable of making available."
Simply put, if you have any IoT devices inside the EU and you are the Data Controller who stores the data, then you need to comply with the act.
Is this your company? If so, then by September 12 of this year you need to implement the following changes to your data management systems:
"Where data cannot be directly accessed by the user from the connected product or related service, data holders shall make readily available data, as well as the relevant metadata necessary to interpret and use those data, accessible to the user without undue delay, of the same quality as is available to the data holder, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format and, where relevant and technically feasible, continuously and in real-time. This shall be done on the basis of a simple request through electronic means where technically feasible."
After exhaustive reviews of the legal text, a simple interpretation is that on or before Sept 12, you will need to send updated terms of use to each of your customers describing your compliance with the act and providing them with links to what is likely a brand-new digital service where they can either:
a) Request and download all their own device data (as opposed to GDPR data) in machine-readable format
b) Request that their own device data be shared by you directly with any third party (3PP) inside the EU
If at this point you are telling yourself that you don't need to comply because your connected devices are for your own usage or for B2B, the EU throws another spanner in the works by adding the requirement that you must share all telemetry data immediately with any EU Public Body that asks for it. Whether for a public emergency or simply for statistical purposes, every Data Controller inside the EU, irrespective of business architecture, will need to at the very least provide a digital plug for the government(s).
Once you have jumped through the hoop to comply with this requirement, you then have exactly one year to comply with the next phase, which is described in the act as:
"After September 12 2026, all connected products shall be designed and manufactured, and related services shall be designed and provided, in such a manner that product data and related service data, including the relevant metadata necessary to interpret and use those data, are, by default, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format, and, where relevant and technically feasible, directly accessible to the user."
The text of the Data Act has requested that we as an industry create an EU standard for data sharing. If we don't, Brussels will do it themselves.
At this point, if you are still reading this, your heart rate may have gone up, and to be honest I don't blame you. This is draconian legislation. On the bright side, it also includes a lot of terms related to the data processors (read: AWS, Azure and GCP) that your solution runs on and forces them to actively assist you in porting your data management off their platform onto a competitor if you want to migrate. It also defines a bunch of offshore data giants (Alphabet, Apple, Meta, Amazon, Microsoft, ByteDance) as EU enemies and specifically bars companies from sharing data with them under the Data Act.
Antony Beswick
Principal Consultant