Last week, the EU Data Act – or Regulation (EU) 2023/2854 on harmonised rules on fair access to and use of data, to give it its formal title – came into effect throughout the EU member states.

Users of connected products in the EU now have a legal right to access data generated through their use of such products and related services. These range from data collected by smart tech devices (such as washing machines, wearable fitness trackers, voice activated AI and robot vacuum cleaners) to electric and GPS enabled cars, as well online data dashboards and remote monitoring apps. Recognising that data-driven technologies have had a transformative effect on the economy, the European Commission hopes to unlock the valuable data generated by connected products and services through the “Internet of Things” (IoT). This applies to all users, including business, and not just consumers.

The subsequent use of the data by the user for lawful purposes is unrestricted. Where the data cannot be directly accessed by the user, providers are required to make the data easily available, without undue delay, free of charge and in an accessible format.

Importantly, the Act does not alter obligations to protect personal data and minimise its collection under the GDPR and, accordingly, does not grant data controllers new permission to process or disclose personal data in a way which would be incompatible with the GDPR. Also, the requirement to disclose data does not extend to additional insights or conclusions obtained by the service provider, as a result of financial investment or other allocation of resources (such as proprietary algorithms or other IPR), as the provider may wish to monetise these data sets separately.

One aspiration of the Commission is that alternative service offerings will emerge and open up competitive markets for data services. For example, until now, Google (the parent company of Fitbit) has had an exclusive monopoly over the provision of enhanced data analytics and insights services based on the data collected by Fitbit smartwatches and charges users around £80 per year in the UK to access “Fitbit Premium”. It is likely that in response to this new legislation, competing services will be launched and Google will be required to transfer the underlying tracking data to those competitors free of charge (although not the enhanced analytics generated by the Premium service).

Whilst the EU Data Act does not apply in the UK, any providers of IoT products that supply into the EU will need to be aware of the new requirements and have in place timely procedures to ensure compliance. Penalties are set at a national level and determined by each member state. If there is also a breach of the GDPR (such as a failure to grant a right of access to personal data), additional fines and sanctions may be imposed by the applicable data regulator.

Ultimately, through the legislation, the EU is continuing its drive to create a more equal playing field for businesses operating in the online space and tackling the dominance and significant market powers of the big data platforms. Notably, implementation comes hot on the heels of the Commission’s decision earlier this month (5 September 2025) to fine Google €2.95 billion for favouring its own advertising technology services to the detriment of competing providers. Although the UK Government has not gone as far or as fast with its proposals to regulate smart-data access, the direction of travel is similar and businesses in the UK can expect to be required to grant greater data sharing rights to tech users in future.