The Data Act: Europe’s Most Underestimated Digital Law
With less than six months until the Data Act becomes applicable, privacy professionals and legal consultants face an urgent deadline that many haven’t even marked on their calendars. Joost Gerritsen, CEO of Digibeetle, lawyer and affiliate researcher at Utrecht University, shares his surprising discoveries about this transformative regulation.
To be honest, we didn’t think much of it initially. We were prepared to be disappointed, just like when studying the Data Governance Act,
Joost admits. Our assumption was wrong.
The Data Act will fundamentally reshape how businesses handle IoT data sharing and B2B contracts, introducing obligations that many organisations haven’t yet considered.
Why the Data Act Matters More Than You Think
Unlike the GDPR’s focus on personal data or the AI Act’s algorithmic governance, the Data Act tackles a different challenge: unlocking the economic value of non-personal data while protecting businesses from unfair contractual terms. For legal professionals advising on data contracts, this represents a seismic shift in the regulatory landscape.
The Act applies to virtually every organisation involved in the Internet of Things ecosystem – a scope far broader than many realise. We’re talking about any tangible thing connected to the Internet, from smart consumer electronics and medical devices to connected cars and industrial machinery.
Three Critical Impacts on Your Legal Practice
1. IoT Business Transformation
If your clients manufacture or provide IoT products and related services (including apps), the Data Act imposes new data accessibility obligations. These requirements go beyond traditional product liability or consumer protection laws, mandating that:
- Users must be able to access data generated by their use of products
- Data portability to third parties must be facilitated
- Technical documentation must enable interoperability
- Switching between data processing services must be possible without vendor lock-in
2. Expanded User Rights
The Act creates new rights for both consumers and businesses using connected devices. This affects:
- Smart home device users who want to switch ecosystems
- Healthcare providers using connected medical equipment
- Fleet operators with connected vehicles
- Manufacturers using smart industrial machinery
These users gain unprecedented rights to access and share their data, fundamentally altering the power dynamics in B2B data relationships.
3. B2B Contract Revolution
Most surprisingly, the Data Act directly interferes with B2B contract freedom in ways unprecedented in EU law. When drafting or reviewing B2B data contracts where data sharing is legally required, lawyers must now screen for prohibited clauses that are automatically void. These include:
- Clauses preventing compliance with Data Act obligations
- Terms imposing unreasonable limitations on data access
- Contractual provisions creating unfair discrimination
- Exclusivity arrangements that violate data portability rights
The Prohibited Clauses Trap
The Act’s approach to prohibited contractual terms represents a dramatic departure from traditional B2B contract law. Unlike consumer protection rules, these prohibitions apply to contracts between sophisticated commercial parties. Legal consultants must urgently review existing contracts and templates to identify potentially void provisions.
Common clauses that may now be problematic include:
- Exclusive data use provisions in IoT service agreements
- Restrictions on reverse engineering for interoperability
- Unlimited liability for data sharing
- Non-compete clauses preventing switching between cloud services
The enforcement mechanism is particularly striking: these clauses aren’t merely voidable – they’re automatically non-binding, potentially creating gaps in carefully negotiated commercial agreements. Additionally, when IoT devices process mixed personal and non-personal data, organisations must ensure compliance with both the Data Act and GDPR requirements.
Preparing for September 2025: Action Items
With the September 2025 deadline approaching rapidly, organisations and their legal advisors need to:
- Audit existing IoT products for compliance with data accessibility requirements
- Review all B2B data contracts for prohibited clauses
- Update standard contractual terms to reflect Data Act obligations
- Implement technical measures for data portability and interoperability
- Train legal teams on the Act’s novel approach to B2B contract regulation
Why Most Organisations Are Unprepared
The Data Act’s relatively low profile compared to GDPR or the AI Act has created a dangerous blind spot. Many privacy professionals who’ve focused on personal data protection haven’t yet grasped how the Data Act’s non-personal data rules will affect their organisations. Similarly, contract lawyers may not realise that their carefully crafted B2B agreements could contain automatically void provisions.
This knowledge gap creates both risk and opportunity. Organisations that move quickly to understand and implement Data Act requirements can gain competitive advantages, while those that ignore it face potential enforcement actions and contract disputes.
Navigate the Data Act with Comprehensive Legal Intelligence
As September 2025 approaches, staying current with Data Act interpretations becomes critical. The regulation’s novel approach to B2B contracts and IoT data sharing will generate significant regulatory guidance and potentially contentious enforcement decisions. Legal consultants and privacy professionals need reliable access to:
- Early supervisory authority guidance on prohibited clauses
- Cross-border enforcement approaches to IoT data accessibility
- Court interpretations of the Act’s interference with contract freedom
- Practical implementation examples from across the EU
At Digibeetle, we’re already tracking Data Act developments across Europe, ensuring our users have immediate access to cross-referenced regulatory intelligence as this underestimated law becomes reality. Our expert-curated legal database connects Data Act requirements with related GDPR, AI Act, and DSA obligations, helping you navigate the increasingly complex EU digital law landscape.
Start your AI literacy journey and understand how the Data Act fits into the broader regulatory framework with our free webinar on safeguarding fundamental rights under the AI Act. The principles discussed apply equally to Data Act compliance.
Don’t let September 2025 catch you unprepared. Start your 30-day free trial to access comprehensive Data Act resources and track emerging guidance. Or book a consultation to discuss how Digibeetle can support your organisation’s journey through this B2B contract revolution.
