The European Commission published the draft Data Act on February 23, 2022. The Data Act draft regulates the provision of data by the data owner to the user, to third parties and to public bodies and includes legal frameworks for data access and data use. The background to the regulation is that there is currently no legal regulation on data sovereignty and all parties involved rely on voluntary exchange.

With the Data Act draft, the European Commission now wants to clarify who may commercially exploit data and under what conditions this takes place. In addition, special provisions are made for micro, small and medium-sized enterprises as well as so-called “gatekeepers”.

Basic content of the draft Data Act

The draft regulates the exchange of user-generated data between companies and between consumers and companies. Large parts of the data collected by companies and by consumers in connection with networked devices and digital services must in future be made technically and legally accessible to users, who can then pass the data on to third parties.

The regulations in the draft include, for example, product requirements for easy and secure data access (“access by design and by default”), pre-contractual information obligations and the need for a usage agreement between data owner and user, data access claims and provision obligations, as well as regulations on data transfer by the data owner to third parties at the instigation of the user. However, it also regulates requirements for corresponding consideration (e.g., fairness, appropriateness) and criteria for abusive contractual clauses in order to protect smaller companies.

In addition, there are to be regulations for the transfer of data to public bodies and EU institutions, bodies and other bodies in emergency situations.

The draft also stipulates that the European Commission should provide non-binding model contractual conditions for data access and use. The member states are then to issue corresponding regulations on sanctions in the event of violations.

Addressees of the draft Data Act

The Data Act draft applies to

  • All manufacturers of products and providers of related services placed on the market in the EU and users of such products or services;
  • data controllers who provide data to recipients in the EU;
  • Data recipients in the EU to whom data is provided;
  • public bodies and EU institutions, bodies and agencies;

Similar to the GDPR, the regulations are also intended to apply to companies based outside the EU if they provide relevant services to customers in the EU.


The European Parliament and the Council have adopted their positions on the draft and, like the member states, are calling for various amendments. Further negotiations will focus in particular on the scope of application of the Data Act, ensuring the protection of trade secrets, remuneration issues and regulations on provider switching and protection against unfair contract terms. On March 29, 2023, the first trilogue took place. However, as the positions of the Council and Parliament are not too far apart, an agreement is generally expected before the summer break or shortly thereafter.

  • Twitter
  • LinkedIn