Background: Data access and sharing rights under the Data Act
The EU Data Act (DA – Regulation (EU) 2023/2854) came into force on 11 January 2024 with most of its provisions applying from 12 September 2025. The goal of the Data Act is to make data more widely accessible in the EU so that data can be utilized more broadly by different parties. To achieve this, the Data Act gives users of connected products or related services new rights to access and share data generated by these products:
- Access by design (Art. 3 DA): First, the Data Act sets out obligations for the manufacturer of the connected product or related service to ensure that certain data are made directly accessible to the user – by default and in real-time. This obligation, known as "access by design," includes product data and related service data, including the relevant metadata necessary to interpret and use those data. If a product or service does not meet these standards, it could lead to warranty claims.
- Access at request (Art. 4 DA): If users are not able to access the data set out in Art. 3 DA (i.e., the product or service is generally defective), Art. 4 DA requires data holders to provide access to readily available data and the relevant metadata upon request (“access at request”).
- Share at request (Art. 5 DA): In addition to the right of access, users can also request the data holder to make the readily available data and metadata accessible to third parties selected by him (“share at request”, Art. 5 (1) DA).
Overview: Data categories covered by “data” definition under the Data Act
The EU legislator adopted a broad definition of “data” and then refined it into more specific subcategories tailored to different areas related to data access and sharing obligations under the Data Act. This creates a system that may seem complex but is coherent when it comes to claims for accessing, using, and sharing data from connected products and services.
The following table provides an overview of the various types of data mentioned in the Data Act. All these data types are covered by the general definition of "data" defined in Art. 2(1) DA as “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording.”
Key distinctions between data types
Unfortunately, the Data Act provides little guidance on several key distinctions determining which types of data are covered by rights provided under Art. 3, 4, and 5 DA. The following two data terms are of particular interest:
- (i) the definition of “readily available data” under Art. 4 and 5 DA (as opposed to “product data” under Art. 3 DA);
- (ii) The point at which data becomes “derivative data” (as opposed to “primary data” and “pre-processed data”), thus falling outside the scope of the Data Act.
a. “Readily available data” under Art. 4 and 5 DA
Art. 2 (17) DA defines readily available data as “product data and related service data that a data holder lawfully obtains or can lawfully obtain from the connected product or related service, without disproportionate effort going beyond a simple operation” – however, without providing further clarification. Examples of readily available data include information like temperature readings, energy consumption data, or activity logs.
To clarify the scope of the definition of readily available data, it makes sense to take an economic approach: If obtaining and providing access to certain data incurs significant additional costs that are disproportionate to what is provided by the product or service, then such data cannot be considered readily available. For instance, if substantial processing or analysis is needed to gain insights – such as predictive analytics, complex machine learning outputs, or aggregated user behavior trends – this type of processed information falls outside the definition in Art. 2(17) DA. While raw data might be readily available, the processed insights might require significant computational resources and expertise, resulting in additional costs.
Despite the (remaining) vagueness of the term, the distinction between product data and related service data (Art. 3 DA) on the one hand and readily available data (Art. 4 and 5 DA) on the other hand is understandable for two reasons:
- The data access and sharing obligations under Art. 3 and Art. 4, 5 Data Act address (potentially) different stakeholders: Whereas Art. 3 DA obliges the manufacturer, the obligations under Art. 4 and 5 DA address the data holder (i.e., any person who has the right or obligation under the Data Act or other law to use and provide data that they have retrieved or generated during the provision of a related service, Art. 2(13) DA). Therefore, a manufacturer who cannot access generated data is not a data holder within the meaning of the Data Act. For example, consider a washing machine manufacturer that designs and sells machines that generate usage data, such as cycle counts and energy consumption. If this usage data is stored directly on a cloud platform managed by a third-party service provider and the manufacturer does not have access to it, then the manufacturer is not classified as a data holder. In this scenario, the third-party service provider would be recognized as the data holder since they control access to that data.
- Granting access is more costly than access by design: Granting access under Art. 4 or 5 DA is usually more expensive than securing the “access by design” right under Art. 3 DA, which has already been implemented during development. Therefore, considering the rationale of the access and sharing rights under Art. 4,5 DA, it appears appropriate to grant access only to data that is easily available to the data holder.
b. Derivative data vs. pre-processed data
The second relevant distinction between pre-processed data and derivative data was subject to continuous change during the Data Act’s legislative process. Only briefly addressed in a subordinate recital clause in the Commission’s draft, the Council devoted an entire recital to the distinction in its negotiating mandate. The parliamentary draft even included it in the wording of Art. 3(1) DA. In the official text, the distinction is now somewhat hidden in Recital 15 DA, saying that information derived from pre-processed data is the outcome of additional investments into assigning values or insights from the data that do not fall within the scope of the Data Act.
While the term pre-processed data should not be interpreted in a way that the data holder would be obliged to make significant investments or a categorization based on their expertise (Recital 15 DA), derived data requires precisely such investments. To illustrate this, the Data Act names information obtained through sensor fusion and then further processed using complex algorithms. A further example of derived data could be the categorization of the pH value of arable soil as acidic or alkaline measured by an agricultural machinery robot or the subsequent recommendation of which plants the soil is best suited for.
For example: A smart thermostat collects temperature readings from a home along with the user's heating preferences. The resulting dataset is pre-processed if these readings are slightly refined or standardized (e.g., adjusting for time zones or correcting sensor errors). Next, the thermostat's data can be analyzed using algorithms to forecast future energy usage. This analysis takes into account user behavior patterns and weather forecasts through machine learning model input. The resulting predictions about energy consumption can be qualified as derivative data because it is the outcome of additional investment.
Conclusions
In order to ensure compliance with the Data Act, manufacturers and data holders should carefully consider the above distinctions of data types relevant under the Data Act. In particular, the following key take-aways should be taken into account from a product design perspective as well as with regard to the setup of customer agreements:
- Only readily available data is subject to data access rights under Art. 4, 5 DA: Whether or not data is readily available is highly relevant to the scope of a user’s “access at request” and “share at request” rights under Arti. 4 and 5 DA. Following an economic approach, data is not deemed to be “readily available” whenever the data holder incurs additional costs for obtaining and providing the data that are disproportionate to the product and service provided.
- Derivative data are out of the scope of the Data Act: Derivative data is not covered by the access and sharing rights under the Data Act. Understanding the difference between pre-processed data and derivative data is crucial for manufacturers who wish to offer additional paid advisory or analysis services related to their connected products. Simply marketing these analysis services as “powered by AI” will not suffice. Derivative data is generated when pre-processed data undergoes evaluation or categorization, or when recommendations or forecasts are made based on that data.
- Contractual considerations: The large number of data types relevant under the Data Act requires a careful drafting of customer contracts. Given the vagueness of the definitions used in the Data Act, a contract that introduces new terms which are not consistent with the definitions or rules set by the Data Act could unintentionally broaden the rights for access and sharing of data granted. Companies therefore need to be cautious when drafting contracts to ensure they do not create unintended consequences regarding data access and sharing rights under the Data Act.
Authored by Jasper Siems, Henrik Hanssen, and Lennart Knutzen-Lohmann.
