changes in law - legal aspects of new technologies

The EU’s Data Act introduces important rules for performance of data processing services. Given their importance for businesses, these rules deserve to be discussed in a separate article. Here we examine more closely the definition of “data processing services” in the Data Act. We attempt to outline what types of services may, in practice, be covered by the new regulations, and how it should be determined whether a given service constitutes a data processing service for purposes of the Data Act.

Legal definition

Under the Data Act (Regulation (EU) 2023/2854), “data processing service” is defined as “a digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

One of the main new institutions introduced by the EU’s Data Act is the user’s right to access data (including metadata necessary to interpret or use the data) derived from a connected product the person is using or a service related to a connected product.

The data which a user can access may have significant commercial value for the data holder (e.g. the manufacturer of a connected product). Therefore, it may be crucial from the data holder’s perspective to ensure that such data remain undisclosed, or that use of the data be restricted.

The internet of things and related services is one of the key industries affected by the EU’s Data Act. Businesses in this sector may have to make changes to bring their operations into compliance with the new requirements. In this article we examine the key obligations under the Data Act for IoT companies, and their operational implications.

Pre-contractual information obligations

What do these duties involve?

Entities that sell, rent or lease a connected product are required to provide at least the following information before entering into a contract with users:

• What data can be generated by the connected product (type, format, and estimated volume of data)
• Whether the connected product is capable of generating data continuously and in real time
• Whether the connected product is capable of storing data on the device or on a remote server, including, where applicable, the intended duration of data retention
• How the user may access, retrieve or, where relevant, erase the data, including the technical means to do so, as well as their terms of use and quality of service.

The Data Act became applicable on 12 September 2025. What do businesses need to pay attention to under this new EU-wide regulation?

Nature and purpose of the Data Act

The Data Act—Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)—is an EU regulation, and as such applies directly in Poland and all other EU member states. At the national level the Data Act will be supplemented by local regulations, but these will essentially govern only procedural issues (e.g. infringement proceedings), not substantive issues. In other words, substantively the Data Act will govern across the entire EU.

The world pins high hopes on the development of artificial intelligence systems. AI is expected to generate huge economic and social benefits across various aspects of life and sectors of the economy, including the environment, agriculture, healthcare, finances, taxes, mobility, and public administration.

The progressing development of AI systems is forcing the creation of appropriate legal frameworks, which on one hand should facilitate further growth of AI technologies but on the other hand should ensure adequate protection of persons using such systems and raise societal confidence in the operation of AI systems.

On 30 November 2021, the Council of the European Union and the European Parliament reached a provisional agreement on the final wording of a draft Data Governance Act (DGA) (COM/2020/767 final).

The aim of the proposal is to promote the availability of data and to build a trustworthy environment facilitating the use of data (both person and non-personal) for research and creation of innovative new products and services. It is also intended to create a legal framework for easier sharing of data and mechanisms facilitating re-use of certain data held by the public sector, including data involving health, agriculture and the environment.