data economy - legal aspects of new technologies

One of the main new institutions introduced by the EU’s Data Act is the user’s right to access data (including metadata necessary to interpret or use the data) derived from a connected product the person is using or a service related to a connected product.

The data which a user can access may have significant commercial value for the data holder (e.g. the manufacturer of a connected product). Therefore, it may be crucial from the data holder’s perspective to ensure that such data remain undisclosed, or that use of the data be restricted.

The internet of things and related services is one of the key industries affected by the EU’s Data Act. Businesses in this sector may have to make changes to bring their operations into compliance with the new requirements. In this article we examine the key obligations under the Data Act for IoT companies, and their operational implications.

Pre-contractual information obligations

What do these duties involve?

Entities that sell, rent or lease a connected product are required to provide at least the following information before entering into a contract with users:

• What data can be generated by the connected product (type, format, and estimated volume of data)
• Whether the connected product is capable of generating data continuously and in real time
• Whether the connected product is capable of storing data on the device or on a remote server, including, where applicable, the intended duration of data retention
• How the user may access, retrieve or, where relevant, erase the data, including the technical means to do so, as well as their terms of use and quality of service.

The Data Act became applicable on 12 September 2025. What do businesses need to pay attention to under this new EU-wide regulation?

Nature and purpose of the Data Act

The Data Act—Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)—is an EU regulation, and as such applies directly in Poland and all other EU member states. At the national level the Data Act will be supplemented by local regulations, but these will essentially govern only procedural issues (e.g. infringement proceedings), not substantive issues. In other words, substantively the Data Act will govern across the entire EU.

EU regulations banning certain AI practices go into effect on 2 February 2025. Some institutions may assume that the bans only apply to extreme practices, which they would never be involved in. But the ban on using AI systems to assess the risk of that someone has committed a crime, or will commit a crime, shows that this is not the correct approach. A more in-depth analysis reveals that some market practices now considered standard, especially in financial services, may prove questionable once the bans enter into force. This is particularly true for monitoring of money-laundering risk and more broadly the risk of fraud.

The Digital Markets Act or DMA (Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector), which entered into force on 1 November 2022, creates many new obligations for businesses operating in the digital sector, particularly so-called “gatekeepers.”

The DMA will impact the functioning of the entire digital ecosystem—not only gatekeepers, but also other participants in digital markets, including business users and end users of core platform services, competing providers of core platform services, and providers of other digital services.

This is because the obligations and prohibitions imposed on gatekeepers will either directly or indirectly vest other groups with rights they can pursue before national courts.

Sharing, exchanging or jointly collecting data may be valuable for the businesses involved and for the development of a given industry sector, technological innovation, and, as a result, consumers. Indeed, data are of fundamental importance for the development of the digital economy, either alone or as a basis for functioning of artificial intelligence. Hence, the competitiveness of companies on the market depends on access to relevant data.

Issues related to access to data have been addressed, among other places, in the “Competition policy for the digital era” adopted by the European Commission. This policy notes that discussions between undertakings on data sharing cannot be conducted in isolation from the nature and type of data, how it is used, and the specifics of the market in question.

Businesses holding certain data may find it risky or not economically justifiable to share it at all. They may fear the loss of competitive advantage, wrongful appropriation of the data, or use of the data in breach of contract. There may also be concerns about possibly violating competition law. The latter concern is also recognised in a Commission document, the “European data strategy.” It highlights the need to update the Commission guidelines on horizontal cooperation, so that the Commission provides additional guidance on the compliance of data-sharing and -merging arrangements with EU competition law.