Regulating Data: EU Data Act & More - August Edition

Welcome to the inaugural edition of Regulating Data: EU Data Act & More.

In this newsletter, we bring you the latest developments surrounding the EU Data Act and related regulatory initiatives shaping the European data economy. With the EU Data Act becoming applicable in September 2025, now is the time to understand how it will impact cloud switching, data sharing, access rights, and relevant obligations across industries. From the EU Data Act, the evolving framework of the Financial Data Access Regulation (FiDA) to national implementing measures and sector-specific rules, we aim to provide insights and practical updates. Whether you're navigating compliance, developing data-driven services, or following the broader policy landscape, this newsletter is designed to keep you informed and prepared.

A. The EU Data Act

1. FAQs on the Data Act – Last update published by the European Commission (Version 1.2) on 3 February 2025.

The European Commission on 3 February 2025 has updated its FAQs on the EU Data Act (Regulation (EU) 2023/2854) to aid its implementation.

Key updates include:

• Scope:
  a) The EU Commission clarifies that the level of data enrichment is one of the key factors in achieving a balanced and fair allocation of data value. Recital 15 mentions “substantial modification”, “substantial investments in cleaning and transforming the data”, and “proprietary and complex algorithms” as examples of data enrichment.

  b) The FAQs clarify that privacy-enhancing technologies (PETs) do not qualify as data enrichment.

  c) In addition, content that is often covered by intellectual property rights (e.g. textual, audio, or audiovisual content) is excluded. The Act focuses on non-creative data types.

  d) Content from digital cameras and smart TVs is excluded from the Data Act, but imagery from connected vehicles and agricultural machinery, which can be considered “sophisticated sensors”, is included.

• Privacy-Enhancing Technologies (PETs):
  It cannot be concluded that data resulting from applying PETs should be treated as inferred or derived data solely due to the application of these technologies, thus not excluding data holders from obligations under Chapter II. When responding to a request under Article 4 or 5, however, applying PETs can assist with ensuring compliance with the GDPR, in case the requesting user is not the data subject or there are several data subjects using the same connected product.

• Scope Clarifications:
  The FAQs provide criteria for determining if a service falls within the Data Act’s scope, including user expectation, marketing, contractual negotiations, replicability of the service, and whether the service is pre-installed on the connected product.

• Data Sharing Limitations:
  Data holders can limit their sharing obligations if the data is used to develop competing products. The FAQ clarifies, amongst other things, that this right does not extend to data holders of related service providers. A non-compete clause introduced for a connected product does not apply to a related service. A public body in one Member State can request data from a data holder in a different Member State as such a right is important in cases of cross-border emergencies (i.e. natural disasters). Obligations do not extend to third parties outside the EU unless in cross-border emergencies.

• Standard Contractual Clauses (SCCs) and Model Contractual Terms (MCTs):
  SCCs and MCTs for data sharing and cloud contracts are expected by September 2025. The EU Expert Report, published on 2 April 2025, provides MCTs.

• User and Data Holder Distinction:
  A company cannot be both a user and a data holder for the same data simultaneously. If a user shares data with a third party, they should not be considered a data holder for that third party. The EU Commission proposes a narrow interpretation of joint controllership responsibilities.

These updates aim to clarify the Data Act’s application and ensure fair data value allocation while maintaining existing data protection.

2. EU Expert Report Provides Model Contractual Terms (MCTs) and Standard contractual clauses (SCCs)

On 2 April 2025, the European Commission published the final report of the expert group on B2B data exchange and cloud computing contracts.

The report addresses the MCTs created by the expert group for data access and usage, as well as standard contractual clauses (SCCs) for cloud computing contracts.
These are intended to facilitate the practical implementation of the EU Data Act. The report offers a practical tool for all companies that use data from connected products, share data, or utilise cloud services.

The expert group was established by the EU Commission in 2022 to develop non-binding MCTs and SCCs in accordance with Article 41 of the Data Act. The group consists of 17 independent professionals, whose drafts were discussed and revised through consultations and webinars. The goal is to assist parties in drafting and negotiating contracts with fair, reasonable, and non-discriminatory contractual rights and obligations.

Although the clauses are voluntary and non-binding, they provide valuable guidance to meet the requirements under the Data Act. They are primarily designed for B2B relationships but can also be used in the B2C sector with additional provisions.

3. EU Commission amendments to the MCTs and SCCs

Based on the draft MCTs and SCCs by the Expert Group, the EU Commission has made available amended terms and clauses. These new drafts reflect the feedback the Expert Group’s drafts received and were provided for another round of feedback from stakeholders in the beginning of June.

This is one further step to finalising the recommendation by the EU Commission for MCTs and SCCs, which is set to be published before the applicability date (12 September 2025) of the Data Act.

The amended MCTs and SCCs seem to have altered the draft of the Expert Group quite heavily. However, the overall sentiment of the draft seems to remain unchanged, as many modifications are solely in wording, without altering the actual provisions.

4. National Implementing Act in Germany (draft)

As a regulation, the EU Data Act is directly enforceable in all 27 EU member states. The EU member states shall – by adopting national implementation laws – each designate competent authorities and set the penalties for non-compliance with the Data Act (Art. 37 and 40 Data Act).

In Germany, the ministerial draft for an implementing law, dated 5 February 2025, proposes the Federal Network Authority (BNetzA) to act as competent authority (Sec. 2 para 1 Data Act-Durchführungsgesetz-Entwurf, “DA-DE-E”).

As far as the protection of personal data is covered by the Data Act, the Bundesbeauftragter für den Datenschutz und Informationsfreiheit (BfDI) is to be the sole competent authority.

Most EU member states have predominantly named their data protection authorities to ensure as uniform supervision as possible from one source.

Some criticised that choosing the BNetzA does not achieve the synchronisation with the respective competent data protection authorities that is set out by EU law. In most constellations, the respective state data protection authority is responsible for monitoring compliance with the GDPR. Implementing entities would then have to coordinate their data processing with both the state and federal data protection authority – which some see as a contradiction to Art. 37 para. 3 DA.

Others agree with this proposal as the BNetzA will likely be responsible for numerous EU regulation in the future (i.e. AI-Act, Digital Services Acts and Data Governance Act) and therefore have the necessary expertise to effectively monitor and enforce the complex and overarching regulations of the Data Act.

It is still uncertain whether the German implementation act will be passed by September 2025 and what it will include.

If no such law is passed by September, the state data protection authority will automatically become the competent authority for the provisions and constellations of the Data Act concerning the protection of personal data by Union law. There would be no supervision for non-personal data constellations initially. The data protection authorities would then temporarily be the only competent authorities for the Data Act.

If an implementation law can be passed in time, it is uncertain whether it will correspond to the current draft bill. The state data protection authorities therefore currently prepare to assume the supervisory function assigned to them in Art. 37 para. 3 DA.

For non-compliance with the obligations applicable to providers of data processing services, the German draft implementing law envisages penalties of up to 100,000 EUR. This maximum penalty can be exceeded, if the provider gained financial profits by not complying with the Data Act (Sec. 18 para 5 DA-DG-E). The accompanying explanation to the draft lays out that this is particularly introduced as a measure of deterrence. Furthermore, the competent authority can impose up to 10 Million EUR in coercive penalty payments, if the provider does not adhere to their orders (Sec. 7 para 8 DA-DG-E).

For non-compliance with the obligations applicable to data holders and/data recipients in the context of connected products, the German draft implementing law envisages in some cases fines of up 5 million euros or, in the case of a company, up to four per cent of its annual turnover achieved in the European Union in the preceding financial year, whichever amount is higher.

5. Statements of Data Protection Authorities on the Data Act

Several data protection authorities have published statements regarding the Data Act, often with a particular focus on the interplay of Data Act and data protection regulation:

• European Data Protection Board (EDPB) – Statement 4/2025 (dated 8 July 2025):
  • The EDPB assessed the Commission’s draft MCTs and provided several recommendations: (1) clarify whether “users” are natural persons or legal persons and whether different MCTs are needed when users are data subjects; (2) distinguish clearly between personal and non-personal data in the terms and restrict compensation mechanisms to non-personal data; (3) improve definitions and cross references to the Data Act and GDPR; (4) stress that the Data Act is without prejudice to EU data protection law, so in case of conflict the GDPR prevails; (5) emphasise that compliance with the MCTs alone does not ensure GDPR compliance and parties may need additional safeguards; and (6) account for consumer vulnerability and ensure penalties are proportionate.
• Hamburg Data Protection Authority (Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit - HmbBfDI) Guidance “Der Data Act als Herausforderung für den Datenschutz” (dated 29 April 2025):
  • The HmbBfDI warns that from 12 September 2025 manufacturers of connected devices will have to share data with users and third parties. The guidance notes that data access rights under the Data Act extend to personal and non-personal data but that personal data can be shared only when GDPR conditions are met. It stresses that data protection officers must prepare for new obligations and develop strategies to protect personal data and trade secrets.
• Germany’s committee of data protection authorities (Datenschutzkonferenz - DSK) statement on the draft German implementation act (dated 13 March 2025):
  • The DSK argued that the German draft law improperly assigns supervisory tasks to the Federal Network Agency; Article 37 Data Act instead expects national data protection authorities to enforce the regulation. The DSK fears that a dual supervisory regime (BNetzA plus data protection authorities) would create fragmentation and impose additional burdens on companies.

6. Efforts to set Technical Standards for Interoperability

Several European standardization institutions and the EU Commission have announced that they are working on industry standards to support data sharing under the Data Act:

• CEN and CENELEC formally accept the Commission’s Standardisation Request for the EU Trusted Data Framework (dated 7 July 2025): The European standards organisations CEN, CENELEC and ETSI formally accepted the Commission’s standardisation request (Mandate M/614). They will develop seven standardisation deliverables to support Article 33 of the Data Act: four European standards (two to be cited in the Official Journal) and three technical specifications. A joint committee CEN CLC/JTC 25 will develop standards on data governance, interoperability, lifecycle management, evaluation schemes and smart technologies to enable trusted data sharing.

• ETSI progress on trusted data ecosystems (dated 30 July 2025): ETSI announced that its Technical Committee on Data Solutions is working on technical standards for trusted data ecosystems that complement the Data Act. Projects include quality metrics and semantic interoperability, exploring possibilities to converge frameworks for seamless exchange and interpretation of data across platforms, research on data governance use cases, work regarding digital wallets and smart contracts, and collaboration with CEN and CENELEC to address Data Act requirements.

• EU Commission’s 2025 annual Union work programme for European standardisation (dated 27 March 2025): In its 2025 standardisation work programme, the Commission again prioritised developing a European Trusted Data Framework to support implementation of the Data Act. This signals that the Commission and standards organisations consider the trusted data framework a strategic priority alongside other high tech standardisation initiatives.

B. Regulation on financial data access (FiDA)

The EU Commission is working on simplifying FiDA in order to lift regulatory burden

The European Union's Financial Data Access Regulation (FiDA) is intended to facilitate access to financial data and significantly change the exchange of data between financial institutions and insurance companies in Europe.

The Commission published its FiDA proposals back in 2023, marking it out as a pivotal component of the EU’s digital transformation framework. Back in 2024, the Parliament and Council published their respective versions of the proposals, setting out where they agreed or disagreed with the Commission version. Now the Commission, Parliament and Council meet to discuss their respective versions of the text with the aim of ultimately agreeing final legislation. For a more detailed explanation of the proposals, and the divergences between the Commission, Council and Parliament versions, check out the Simmons & Simmons FiDA Tracker Table. We will continuously update this tracker to keep you informed of any new developments as they arise. Should you wish to receive future updates, please feel free to send us an email expressing your interest.

The EU Commission has published on 16 May 2025 a non-paper setting out options to simplify and thereby reduce burden incurred by the draft FiDA. This is in line with the EU Commissions new general approach aiming for a reduction in regulatory burden in order to boost innovation.

In the non-paper the EU Commission explores the following options to simplify FiDA:

• Simplify the scope of FiDA: This option would reduce both the customer data as well as the number of entities covered by the regulation.
• Simplify schemes and reducing the burden of standardisation: This measure is aimed at reducing the efforts needed to find and comply with interoperability standards to enable data access.
• Simplify rules on gatekeepers: This measure reduces the administrative burden for national competent authorities by aligning the rules for gatekeepers closer with the Data Act and the Digital Markets Act.
• Simplify empowerments for implementing and technical regulations: This measure would simplify the application of FiDA by reducing the empowerments of the EU Commission and subsequent (national) authorities to publish implemental or technical regulations.
• Simplify by aligning with the PSD3/PSR framework: This measure would reduce necessary efforts by ensuring consistency with open banking provisions under the PSD3/PSR framework.

C. EU Commission consultations on data usage

The EU Commission has initiated two consultations for the public regarding the usage and transfer of data in the EU. One consultation is aimed at the data usage specifically in regard to artificial intelligence (AI) development and training. Specifically, the EU was looking for “views on the use of data in Artificial Intelligence (AI), on simplifying the rules that apply to data and on international data flows to inform the forthcoming Data Union Strategy”.

The other consultation which was announced on 8 July 2025, splits into separate evaluations of three data regulations: the Free Flow of Non-Personal Data Regulation (FFDR), the Open Data Directive (ODD), and the Data Governance Act (DGA). Each of the evaluations is aimed at gaining insights into the effectiveness of the respective regulation and possible future improvements.

D. EU Data Act Webinar Series

Don't forget to check out our EU Data Act Webinar series - We brought together 15 lawyers from 8 jurisdictions to unpack 7 key topics, each tailored to the needs of our 4 core sectors TMT, FI, AMIF, HLS.

Watch here