Does the EU Data Act Impact Data Sharing Between EU Tech Companies?

My view is yes, but not in the way most headlines suggest.

The EU Data Act does affect data sharing between EU tech companies. It creates new leverage points, new constraints, and a more structured legal frame for certain kinds of data access and reuse. To understand what that actually means in practice, it helps to start with what the law is trying to fix.

The Data Act was built around specific recurring problems: users locked away from data generated by connected products, stronger market players imposing abusive data-sharing terms, cloud switching barriers, and legal uncertainty around mandatory B2B sharing. It is a targeted intervention, not a sweeping redesign of how data flows across the European economy.

That distinction matters, because the law is often described in language so broad it starts to sound like Europe has nationalized the concept of data. It has not. What it has done is build a framework around those specific problems and try to discipline the power imbalances behind them.

So the short answer is this: the Data Act will change data sharing between EU tech companies, but mostly by tackling specific lock-ins and specific power asymmetries, not by creating a broad culture of automatic openness.

Where the law is strongest: connected products

The biggest practical impact will probably be on companies that build or control connected products and related services. The Data Act gives users of connected products greater access to the data they generate and, importantly, the ability in many cases to have that data shared with third parties. That means a manufacturer or platform operator can no longer assume it will remain the sole gatekeeper of the commercially valuable data generated in its ecosystem. For some incumbents, that is a serious shift in bargaining power.

This is where I think the law is strongest. It challenges a lazy assumption that the company closest to the infrastructure should automatically control the downstream value of the data. In markets built around devices, platforms, and proprietary ecosystems, that assumption has often produced a kind of elegant captivity: the user generates the data, but another actor captures the advantage. The Data Act tries to break that pattern. Whether it will always do so cleanly is another matter.

Where people overstate it: B2B sharing

Where I think people overstate the law is in assuming it creates a general B2B sharing revolution. It does not. Chapter III is important, but its function is more modest than the hype suggests. It sets the conditions for cases where a business is already legally obliged to make data available to another business, including under the Data Act itself. In other words, it is not a universal "share your data" rule. It is a rulebook for fairness, reasonableness, transparency, and compensation where a sharing obligation already exists.

That means many ordinary data-sharing relationships between EU tech companies will still remain primarily contractual and strategic. If two software companies, data vendors, or platforms want to share data that does not fall into one of the Act's trigger situations, the Data Act does not suddenly force that relationship into existence. It may influence negotiations indirectly, especially through unfair terms rules, but it does not turn all commercially interesting data into a mandatory commons.

And that is probably correct as a matter of policy. A law that genuinely forced broad horizontal sharing of business data across the board would have detonated trade secret concerns, chilled investment, and produced litigation with the charm of a tax audit and the length of a Russian novel. The Data Act is more careful than that. It nudges, disciplines, and opens specific doors. It does not remove the walls of the building.

The quietly important part: contractual power

One area where the Act may have a quietly important effect is on contractual power dynamics. The unfair contractual terms provisions matter because real-world data sharing is often less about abstract rights and more about who can bully whom in procurement. The Commission's explanation of Chapter IV is refreshingly blunt: these rules are meant to protect businesses, especially SMEs, where a stronger party imposes non-negotiable take-it-or-leave-it terms related to data access and use. That is a meaningful intervention in markets where the weaker party often agrees only because the alternative is commercial exile.

This may end up being one of the most useful parts of the Act for EU tech companies that are not giant platform actors. Not because it will create dramatic new sharing rights overnight, but because it gives weaker firms more legal backbone in negotiations. Add to that the possibility of data coordinators, competent authorities, and certified dispute-settlement mechanisms at Member State level, and the law starts to look less like a philosophical statement and more like an attempt to build enforceable scaffolding.

The large caveat: GDPR still rules the room

None of this can be read without accounting for GDPR. The Data Act explicitly operates without prejudice to EU and national rules on personal data protection, privacy, and confidentiality of communications. The EDPB has been very clear on this point: in case of conflict, data protection law prevails.

In its 2025 statement on the Commission's model contractual terms, the EDPB also stressed that compliance with Data Act contract templates does not automatically mean compliance with GDPR, and that additional measures may still be needed. This is not a side note. It is one of the central reasons the Data Act's real-world effect will be messier than some policy messaging implies.

A great deal of commercially useful data in connected environments is mixed, relational, or capable of identifying natural persons directly or indirectly. Once personal data is involved, the Data Act does not sweep away the GDPR. It has to coexist with it. And coexistence in EU digital law is not always a graceful ballroom dance. Sometimes it is two legal regimes standing in the kitchen, arms crossed, asking who said what first.

The EDPB and EDPS raised these concerns early, back in their 2022 joint opinion on the proposal. They warned that the proposal covered a broad range of products and services, including sensitive contexts, and called for explicit confirmation that data protection law prevails where personal data is concerned. They also highlighted the risk that access and sharing rights could extend beyond the data subject and therefore require stronger safeguards. Those concerns were not academic. They go to the heart of whether "more access" can be achieved without quietly eroding privacy protections.

So what does the Data Act actually change?

It helps by clarifying access rights around connected products. It helps by setting FRAND-style expectations where sharing is legally required. It helps by limiting abusive contractual terms. It helps by lowering some cloud switching barriers and pushing interoperability. It helps by giving businesses, especially smaller ones, a clearer route to complain and seek redress.

But it also leaves major friction intact. If the data is personal, GDPR still dominates. If the data falls outside the Act's trigger points, ordinary commercial negotiation still rules. If the business model depends on exclusive ecosystem control, firms will search enthusiastically for ways to interpret scope, feasibility, trade secret protection, and compensation in their favor. None of this is shocking. It is what happens whenever regulation tries to redistribute leverage without fully redesigning the market.

My conclusion

The Data Act is best understood as a market-correcting law, not a data-sharing utopia. It is trying to reduce lock-in, rebalance some negotiating power, and open specific data access channels that were too easy for dominant actors to close. That is valuable. Europe does need rules that stop data from becoming pure gatekeeper property in connected ecosystems.

But the law is also fragmented by design. It solves some problems through access rights, others through contract fairness, others through cloud portability, and then asks companies to thread all of that through existing privacy law. The result is useful, but hardly elegant.

The EU Data Act does impact data sharing between EU tech companies, but its impact is selective, conditional, and heavily mediated by GDPR, contract structure, and technical context. It will weaken some gatekeeping strategies. It will improve some negotiations. It will create new compliance work. What it will not do is create a frictionless European data-sharing paradise.

And honestly, that may be for the best. Paradise tends to have terrible audit trails.

Sources

Regulation (EU) 2023/2854 (the Data Act). The primary legal text, available via EUR-Lex, including a plain-language summary of each chapter's scope and purpose.

European Commission, "Data Act explained". Useful for understanding how the Commission frames the law's intent, particularly the distinction between connected product access rights, mandatory B2B sharing, unfair contract terms, and cloud switching.

European Commission FAQs on the Data Act. Confirms the Act has applied since 12 September 2025 and points to implementation guidance including model contractual terms.

EDPB Statement 4/2025 on model contractual terms. Key interpretive signal on the relationship between the Data Act and GDPR: the EDPB is clear that GDPR prevails in case of conflict and that Data Act compliance tools alone do not guarantee GDPR compliance.

EDPB-EDPS Joint Opinion 2/2022. Earlier opinion on the proposal stage, still useful for understanding the core privacy concerns that shaped the final law and why the Data Act cannot be read in isolation from GDPR.