EU data law comes into effect on January 11, 2024, with full implementation on September 12, 2025.
Further strengthening protection of consumer and small business rights
With egress fees set to be completely banned starting in 2027, businesses and public institutions are expected to diversify their use of multi-cloud.
1. Background and timeline of the application of the law
The EU enacted the Data Act to clarify rights and responsibilities surrounding data utilization amid the rapidly growing Internet of Things (IoT) data and proliferation of cloud services. This comprehensive regulatory law guarantees fair access, use, and sharing of data within the EU, stimulating the data economy across industries, businesses, and consumers. Published in the Official Journal of the European Union on December 22, 2023, the Data Act entered into force on January 11, 2024, and officially began on September 12, 2025. Notably, switching between cloud service providers and data egress fees are scheduled to be completely banned on January 12, 2027, requiring companies to adopt a phased response strategy.
*Egress fee: Transfer fee charged when taking data out of a cloud service.
2. Main contents
Scope and Obligations
The Data Protection Act applies to manufacturers of connected products and companies providing related services. These companies must design and manufacture products and provide services that allow users to safely, easily, and cost-free access to data generated by their products and services. Furthermore, before selling or leasing a product or service, companies must clearly and easily notify users of the type of data generated by the product or service, how long the data will be retained, and how users can access, search, and delete the data.
Strengthening user rights and preventing unfair contracts
The core of data law is to guarantee the rights of consumers and businesses using connected products and related services to directly access, utilize, and share the data they co-create. For example, sensor data generated by automobiles, smart appliances, and agricultural and industrial machinery can be freely accessed by users and, if necessary, shared with third parties. However, such data cannot be used for the development of competitive products, and its provision may be restricted if there are concerns about trade secrets or safety violations. Furthermore, data law regulates "unfair contractual terms" to prevent companies with strong bargaining power from unilaterally imposing unfair contractual terms. In other words, data law prohibits companies from unilaterally imposing disadvantageous terms or imposing clauses that restrict choice when concluding contracts. Legal protections have been strengthened, particularly for small and medium-sized enterprises (SMEs), which often have limited bargaining power, to prevent them from being subject to unfair data-related contracts offered by large companies. Consequently, SMEs can operate in a more transparent and fair contractual environment when utilizing data.
Expanding the use of data in the industrial and public sectors
The use of industrial data offers opportunities to increase efficiency and optimize operations in diverse sectors, including manufacturing, agriculture, and construction. For example, in precision agriculture, IoT sensors can be used to collect and analyze weather, soil, and market price data to optimize resource allocation and increase yields. Data laws also play a crucial role in the public sector. Public institutions can access privately held data in emergencies such as disasters, pandemics, and cybersecurity incidents for public interest purposes. Even in non-emergency situations, public institutions can access non-personally identifiable data, such as machine operation records and traffic statistics. This data is classified as non-personal data because it is not directly linked to specific individuals. However, data requests from public institutions are governed by two principles. First, the principle of transparency. This means that the reason for the data being requested and the purpose for which it will be used must be clearly disclosed. Second, the principle of proportionality, which stipulates that the scope of data requested by public institutions must not exceed what is absolutely necessary to achieve the intended purpose. Furthermore, repetitive or unnecessary requests for the same data are prohibited.
Liberalizing Cloud Transition and International Data Protection
The Data Act focuses on eliminating the cost, time, and technical barriers that cloud and data processing service users face when switching to other providers. After 2027, data egress fees will be completely banned, and until then, charges will be limited to cost-based fees. This will allow businesses and public institutions greater freedom in developing multi-cloud strategies and reduce the risk of lock-in to a specific provider. Furthermore, the Data Act regulates attempts by governments outside the EU to access non-personal data stored within the EU. This measure protects fundamental rights and commercial confidentiality within the EU, preserving lawful law enforcement cooperation within the framework of international cooperation while preventing unauthorized access.
Sanctions for violations
Violations of the DAI Act may result in financial and administrative sanctions. Depending on the severity of the violation, fines of up to €2000 million or 4% of global revenues may be imposed. Furthermore, various sanctions are expected to exist, including fines, warnings, corrective orders, business suspensions, and user access restrictions. However, as specific fines and procedures are expected to be established based on national laws, the actual level of sanctions may vary by country, so it is important to check the relevant laws and regulations of each country.
3. Things to keep in mind for companies entering Europe
Companies seeking to enter the European market must go beyond simply exporting products and develop a systematic response strategy to the data protection laws. First, the potential for data sharing must be reflected in the product design phase, and sensor data and metadata must be easily accessible to users. Second, business-to-business contracts must adhere to the Fair, Reasonable, and Non-Discriminatory (FRAND) principles and ensure they do not include unfair provisions. Third, they must transition their cloud service strategies to a multi-cloud foundation and prepare for the ban on switching and egress fees, which will take effect after 2027. Fourth, they must establish technical and legal measures to protect trade secrets and security, and establish internal processes to respond to data requests from public institutions. Finally, ensuring compliance with existing personal data protection laws, such as the GDPR, is essential. Ultimately, companies entering the European market must recognize data protection laws not as mere regulations, but as new business environment rules for market access, and develop response strategies accordingly.
4. Future Outlook and Implications for Korean Companies
The Data Act will be fully implemented in September 2025, and may be revised if necessary after an impact assessment within three years. The Commission will also operate a legal help desk to support SMEs and industry, and will recommend standard contractual clauses for data sharing and cloud contracts by fall 2025. For Korean companies, the Data Act presents both opportunities and challenges. Manufacturers entering the European market must prepare for data access and sharing from the product design stage, while cloud and SaaS companies will need to restructure their portfolios with a multi-cloud transition in mind. Furthermore, the agriculture and mobility sectors could see expanded opportunities for data-based value-added services and aftermarket businesses.
Source: EU Commission, FT, Politico, and other local media