Why New Zealand businesses should care about the EU Data Act
The EU Data Act is about to change how Kiwi firms handle customer data.
The EU Data Act is reshaping how data is used, shared and protected across Europe. Understanding its impact is crucial for New Zealand businesses, especially those that manufacture IoT devices for, or provide technology services to, EU customers. The regulation entered into force on 11 January 2024, but most provisions start applying from 12 September 2025 (with further phased obligations after that), so organisations selling into the EU should be ready to comply.
What is the EU Data Act?
The EU Data Act (Regulation (EU) 2023/2854) aims to make industrial and IoT data more accessible and usable, with new rules about who can use data, in what ways, and under what terms. The goal is to boost fair competition and innovation while still ensuring data is adequately protected (more on that later). This isn’t limited to data held inside the EU – if a New Zealand business offers connected products, IoT services, or related data services to customers or partners in the EU, the EU Data Act can apply.
Cross-border impact
The EU Data Act, like the GDPR before it, is extra-territorial. That means its obligations travel. If a New Zealand organisation collects, handles, or enables sharing of data from products or services used in the EU, it likely comes under the scope of the legislation. Activities as simple as providing cloud hosting for EU clients or selling internet-connected machinery into Europe count. For example, a New Zealand agritech company exporting smart dairy equipment into Germany could fall inside the scope of these rules.
Key points about the EU Data Act that New Zealand businesses should note:
• Manufacturers or service providers of connected products for the EU must enable customer access to product-generated data.
• Any contractual terms regarding EU data sharing must meet fairness and transparency requirements.
• Failure to meet the EU Data Act’s obligations can result in enforcement action by EU authorities.
Data sharing
The EU Data Act empowers product users (businesses and individuals) to access and reuse the data generated by their devices. This is a striking change from the traditional position, where manufacturers might have considered such data proprietary.
If a New Zealand business holds this data and receives a legitimate request from an EU user (or in some cases, from a third party or EU public authority during emergencies), sharing that data may be mandatory. However, data holders can request “reasonable compensation” for making data available. For micro and small businesses, charges are capped at cost recovery.
Contractual fairness
The EU Data Act puts a spotlight on fairness in contracts relating to data access and data use. Article 13 imposes the general rule that if a data-related contractual term is unilaterally imposed by one business on another and is “unfair”, then it will not be binding.
It then introduces a three-tier test for unfairness:
• A “black list” of always unfair terms. This includes terms excluding or limiting liability for gross negligence or intentional wrongdoing, or limiting remedies for non-performance.
• A “grey list” of presumed unfair terms, which can be proven otherwise. This includes terms allowing termination on unreasonably short notice without serious grounds, or substantial unilateral price changes.
• A general fairness requirement, pegged to good commercial practice in data use/data access and the principle of good faith.
The EU Data Act explicitly addresses the relationship between contractual fairness and the relative strength of parties in data sharing agreements. Stronger parties (including large foreign providers) cannot unilaterally impose unfair conditions in contracts with weaker parties, such as SMEs. Whether a term has been “unilaterally imposed” depends on whether it has been supplied by one party and the other party has not been able to influence its content despite an attempt to negotiate it.
The wide scope of the contractual fairness requirements in the EU Data Act – applying broadly to all data-related rights and obligations between businesses (including natural persons acting in a business capacity) and covering voluntary and mandatory contracts – has been criticised for creating complexity and uncertainty. Even small Kiwi SaaS vendors selling into Europe will need to ensure that their usual boilerplate contracts are compliant. And there are severe penalties for non-compliance, especially in mandatory data sharing contexts.
New Zealand businesses dealing with EU counterparties will need to carefully review and may need to update their contracts related to data access and usage. At a minimum they should ensure:
• Contracts do not contain prohibited unfair terms.
• Data access prices comply with rules for non-discrimination and reasonableness.
• Contractual terms are negotiable or clearly fair to avoid automatic invalidation.
Trade secrets
There are carve-outs from data sharing in the EU Data Act to protect trade secrets and prevent serious harm to business or user safety, but critics argue that these exceptions are too narrow and that the burden of proof is too high. Before refusing, data holders must first take all necessary measures to safeguard trade secrets (for example, through confidentiality agreements). Only if risk cannot be mitigated can they withhold sharing – with careful documentation and possible notification to regulators. This refusal can be contested by the data user or third party requesting the data.
The EU Data Act aims to foster innovation and competition by mandating broader data sharing, but many businesses worry that it will require them to give up valuable data to competitors or third parties, weakening their competitive advantage. Others suggest the obligations to share data will disincentivise research and development investment in the EU, particularly for non-European firms wary of losing proprietary assets. There is a complex balancing act in the EU Data Act, one that – according to critics – currently leans more toward open data at the expense of protecting sensitive business information.
Cloud and data processing services
The EU Data Act introduces requirements for interoperability between cloud providers and easier switching between services for EU entities. Service providers have three primary responsibilities. First, they must inform customers about the data available and the process for switching. Second, they need to eliminate any barriers to switching, whether they are technical, contractual, or otherwise. Lastly, providers must assist customers in leaving the service, which might require technical support to enable interoperability. Early termination fees may still be charged, and switching charges are only allowed on a transitional, reducing basis until 12 January 2027. After that, switching and egress fees will be fully banned.
For New Zealand SaaS and infrastructure providers serving EU businesses, this may mean technical and contractual updates to meet these interoperability and switching standards.
Exceptions for small businesses
The EU Data Act includes several important exceptions for small businesses to reduce their regulatory burden. Micro and small enterprises are generally exempt from the obligation to provide data generated by connected products or related services to users or third parties when they themselves act as manufacturers, service providers, or data holders. These exemptions don’t prevent micro and small businesses, when acting as users of devices or services, from benefitting from rights to access data. They can also receive financial compensation when providing data in situations where larger companies must share it free of charge (such as public emergency situations or requests from public bodies).
Next steps
The EU Data Act means the days of treating connected-product or IoT data solely as a proprietary asset are ending, at least when dealing with the EU.
New Zealand businesses with European customers, distributors, or strategic partners need to check whether they generate or handle user data covered by the EU Data Act, and consider how that data is collected, managed, and able to be shared. In practice, this may mean sitting down with your European counterparties sooner rather than later. Exceptions for small New Zealand businesses may apply but you should check this by seeking legal advice. EU-facing contracts may need to be reviewed and updated, and technical changes may need to be made to enable EU users to access and move their device-generated or service data, as required. Businesses will want to think about how they can safeguard their trade secrets, while still complying with the EU Data Act – any reasons for delaying or refusing data access will need to be well documented and ready for regulatory scrutiny.
There is a phased approach to the EU Data Act requirements taking effect, to give businesses time to prepare for the different compliance obligations:
• Most of the provisions will apply starting 12 September 2025.
• The unfair contractual terms provisions will take effect in two stages:
1. For contracts concluded after 12 September 2025, the fairness check applies immediately.
2. For existing contracts concluded on or before 12 September 2025, the fairness provisions apply starting 12 September 2027 but only if they are indefinite in duration or have a term lasting at least 10 years from 11 January 2024 (i.e., ending on or after 11 January 2034). This gives businesses extra time to adjust longer-term contracts.
• Specific provisions about the design, manufacture, and provision of connected products and related services will take effect from 12 September 2026.
• There are also transitional rules leading up to the full ban on switching fees and data egress fees taking effect from 12 January 2027 onwards.
If you think your business might be impacted by the EU Data Act, reach out to one of our team.