Data access and data sharing – navigating new rules in the UK and the EU
Introduction
Data is now recognised as a key economic and business asset for driving innovation, competitiveness, and growth. In the UK and the EU, new laws and regulations that are intended to make more data available for use and foster data-driven economies and societies–at the same time balancing this with the rights and interests of data holders–have been or are in the process of being implemented.
In this Law-Now article, we take a closer look at the data access and data sharing rights and obligations proposed in the Smart Data provisions of the Data (Use and Access) Bill (the ‘DUA’ Bill) and those set out in the Data Act, and set out some practical steps that UK businesses can take to prepare themselves for change.
Background
On 23 October 2024, the UK government set out its proposed reforms of UK law relating to the use of and access to data with the introduction to Parliament of the DUA Bill. The DUA Bill includes provisions that will enable new Smart Data schemes to be established, with the intention of increasing data portability between suppliers, service providers, customers, and relevant third parties. You can find out more in our earlier Law-Now article.
The UK’s proposals for Smart Data schemes have parallels with recent developments in the EU, in particular the data access and sharing requirements of the EU Data Act, which came into effect on 11 January 2024 and will become applicable on 12 September 2025 (subject to some exceptions). Along with the EU Data Governance Act (which has been applicable since September 2023), the Data Act has introduced far-reaching rules on access to and use of industrial data in the EU, with the aim of facilitating the free movement, sharing and re-use of data to create secondary markets and strengthen economic competitiveness. The data access and sharing requirements of the Data Act focus on data that is collected or generated by the use of connected products and related services (Internet of Things (IoT) devices and software). You can find out more in our earlier Law-Now article.
The data access and sharing requirements of the Data Act have extra-territorial effect. This means that they will apply to UK businesses that, for example, manufacture connected products and/or provide related services that are sold in the EU, and to UK businesses that hold data that is generated by the use of connected products or about its use and provide that data to third parties in the EU at the request of the user. UK businesses that operate within the scope of these new regulatory frameworks need to take steps to identify how their operations, products and services will be impacted by–and how they can take advantage of–the new rules, and how they may need to adapt, supplement or adopt new data strategies or data governance and management practices to accommodate these changes.
Overview
Data access and sharing under Smart Data schemes
The provisions in the DUA Bill on Smart Data schemes establish a framework to allow for sharing of customer data held by service providers with authorised third-party providers, upon a customer’s request.
Authorised third parties will then be able to use this data to provide services to the customer. Smart Data schemes are seen by the UK government as a way to increase competition, create greater opportunities for innovation, save time for consumers, reduce costs, increase the quality of services, improve the security of data sharing and increase the trust in data sharing mechanisms. Services provided by authorised third parties may include, for example, personalised market comparisons for services (such as energy services) and automatic switching from one service provider to another (helping to overcome the ‘loyalty penalty’ which reportedly sees UK consumers who do not switch or recontract with their mobile, broadband, home insurance, savings and mortgages service providers collectively pay an estimated £3.4 billion per year more than other customers).
Open Banking is an example of a Smart Data scheme that already operates in the UK. Open Banking enables UK consumers and businesses to permit authorised third parties to access their banking data (e.g. to pre-populate a form or facilitate risk analysis when assessing applications) in order to provide them with financial services. The UK government hopes that this new legislation will extend the success of the Smart Data model used in Open Banking to other sectors.
Data access and sharing in the Data Act
The data access and sharing requirements and obligations of the Data Act are primarily concerned with data that is collected or generated by the use of connected products and related services. This data would include, for example, data that is recorded or which results from a user’s actions (e.g. data about a product’s/service’s environment or interactions), data that is generated automatically by sensors (e.g. raw data) and data recorded by embedded applications (e.g. that indicate hardware status and performance).
The Data Act grants users of such connected products and related services (which includes both business users and consumers) the right to access, use and share the data generated by the use of such products and services, and it imposes obligations on holders of that data (which could be the manufacturer or provider of the connected product and related services or a third party used by the manufacturer or provider to store the data) to make it available to users and third parties of the user’s choice in certain circumstances. It also requires that data holders make data available to data recipients under fair, reasonable and non-discriminatory (FRAND) terms and conditions, in a transparent manner.
The Data Act also provides for the possibility for public sector bodies (the European Commission (EC), the European Central Bank or other EU bodies) to request data from data holders in situations of exceptional need (such as public emergencies or specific tasks carried out in the public interest), and it seeks to facilitate switching between data processing services and to enhance the interoperability of data and of data sharing mechanisms and services in the EU. These aspects are not within the scope of this article, but you can find out more about them in our earlier Law-Now articles on the Data Act here and here.
Smart Data schemes and Data Act compared
Sectoral approach
UK: In the UK, Smart Data schemes under the DUA Bill will require regulations to be made by the Secretary of State or the Treasury and reviewed by Parliament before coming into effect. The schemes will be preceded by a period of consultation and must consider factors such as the likely impact on: customers, data holders, small businesses and micro businesses, innovation, and competition.
EU: By contrast, the data sharing elements of the Data Act are directly applicable to all Member States of the EU, which means secondary legislation is not required for them to apply. And whereas the data access and sharing provisions of the Data Act target a particular technological use case–data that is collected or generated by IoT products and related services–Smart Data schemes could be applied to a variety of different use cases.
This difference reflects the UK’s focus on incremental, sector-based adoption, while the EU has opted for a broader, technology-driven approach. The UK government is seeking to replicate the success of Open Banking in the financial services sector, rather than focus on technology-specific use cases (which would apply across any sectors in which that technology is deployed, as is the case with the data access and sharing provisions of the Data Act). For example, another sector that the UK government is targeting is energy, and a consultation by the Department for Energy Security and Net Zero (DESNZ) on introducing an energy Smart Data scheme closed in March 2025 (a government response to the consultation is yet to be published).
Obligation to make data accessible to users
UK: Smart Data schemes will require data holders to provide access to customer data and/or to business data. (Under the DUA Bill, ‘data holders’ are, in relation to customer data or business data of a trader, the trader or anyone processing such data in the course of business.) Data holders may also be required to produce, collect or retain customer data or business data and to make changes to customer data, including rectification of inaccurate customer data, at the customer’s request. The regulations establishing any Smart Data scheme may make provisions that require data holders to share data using specified means (e.g. APIs), in compliance with specified standards, or even to establish an ‘interface body’ (that is a body that establishes an ‘interface’ for the processing of customer or business data, sets standards in relation to that interface and maintains the interface and related arrangements). The regulations may allow data holders (amongst others) to charge fees to meet expenses incurred by them in complying with the scheme. The DUA Bill does not expressly deal with circumstances in which a data holder may refuse to provide customer data or business data (unlike the Data Act, which includes provisions that aim to protect trade secrets, as discussed further below) but it does envisage that this could be specified in the applicable regulations.
EU: Data holders have an obligation to make data available without undue delay following a simple request from the user (if users cannot directly access the data themselves). (Data holders under the Data Act are anyone that has the right or obligation in accordance with the Data Act or applicable EU or Member State law, to use and make available data, including, where contractually agreed, product data or related service data which it has retrieved or generated during the provision of a related service.) The data should be made accessible easily, securely, free of charge and in a comprehensive, structured, commonly used and machine-readable format. Where relevant and technically feasible, it should be accessible continuously and in real-time. Users do not have an unfettered right to use the data as they choose: they may not use the data to develop a product that competes with the connected product from which the data originates (or share the data with a third party for that purpose), nor may they use the data to derive insights about the economic situation, assets and production methods of the manufacturer or data holder. This is not dealt with under the DUA Bill and any such limitations would have to be established by the applicable regulations.
Right of users to share data with third parties
UK: The regulations establishing the Smart Data scheme may require data holders to provide data to third parties that are authorised by customers to receive the data. Those third parties may be required by the applicable regulations to receive the data using specified means (e.g. APIs), in compliance with specified standards, or to establish an ‘interface body’. The regulations may also include rules about further disclosure by third parties of the data and the flow-down of obligations imposed on such third parties to those further recipients.
EU: Users have a right to request that data holders make data available to third parties without undue delay, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format, and (where relevant and technically feasible) it should be accessible continuously and in real-time. The Data Act governs the use of data by such third parties. For example, they may only use it for the purpose agreed in a contract with the user, may not make the data available to another third party (unless this is agreed under a contract with the user), may not use the data to develop a product that competes with the connected product from which the data originates (or share the data with a third party for that purpose), nor may they use the data to derive insights about the economic situation, assets and production methods of the data holder. In addition, data holders have a right to apply appropriate technical security measures to protect the data and to ensure compliance with the data sharing provisions of the Data Act and any contractual terms agreed for making the data available.
Protection of trade secrets
UK: The DUA Bill does not expressly say anything about the rules that may be established by the regulations for Smart Data schemes regarding the protection of trade secrets. However, it does expressly state that regulations may make provision about the circumstances in which a data holder may refuse to act on a request for customer data or business data and the Secretary of State or the Treasury (as applicable) must have regard to the effect of a proposed Smart Data scheme on data holders and the likely effect on innovation and competition in the market. It is therefore conceivable that the regulations establishing a Smart Data scheme could deal with the protection of data holders’ trade secrets or other confidential information.
EU: If the relevant data includes trade secrets, the data holder and user or third party receiving the data (as applicable) must agree proportionate measures to preserve the confidentiality of that shared data. If no agreement can be reached or the user or third party (as applicable) fails to implement the agreed measures (or otherwise undermines confidentiality), the data holder may withhold or suspend sharing of the affected data. The data holder will have a right to refuse access to data that is protected by trade secrets in certain circumstances (but doing so would have to be notified to the relevant Member State’s competent authority).
Transparency
UK: The regulations for Smart Data schemes may require data holders or third party recipients to publish specified information, including information about rights of customers and information about the activities carried out by data holders or third party recipients in performance of their obligations.
EU: Before concluding a contract for the connected products and related services, the provider must give certain information to the user in a clear and comprehensible manner. This includes the type, format and estimated volume of data; how the user may access the data; whether the data holder expects to use the data itself and, if so, for what purpose; and whether the data holder expects to allow any third parties to use the data for purposes agreed with the user.
Contracting for data
UK: Unlike the Data Act, the DUA Bill does not expressly deal with how contractual terms may be used to regulate the sharing of data between parties. Any such provisions would have to be set out in the applicable regulations for the Smart Data scheme.
EU: Although the Data Act acknowledges that parties remain free to negotiate the contractual terms on which this data is made available, they must do so within the framework set out in the Act. The Data Act controls the contractual terms that may be agreed by parties in a number of ways, including the following:
| No. | Contractual controls under the EU Data Act |
|---|---|
| 1. | Contractual terms that detrimentally impact the user’s rights to access data will not be binding on the user. |
| 2. | If a data holder must make data available to a third party on request of a user in a B2B arrangement, this must be on fair, reasonable and non-discriminatory (FRAND) terms and conditions. |
| 3. | The data holder may agree compensation with data recipients for making the data available in such B2B arrangements, but the charge must be non-discriminatory and reasonable (but it may include a margin). |
| 4. | Contractual terms about access and use of the data, or liability and remedies for breach or termination of data-related obligations, will not be binding if they are ‘unfair contractual terms’, as defined in the Data Act. Unfair contractual terms are unfair terms that are unilaterally imposed (i.e. the term is proposed by one enterprise and the other enterprise has not been able to influence it despite an attempt to negotiate it). |
| 5. | A contractual term is unfair if it grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing. |
| 6. | Examples of unfair contractual terms include the following terms that are unilaterally imposed by a party: exclusions or limitations on liability for breach of contract or intentional acts or gross negligence of the party imposing the term and exclusion of the other party’s remedies for breach of contract. |
| 7. | Unilaterally imposed terms that will be presumed to be unfair include terms that: ‘inappropriately’ limit remedies or liability or extend liability; permit access to data of the other party in a manner that is significantly detrimental to the legitimate interests of that party; prevent use of the data that is provided or generated by a party during the period of the contract or limit the use of that data; prevent a party from obtaining a copy of the data provided or generated by that party during the period of the contract; allow termination of the contract at unreasonably short notice; permit the imposing party to substantially change the price in the contract or any substantive condition related to the data where the contract does not specify a ‘valid’ reason or permit the other party to terminate in such circumstances. |
These controls on contracting do not apply to the ‘main subject matter of the contract’ (which presumably means the non-data aspects) or the adequacy of the price paid for the data (although, as explained above, access to users must be free of charge and compensation for provision to recipients in B2B arrangements is subject to controls in the Data Act).
Before 12 September 2025, the EC is required to develop model contractual terms on data access and use (including terms on reasonable compensation and the protection of trade secrets) to assist parties in drafting and negotiating fair, reasonable and non-discriminatory terms and conditions. Expert Group E03840 on B2B data sharing and cloud contract was established to assist the EC with developing these model terms and they published their final report–which includes such model contractual terms–on 2 April 2025. Use of the model contractual clauses will not be mandatory and accordingly industry groups and other stakeholders may choose to devise their own terms if they consider the EC’s recommended model terms do not adequately address their requirements.
Data access ‘by design’
The Data Act also introduces a ‘by design’ requirement for connected products and related services, requiring that they are designed and manufactured or provided in a way that the data generated by their use is directly accessible to users. This does not have an equivalent in the DUA Bill’s Smart Data provisions. Manufacturers of connected products that are sold in the EU–irrespective of where those manufacturers are established–will have until 12 September 2026 to ensure that their connected products and related services meet this obligation. The effect of this may be that UK manufacturers who sell connected products in the UK and the EU and are subject to this requirement of the Data Act apply data access ‘by design’ to all of their products.
Next steps for businesses
Finalisation of DUA Bill and consultations
The DUA Bill had its third reading in the House of Commons on 7 May 2025. It will now move back to the House of Lords for final consideration of the most recent amendments–scheduled to take place on 12 May 2025.
The government previously committed in its election manifesto to support Open Banking and its extension to Open Finance. In October 2024, the government also made clear that it intends to use the Smart Data provisions to implement a statutory open data scheme for fuel prices, known as ‘Fuel Finder’, to increase price transparency. It believes that this will help drivers to compare prices easily and make more informed decisions on where to buy petrol and diesel. This follows a public consultation conducted by DESNZ. As mentioned above, the DESNZ consultation on introducing an energy Smart Data scheme closed on 10 March 2025, and industry is currently awaiting the government’s response and proposals for taking this forward.
Preparedness checklists – Data Act
The Data Act will apply from 12 September 2025 (except that some obligations will apply later, like data access ‘by design’, which applies from 12 September 2026). UK businesses that operate within the scope of the Data Act should start to identify the impact that it will have on their products and services and the ways in which they operate, and how they may need to adapt, supplement or adopt new data strategies, governance and management practices, and update their template contracts and develop new data-sharing contracts, to accommodate these changes.
Manufacturers and providers / data holders:
| ☐ | Identify connected products and services that are in scope of the Data Act |
| ☐ | Review current processes for data collection/generation, use and access and consider how these align–or not–with Data Act requirements |
| ☐ | Identify whether provision of data in compliance with requirements would disclose trade secrets and if so, conduct a risk assessment of potential impacts of disclosure and what proportionate measures can be taken to preserve confidentiality, if trade secrets are to be shared |
| ☐ | Identify any security risks related to sharing data and what technical protection measures could be implemented to prevent unauthorised access to data |
| ☐ | Identify purposes for which the data is used by the business and/or for which the business wishes to use the data |
| ☐ | Consider the manner in which data can be made available to users in compliance with Data Act requirements, including whether direct and/or continuous and/or real-time access is relevant and technically feasible |
| ☐ | If data cannot be made directly accessible to users, consider the manner in which data will be made available to users in compliance with Data Act requirements, including whether continuous and real-time provision is relevant and technically feasible |
| ☐ | Become familiar with pre-contract transparency requirements and commence steps to comply with requirements, including identifying the mandatory information to be provided |
| ☐ | Identify applicable template contract terms and conditions and review the current terms and conditions about access and use of data |
| ☐ | Review EC model contractual terms on data access and use and consider whether they are suitable in whole or in part or if bespoke terms should be prepared |
| ☐ | Identify any contracts that will require remediation to ensure compliance with contract controls under the Data Act and develop a strategy for engaging with customers |
| ☐ | Consider what additional costs may be incurred in making data available to third parties upon request by a user, and what reasonable compensation may be charged in accordance with the rules for compensation set out in the Data Act |
| ☐ | Review and update applicable policies and procedures to ensure appropriate governance and management practices for sharing and use of the data by the business, including in compliance with the Data Act |
Users
| ☐ | Identify connected products and services currently being used that are in scope of the Data Act |
| ☐ | Identify applicable contract terms and conditions that will be subject to contract controls under Data Act and review the terms and conditions to check for compliance |
| ☐ | Review EC model contractual terms on data access between users and data holders and consider whether they are suitable in whole or in part or if bespoke terms should be prepared |
| ☐ | Consider and identify the purposes for which the data will be used, for what purposes a data holder may be permitted to use the data, and with which third parties and for what purposes the data may be shared |
| ☐ | Develop a strategy for engaging with providers where data terms and conditions are non-compliant or do not provide adequate safeguards |
| ☐ | Review and update applicable policies and procedures to ensure appropriate governance and management practices for sharing and use of the data (including compliance with any purpose and disclosure restrictions), and for post-market monitoring and auditing of its use to ensure compliance with the agreed contractual terms and any technical and organisational measures to preserve confidentiality of the data or prevent unauthorised access |
Data recipients (i.e. third parties to whom data is made available, as directed by users)
| ☐ | Identify purposes for which data from connected products may be used by the business (and check to ensure that these are within scope permitted by the Data Act) |
| ☐ | Identify applicable template contract terms and conditions that may be used with data holders and users and review the current terms and conditions about access and use of data |
| ☐ | Review EC model contractual terms on data access between data holders and data recipients, and between users and data recipients, and consider whether they are suitable in whole or in part or if bespoke terms should be prepared |
| ☐ | Develop a strategy for engaging with users and data holders |
| ☐ | Review and update applicable policies and procedures to ensure appropriate governance and management practices for use of the shared data, including in compliance with the Data Act, and for post-market monitoring and auditing of its use to ensure compliance with the agreed contractual terms and any technical and organisational measures to preserve confidentiality of the data or prevent unauthorised access |