The first data bill for the Internet of Things (IoT) is officially implemented, accelerating innovation brought by "data from things".

On September 12th, the EU Data Act (DATA ACT) was officially implemented in the European Union. It grants users the right to control the data generated by their connected devices, establishes a mechanism for the circulation of Internet of Things (IoT) data, and creates opportunities for new business models based on data services. Meanwhile, the EU is an important market for China's exports of electronic products and connected devices. The official implementation of the act has a new impact on Chinese manufacturers of IoT-related products for export. Manufacturers need to thoroughly understand the requirements of the act and make corresponding adjustments to their products and business models to ensure the compliant sales and use of products in the EU market.

Legislating on the circulation and use of IoT data forms an important part of the EU's data strategy

In 2020, the European Commission released and implemented the European Data Strategy, aiming to enhance Europe's competitiveness and social welfare by fully leveraging data-driven innovation and transform Europe into the world's most attractive, secure, and dynamic data economy. The Data Act is an important legislative initiative in the implementation of the European Data Strategy. It expands users' access to high-quality data and enhances the potential of data-driven innovation.

The Data Act applies to a wide range of "products," including any tangible, movable items (even if incorporated into real estate) that collect or generate data about their use or environment and can transmit this data through publicly available electronic communication services. From the "products" to which the act applies, we can see that it includes most IoT devices, from smart home appliances, smart wearables to connected industrial equipment. Of course, the act clearly states that the scope of application does not include products whose primary function is to display or record the content of online services, such as personal computers and smartphones.

The Data Act also applies to relevant services. Relevant services are defined as digital services other than electronic communication services, including software that is connected to a product at the time of purchase, rental, or lease in a way that causes the product to be unable to perform one or more functions, or that is subsequently connected to the product by the manufacturer or a third party to add, update, or adjust the product's functions. These services include those embedded in or interconnected with IoT products, or services connected to the product after-sales by the manufacturer or a third party, which are crucial for the product to perform its primary functions. Typical examples include voice assistants, music streaming services connected to smart speakers, lifestyle advice applications connected to fitness trackers, command and control software for industrial machines, and software for building energy optimization. These services also generate rich data.

To some extent, the Data Act can be considered a landmark legislation specifically targeting the data of IoT products. What is more significant is the mechanism related to data sharing and flow designed for IoT devices, which establishes a stable mechanism between data holders and data users and maximizes the utility of data.

First, the act grants IoT product users the right to access data or allows a third party selected by the user to request access to the data. If users cannot directly access their data, data holders must "provide the data free of charge without delay and, where applicable, continuously in real-time."

It is worth noting that the act innovatively introduces the subject of "data holders," and the definition of data holders may vary depending on the situation. In general, the product manufacturer is the data holder. However, if the manufacturer transfers control of the data, the receiving enterprise will assume the obligations of the data holder. For example, if a connected machine tool is installed in a factory and the manufacturer signs a contract with a third-party maintenance provider to monitor the performance and health of the machine tool, the maintenance provider will be the data holder in addition to the manufacturer because the maintenance provider performs the functions of collecting, storing, and analyzing data. Similarly, if the IT department of a hospital aggregates, stores, and controls access to patient data from patient monitoring devices, the IT department is the data holder, not the manufacturer.

Of course, the act clearly limits the right to access data. For example, if the access and use of data would violate the security requirements for interconnected products stipulated by EU or member state laws, data holders can impose restrictions on data sharing. In addition, relevant institutions shall not use the data obtained from data holders to develop competing products, nor shall they share the data with third parties to gain insights into the economic situation, assets, and production methods of businesses or data holders. The act also proposes restrictions on the data used by large technology companies to prevent these enterprises from strengthening their monopoly power through the data circulation rules of fair data sharing, thereby protecting the interests of small and medium-sized enterprises.

The EU's most well-known legislation in the data field is the General Data Protection Regulation (GDPR). Of course, the GDPR focuses more on data protection, especially the protection of personal data. The Data Act focuses more on promoting the circulation and utilization of data and, to some extent, provides a practical solution for the circulation of IoT data, reflecting the importance attached to data as a production factor. It is a core measure for the realization of the European Data Strategy.

The new business model based on IoT data sharing has a profound impact on IoT manufacturers

Before the introduction of the Data Act, IoT device manufacturers had exclusive control over all data generated by the use of their devices through product design and technology. To some extent, the access of enterprises or consumers using these devices to the data generated by the devices was restricted.

Except for manufacturers, other third parties could not access the data generated by IoT devices, which, to some extent, stifled innovation and limited opportunities for new business models and services. A typical example is the difficulty in innovating the secondary service market for IoT devices. Due to the difficulty in obtaining the data generated by the devices, independent service providers were often excluded from the secondary market. For example, some experts believe that the in-vehicle data generated by connected cars (including technical data about the car or the user's driving behavior) is usually completely controlled by car manufacturers. This allows manufacturers to rely on the data and have a monopoly in the secondary service market (such as repair and maintenance services). Restricting third-party service providers' access to data limits market competition and consumers' choices.

The European Commission also gave another example, which is the data generated by agricultural machinery. This data is controlled by a small number of agricultural machinery manufacturers, and farmers and third-party agricultural service providers' access to the data will be restricted. For example, the yield data collected by connected harvesters is usually only available through the manufacturer's proprietary application or approved dealers. Farmers and agricultural consultants cannot easily obtain this data for analysis, although agricultural consultants can use this data to provide customized crop management advice. In addition, usually only the manufacturer or authorized dealer can access the machine's data and provide predictive maintenance services. The Data Act aims to provide real-time data to farmers and third-party service providers, further expanding the business of third-party agricultural services and machine maintenance.

Connected medical devices are another area. The data generated by patient monitoring devices is often stored in the manufacturer's proprietary platform. Healthcare providers cannot easily access the original patient data to integrate it with other information systems. Similarly, third-party service providers (such as analysis or telemedicine platforms) cannot access the data unless the manufacturer agrees to provide a data interface - they can decide to refuse or charge prohibitively high licensing fees at their own discretion, and these fees exceed the cost required for the manufacturer to recover the investment in device development.

Driven by the Data Act, some third-party service business models based on IoT data will develop rapidly. Markets such as predictive maintenance, insurance services, and health services will receive rich data support. Taking insurance services as an example, when users insure their production scenarios, previously, insurance companies could only rely on experience for risk assessment, premium estimation, and product design for users because they could not obtain the operating conditions of production equipment. Under the relevant requirements of the Data Act, the data holder of the equipment provides the insurance company with data related to the machine's operation at the user's request. Based on this, customized insurance products can be designed for users, further reducing user costs. The after-sales service market for intelligent connected cars will also see more innovative models due to the implementation of the Data Act. Services such as car repair and maintenance and vehicle insurance will also be injected with new vitality due to the data sharing policy.

IoT enterprises going global should prepare to ensure compliant product provision

The EU is an important market for China's exports of IoT-related products. The implementation of the Data Act has a direct impact on all IoT enterprises and products going to the EU market. It is very necessary to address compliance issues; otherwise, they will receive huge fines from EU law enforcement agencies.

Taking home appliances as an example, data from the China Household Electrical Appliances Association shows that from January to May 2025, China's exports of air conditioners to the EU and the UK reached $1.388 billion, a year-on-year increase of 20.25%; the export volume reached 7.9682 million units, a year-on-year increase of 20.14%. Home appliance giants such as Hisense, Gree, and Midea have achieved rapid growth in exports to the EU. Among them, smart home appliances are the highlight products for export to the EU, and these products are all within the scope of application of the Data Act.

To meet the requirements of the Data Act, manufacturers of IoT products exported to the EU must adjust their product designs and internal data governance procedures. Many compliance consulting agencies have put forward a lot of suggestions in this area. Some of the most basic changes include:

Technical redesign: Ensure that products are designed to be data-accessible, which may require a large amount of R & D investment and changes to the existing product line.

Contract adjustment: Revise agreements with EU users and third-party service providers to comply with the new data sharing and access-related terms.

Ongoing management obligations: Manage requests from users and third parties, maintain a secure data flow, and may bear increased operating costs.

The author believes that the EU Data Act provides a very good idea for the institutional construction of IoT data elements. In the future, we can explore clarifying the rights and obligations of all parties in the IoT during the data circulation process through legislation, which will form an important support for releasing the value of the IoT and promote the "data of things" to empower various industries.

This article is from the WeChat official account "Internet of Things Think Tank" (ID: iot101). Author: Zhao Xiaofei. It is published by 36Kr with authorization.