By Luis Ignacio Vicente, Strategic Counsel at PONS IP and Begoña Otero, Legal Expert & Knowledge Architect, Affiliated Research Fellow Max Planck Institute for Innovation & Competition.

Research Fellow TheGovLab.

In today’s dizzying scene, where artificial intelligence and digitisation are developing at great speed, global dynamics are marked by competitive strategies and disruptive technological development. Initiatives like DeepSeek in China and the ambitious Stargate plan promoted by the Trump administration in the US, reflect a fierce race for AI supremacy, the implications of which go beyond technological innovation and impact geopolitics and economic security.

The recent World Economic Forum held in Davos reflected the global concern regarding the development of AI and its impact on the digital economy. The CEO of Microsoft, Satya Nadella, described the Chinese model as “incredibly impressive” and stressed the need to take the developments in China seriously. This statement, in addition to the trade tensions between the US and China, strengthened the idea that data control and access has become a strategic focus in global technology competition.

The rise of DeepSeek, which is an AI model developed by China with significantly lower training costs than those of Western competitors, has had an immediate impact on the financial and technological markets. Its rapid adoption and the fall in the share value of tech giants such as Nvidia and ASML have highlighted an undeniable reality: data access efficiency could be more crucial than simple computing power.

As governments and companies seek to consolidate their control over the AI sector, it is becoming clear that the competition will not only be decided by the power of the chips or the scalability of the models, but by data governance. The quality, availability and regulation of these data directly influence the competitiveness of the company, the legal security of its operations and the balance of power in the global digital economy. In this context, the EU Data Regulation (EU Regulation 2023/2854), known as Data Act, seeks to redefine the rules of control, access and use of data generated by connected products and related services (IoT data). It has the potential to alter market dynamics and set new fairness and competitiveness standards, by promoting data reuse by both companies and the public sector.

The Data Act entered into force on 11 January 2024 and, although the majority if its obligations will be applicable as of 12 September 2025, some obligations will enter into force the following year as of 12 September 2026, as shall be discussed below. This European regulation aims to correct existing asymmetries by fairly distributing the value of IoT data and promote a more accessible digital ecosystem. However, its practical implementation raises a number of questions regarding its effectiveness and economic consequences.

THE REASON FOR IOT DATA

As a productive resource, IoT data have particular characteristics that enhance its economic value. The fact that these data are nonrival means that their use by a market operator does not limit their availability for others. This trait highlights the potential of data to be widely shared, maximising their use without restricting access to other operators. However, the possibility of exclusion makes data a controllable resource, since those in possession of them can restrict access using technological or legal mechanisms. As such, although IoT generates data that can be, a priori, widely reused, it may be a means for establishing access barriers that reinforce the structural dependency of those who do not control these data access mechanisms. This structural dependency becomes problematic when a company needs the data of another company in order to develop or support their own business model, but does not have access to them. In this regard, control over data and the ability to access them become decisive elements for business competitiveness. Blocking access for connected product users (consumers or companies) which, in many cases, need these data to operate in secondary markets can lead to a loss of competitive capability, undue discrimination, slowing innovation, and lastly, harm to the consumer. Furthermore, technology already governs access to the data produced by connected products and derived services. Blocking access to these data is technically and legally easy to implement. Anyone who cannot access the data box of an on-line device or system is simply sidelined. It is for this reason that IoT data has been the subject of a different regulatory approach. On the one hand, due to the practical impossibility of differentiating between personal data and non-personal data, the category of IoT data includes both. On the other hand, and in line with another European data regulation such as The Data Governance Act & The Open Data Directive, the legal protection provided by the sui generis database right is excluded for databases containing data generated by the use of connected products and related services. As such, access and use of IoT data is not hindered by the sui generis database right, preventing strategic barriers that could limits their reuse and the development of innovations based on these data.

REGULATED ACCESS REGIMEN AND CONTROL OF CONTRACTUAL TERMS

The Data Act establishes a regulated access regimen over IoT data. This regulatory framework forces data holders to adopt a proactive attitude to prevent anti-competitive practices, by facilitating access and reusing data in order to stimulate innovation and the development of new markets. Unlike a model based on exclusive data property, the Data Act is based on controlling access and the need to unblock structural barriers that have historically favoured the concentration of data power in the hands of connected product manufacturers and related service providers. This approach is inspired by Industrial property rights and incorporates elements of Contract law, personal data protection and the unfair competition and antitrust law to establish a more balanced framework between data holders and users.

The main aim of the Regulation is to reduce power asymmetries in IoT data access and facilitate exchange to the benefit of society and the digital economy. To do so, it imposes a series of legal and contractual mechanisms that set up mandatory data access, simultaneously guaranteeing incentives for investment and competitiveness in the market. This regulation seeks to prevent de facto monopolies from forming in data control, promote secondary market development and connected product and service interoperability. However, the regulation does not completely remove the access barriers since it allows data holders to retain certain contractual rights and set conditions of use, which could create indirect restrictions on the reuse of data in key markets such as the automotive, health or manufacturing industry.

In order to reach these aims, the Data Act establishes a series of instruments that make up, on the one hand, a legal regimen for mandatory access, and on the other hand, within the framework of voluntarily negotiated contracts, imposes a regimen for controlling abusive clauses that are unilaterally imposed on another company that affects contracts between companies, and that therefore adapts the rules of contractual law.

MANDATORY REGIMEN

The mandatory access regimen consists of three main instruments: introducing a right to access, use and share horizontal “incomplete” data, for both companies with consumers (B2C) and between companies (B2B); including an additional data use contract between the data holder and the user, and establishing a technological precondition imposed on connected product manufacturers.

• Right to access, use and share the data: Users of connected products and related services have the right to access data generated by their use, use the data and share it with third parties. That said, the scope of these rights is limited to the raw and pre-processed data, excluding inferred data. In principle, users can decide who they share these data with (except with companies designated as access guardians according to the Digital Markets Act) and for which purposes, upon request to the holder, respecting trade secrets and intellectual property rights and allowing the data holder to request a paid license under FRAND terms, that is, fair, reasonable and non-discriminatory. What is more, the rights set forth in these articles are established as complementary to the right to access of interested people and the right to portability of personal data according to the GDPR.
• Imposition of an additional data use contract: The Data Act compels data holders to enter into an additional contract between the data holder and the users, which grants the user exclusive rights over the marketing of non-personal data. In addition to the consent required for processing, using and sharing personal data according to the GDPR, the Data Act establishes that the data holder “shall only use any readily available data that is non-personal data on the basis of a contract with the user”. This implies that, in the absence of such a contact, the holder cannot use, share or monetise the non-personal data of the connected product under its exclusive control. In practice, the lack of clarity regarding the terms of this additional use contract could create uncertainty and contractual disputes.
• Accessible design obligation: The principle of “access by design and by default” is established, which compels connected product manufacturers to guarantee accessibility to the data from their inception. This measure seeks to prevent manufacturers from using technological barriers to restrict access, ensuring that the data are available in structured and machine-readable formats. However, the implementation of this obligation comes with technical and economic challenges, since it requires the hardware and software architecture of the connected devices to be changed, which could increase the production costs and lead to resistance from the manufacturers.

VOLUNTARY REGIMEN

With respect to the voluntary data contracts, the Data Act explicitly retains the application of the general legislation of the European Union on consumer protection with regards to contracts with consumers. It is in relation to contracts between companies where the Regulation introduces a specific regimen controlling abusive clauses that are unilaterally imposed.

This specific regimen establishes a regulatory framework that is designed to prevent abusive contractual relationships between companies (B2B). Its aim is to balance out the power asymmetries in contracts related to data, in which one party can unilaterally impose disadvantageous terms, taking advantage of their superior negotiation position. Its purpose is to control excessive contractual terms when a stronger market position has been abused by exerting negotiation power derived from this position.

The regimen applies to both the data holder and the receiver, regulating situations in which either of them uses their position to impose unfair contractual terms. The data dependency of a weaker party may be a sign of inequality in the negotiation. However, the Regulation itself sets out that the fundamental criteria is the capacity of one party to unilaterally impose an abusive clause, regardless of the specific circumstances that cause this inequality.

In practice, this entails the use of an automatic criterion: any contractual clause that a party has not been able to influence after an attempt to negotiate is considered unilaterally imposed and, therefore, abusive. This approach, which is based on “take it or leave it” contractual strategies, allows an objective assessment via documentary evidence of the negotiation process. However, this criterion also has weaknesses since it can be avoided by negotiation formalities, and if one party lacks negotiation resources or ability, the abusive clauses could be incorporated into the contract without being subject to regulatory control.

Furthermore, this specific regimen of the Data Act is not limited to specific data transactions, but rather encompasses any contract that includes data exchange elements. An illustrative example is the relationship between an automobile manufacturer and an advanced sensor provider. Although the provider depends on the manufacturer to integrate its products in a wider system, the manufacturer could impose restrictive clauses that limit the ability of the provider to collaborate with other clients, taking advantage of the provider’s strategic interest in the global agreement.

These mechanisms will be applied gradually. While data access and use rights and contracts will be applied as of 12 September 2025, the precondition of making data accessible by design and by default to manufacturers and developers shall apply to products and services introduced on the market after 12 September  2026. These obligations require companies to review their current contractual practices and establish new agreements with users and third parties to guarantee regulatory compliance.

MAIN STICKING POINTS

One of the main sticking points is the obligatory access to the data of connected products and related services (IoT data) and its impact on the business models based on control over the data due to the existence of a technological precondition. That is, it is not a question of being a data holder, but rather that those who hold the data have a material and exclusive control over them due to the technological conditions that provide access (which may imply that one is the owner of these data, even though this is not the case legally). In theory, the Data Act allows connected device users, regardless of whether they are consumers (B2C) or companies (B2B), to access the data they generate, providing opportunities to optimise industrial processes, develop post-sales services and create new digital products. In practice, however, holders will continue to have significant control over the data by means of contractual restrictions, legal exclusions based on the existence of trade secrets and technological protection measures that will limit their effective use by third parties.

The agricultural machine industry in Germany provides an example of this problem. Federal Ministry of Food and Agriculture (BMEL) has prepared model contracts to regulate access to data generated by connected machinery in order to guarantee that farmers can access the data of their machinery and share it with third parties. However, manufacturers have expressed concern regarding the possible loss of control over commercially sensitive information, which has caused tension between fair access and trade secret protection.

Another critical aspect is the lack of clarity in the definition of data and which data are subject to the regulated access regimen imposed by the Regulation. The Data Act broadly defines data, covering any digital representation of acts, facts or information. However, in order to delimit which data is subject to the regulated access regimen, the Regulation differentiates between raw, pre-processed, derived and inferred data. Only raw and pre-processed data fall within the scope of regulated access, as long as the pre-processing did not require substantial investment. This distinction causes uncertainty since pre-processing includes operations such as calibration or noise removal, but it is not clear what other transformations can be considered as part of this process without excluding data from the obligatory access regimen. Furthermore, the lack of clear criteria on what constitutes a substantial investment can make it easier for data holders to argue that certain costs exceed the permitted threshold, restricting access to the data. These ambiguities could lead to prolonged legal disputes and an uneven application of the regulation in different sectors. It is especially problematic for the development of AI systems, which depend on large volumes of different and accessible data. If the data holders can limit access by citing significant pre-processing or investment, many companies that develop AI, especially start-ups and SMEs, could face significant obstacles to obtain quality data, reducing their ability to innovate and compete against dominant players that already control large volumes of data.

The ambiguity of the delimitation of accessible data also affects how the Data Act interacts with other regulatory frameworks. As the regulation does not distinguish between personal and non-personal data, it must be compatible with the General Data Protection Regulation and its respective national regulations. This adds complexity in scenarios where the data are interleaved (mixed data). Likewise, inferred and derived data fall outside obligatory access, which allows holders to retain key information that has been processed by proprietary algorithms. In the context of AI, this means that companies that depend on transformed or aggregated data in order to train models could have limited access to these data sets, hindering the creation of competitive models in sectors such as health, mobility, manufacturing, among others. Moreover, this regulatory uncertainty could discourage investment in shared data infrastructures, stalling the construction of open and collaborative AI ecosystems in Europe. If these aspects are not clarified, the Data Act runs the risk of consolidating the advantage of large tech companies that have privileged access to data, instead of promoting a more equal and dynamic market for developing AI systems.

With regards to competition, the Data Act introduces measures to prevent abusive contractual clauses in B2B relationships, thereby limiting the ability of large companies to impose unfavourable terms on their business partners. However, it does not completely eliminate the possibility that dominant players will structure agreements that continue to favour their control over the data. For example, the majority of companies of the industrial sector recently polled in Germany consider that access to the data of their own machines improves process efficiency and automation, but they also expressed doubts regarding the security of their trade secrets and the viability of sharing data with competitors.

With regards to FRAND terms, which are widely known by the telecommunications and patents sectors and essential for standards, it must be noted that their logic in the sector for licences over data has yet to be developed. For example, one of the key points that is left unresolved by the Data Act is the relationship between the contracts entered into by a data holder and a third party and the FRAND terms. These terms are designed as a standard for authorities, courts or bodies responsible for resolving access request disputes, but not as a criterion for reviewing contracts between parties. Allowing a third party to contest a contract by alleging lack of fairness or discrimination would extend the review beyond the provisions of the Data Act itself, which is even applied to individually negotiated contracts.

SMEs also face a serious regulatory dilemma with the Data Act. Although the regulation introduces an exemption to avoid disproportionate regulatory burdens, these same measures could exclude them from the benefits of fair data access. Furthermore, there is the risk that large companies will restructure their operations in order to take advantage of this exception, creating affiliates or subsidiaries that avoid the obligation to share data while they continue to control access to key information.

Moreover, the Data Act also regulates aspects of cloud computing, with the intention of facilitating data transfer between players in the digital ecosystem, in order to reduce the market power of large providers. However, removing change of provider rates and the requirement to guarantee “functional equivalence” in cloud computing services could lead to adverse effects. Although these measures are designed to promote competition and prevent technological blocks, in practice they may benefit large market players as they impose additional costs on SMEs, which cannot always take on investment in new infrastructure or in adapting their systems to obligatory interoperability standards.

Another challenge for SMEs is the uncertainty regarding the standardisation of cloud services. The obligation to guarantee interoperability could limit the ability of smaller providers to differentiate themselves in the market by using innovative and specialised solutions. Although the Regulation attempts to reduce the change of provider costs and promote competition, it may also slow investment in research and development since providers could be forced to share innovations with their competitors in order to comply with the regulatory requirements. This would not only affect the profitability of start-up companies, but it could also cause limited diversification of the market, harming SMEs that depend on specific and highly customised solutions for their operations.

The impact of the Data Act on AI innovation is cause for concern. AI depends on large volumes of quality data in order to train effective models, and the Data Act could, in theory, facilitate access to industrial data. However, its contractual restrictions and the exclusion of derived data can limit the effective use of these data for start-ups and SMEs developing innovative solutions. The interaction with the Artificial Intelligence Act (AI Act), which classifies and regulates the use of AI models according to their risk level, introduces an additional regulatory compliance burden that could slow innovation and create a competitive advantage for countries with more flexible regulations, such as the USA and China.

In order to guarantee the Spanish and European companies can benefit from the Data Act without losing competitiveness, it will be essential to adopt proactive strategies to securely and efficiently share data in the new European digital economy.

HOW MUST SPANISH COMPANIES PREPARE?

The Data Act will entail a fundamental change in IoT data management in Europe, offering new opportunities for innovation and competition, but also imposing significant regulatory and contractual challenges. This Regulation also aligns with the strategic initiatives that the Spanish government is promoting with regard to digitisation, artificial intelligence and sustainability. Within the framework of the National Strategy for Artificial Intelligence (ENIA) and the Recovery and Resilience Plans, there is a clear commitment to creating sectoral data spaces in key fields such as health, industry and energy. These initiatives aim to promote the secure and efficient exchange of data between companies, public administrations and research centres, which fits with the aim of the Data Act to democratise access to data generated by connected devices and related services.

However, in order for this transition to be effective, Spanish companies must choose to adapt early to this new regulatory framework to prevent risks and maximise benefits. Reviewing contracts must become a priority, ensuring that the data access and use clauses are aligned with the provisions of the regulation and preventing possible ambiguities that can lead to legal disputes. Likewise, protecting intellectual property and trade secrets will require more sophisticated strategies, given that regulated access to data can cause tensions between the opening and the confidentiality of the key business information.

Beyond regulatory compliance, the Data Act opens the door to a fairer digital ecosystem, where companies that know how to take advantage of IoT data access can develop new business models and services based on interoperability. However, in order for this potential to translate into competitive advantages, companies will have to adopt a strategic approach to data management, inverting in technologies that guarantee traceability and regulatory compliance. The ability to successfully navigate this regulatory environment will determine which companies will strengthen their position in the new data economy in Europe and which will be limited by contractual and technical barriers that still persist in the regulatory framework.

Furthermore, the Spanish government has made digitisation and ecological transition fundamental pillars for economic growth. AI applied to sustainability, for example, requires large volumes of data from energy infrastructures, IoT devices in smart cities or water management systems. The Data Act facilitates access to these data, promoting their reuse in predictive models and resource optimisation. However, the lack of clarity in delimiting the data that is subject to the regulated access regimen can cause uncertainty for companies seeking to develop AI-based solutions. In order to maximise the positive impact of these policies, companies must not only comply with the new regulations, but also actively participate in configuring these data spaces, ensuring that contractual frameworks and technical regulations favour both innovation and competitiveness in the European digital market.