EU Data Act part II: unfair terms on access to and use of data between companies

The European Commission is building a European data economy. Within its Digital Single Market strategy, the European Commission is trying to stimulate data exchange within the EU through policy and regulation. In this context, on February 23, 2022, the European Commission presented its proposal for the EU Data Act (“Data Act”). The Data Act follows the Data Governance Act and is the second proposal as part of the data strategy.

The Data Act proposal aims to further harmonize the rules on data sharing within the European digital economy. The main focus is to make data more accessible, while at the same time ensuring the protection of the data. Local authorities will be charged with the task of monitoring compliance with the Data Act, with the power to impose fines. Once adopted, the regulation will become directly applicable throughout the EU. However, this is likely to take some time first. It is expected that the Data Act will only come into force around 2026.

Earlier we wrote about what the Data Act will mean for Internet of Things products and services and for cloud services. This article discusses the unfair terms relating to access to and use of data between companies.


The Data Act defines data as “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording.” Therefore, the word “data” in the Data Act includes both personal data and data that is not personal data.

The Data Act provides rights and obligations for various parties involved in the use of data. Companies and consumers will have more rights to access the data they have generated through the use of a product or service. They must also be able to use this data themselves or share it with a third party. Providers of digital services are required to ensure that data can be exchanged and that services can communicate with each other. In addition, the Data Act contributes to the use of private data in the public sector, if that is in the public interest.

According to the European Commission, as a result of the Data Act, consumers and businesses will benefit from lower prices for aftermarket services (such as the supply of parts after purchase) and repair of connected objects, new opportunities for use of services that depend on access to their data and better access to data collected or produced by a device.

This includes the manufacturers of Internet of Things products and their users, parties that hold or receive data and data processing services.

Unfair terms concerning access to and use of data between companies

The Data Act protects micro, small and medium-sized enterprises from unfair contractual terms imposed by a party with significantly stronger bargaining power. micro, small and medium-sized enterprises are defined as companies employing fewer than 250 people and whose annual turnover is 50 million EUR or the annual balance sheet total does not exceed EUR 43 million. 

In order to guarantee a higher level of protection for smaller enterprises in today’s data-driven society, the Data Act, among other things, lays down rules for the agreements that may be concluded with regards to access to and use of data between enterprises. The Data Act establishes when a clause in a contract should be considered unfair if unilaterally imposed on a micro, small and medium-sized enterprise. Here, the main rule is that a contractual term is unfair if its nature is such that its use grossly deviates from good business practices in the area of data access and use, contrary to good faith and fair dealing.

In addition to this main rule, the Data Act also contains a list of contractual terms that are plainly considered unfair and contractual terms that could be considered unfair. Model contract terms recommended by the Commission can assist commercial parties in concluding contracts based on fair terms. The consequence of an unfair term in a contract between the consumer and the provider is that the provision is “non-binding”, according to the text of the Data Act. This could be compared to the ‘black’ and ‘gray’ lists that apply to general terms and conditions in the Dutch Civil Code, the consequence of which is that terms that are nevertheless included in general terms and conditions are void or voidable. Only, the Data Act calls terms considered unfair and terms deemed unfair both “non-binding”. We can imagine that the first category is automatically null and void and that in the case of the second category nullification must be requested. However, this difference is not entirely clear.

There are three contractual terms that are considered unfair under the Data Act. The first is a term that has the purpose or effect of excluding or limiting the liability of the party who unilaterally imposed the term for intentional acts or gross negligence. The second is the clause which has the object or effect of excluding the remedies available in the event of non-performance of contractual obligations or the liability of the party who unilaterally imposed the clause in the event of a breach of these obligations. And the last is the clause that gives the party, who unilaterally imposed the clause, the exclusive right to determine whether the information provided is in accordance with the contract or to interpret any condition of the contract.

A clause shall be deemed unfair if it has as its object or effect the improper restriction of legal remedies, the use of the other party’s data in a manner contrary to that party’s legitimate interests, the prevention or restriction of the other party’s use of self-generated data during the term of the contract, preventing the other party from obtaining a copy of the self-generated data, and allowing the contract to be terminated with an unreasonably short notice period, taking into account the other contracting party’s reasonable ability to switch to an alternative and comparable service and the financial loss caused by such termination, except where there are weighty reasons for doing so.

To what extent the provisions in the Data Act will make a difference in practice remains to be seen. According to Dutch case law, some of these provisions are already void or voidable. For example, liability for intentional acts or gross negligence may not, in principle, be excluded and Dutch law already prohibits unfair commercial practices. The big advantage of the Data Act is that it concretely lists a number of provisions that are considered unfair and that it is ultimately intended to include in model contracts. The European Commission will draft these non-binding model contract provisions to help parties draft and negotiate contracts with balanced contractual rights and obligations.


Although freedom of contract remains the underlying principle, according to the European Commission, micro, small and medium-sized enterprises are protected by the Data Act against unfair contractual terms. To make these rules as easy as possible to implement in practice, the European Commission will develop and recommend non-binding model contract terms. How much more protection the Data Act will actually provide for Dutch SMEs remains to be seen, as some of the provisions are already not allowed under Dutch law and according to Dutch jurisprudence.