The EU Data Act — Data Switching Rights for EU Customers

At a Glance

• Businesses will need to review their terms and conditions to assess what might be deemed undue obstacles to switching. Terms and conditions for cloud services are often relatively standardised, although compliance with standard (U.S.) market practice will not necessarily mean that the terms comply with the Data Act. 
• Information about data portability should be included prominently in the terms and conditions and user guides. As the Data Act mandates much shorter switching times than would often be market standard, this is something that will need to be provided for European customers. Proactively providing notice and help with respect to switching may help create customer loyalty in the longer-term. 
• Providers should act quickly during the transition period to mitigate the impact of eliminating switching charges on revenue streams by re-engineering the switching process. As far as technically possible, customers should be provided with the tools to do the bulk of the migration work themselves.
• U.S. service providers will need to prepare for the Data Act, given its extraterritorial scope. If noncompliance with the Data Act involves personal data (which will often be the case), data protection authorities could impose General Data Protection Regulation (GDPR)–level fines of up to €20 million or 4% of global revenue (whichever is higher).

The EU Data Act, which applies from September 12, 2025, introduces significant changes impacting how data is managed and used within the European Union. Its overarching objectives are to facilitate access to and use of data by consumers and businesses (unlocking some of the value of data currently held in proprietary locked boxes). 

U.S. companies are likely to be affected in two key areas: (1) data service providers, including providers of cloud services and analytics platforms (covered in this alert); and (2) data generated by connected internet-of-things or other smart devices (covered in Part 2). 

Scope & Extraterritorial Effect 

The Data Act applies to “data processing services,” broadly defined as digital services enabling on-demand network access to a shared pool of computing resources (e.g., cloud services, data analytics platforms).

The Data Act has an extraterritorial effect. Providers are in scope even if they do not have an EU establishment, such as a subsidiary or branch, if they provide services to customers in the EU. Therefore, a U.S.-only provider which provides services to EU customers either directly or through a reseller would need to comply with the Data Act and would need to provide EU customers with the necessary tools — such as an application programming interface (API), a set of rules and specifications that allows different software systems to communicate and interact with each other, exchanging data and functionality — to allow their customers to download all their stored files in commonly used formats.

Data Portability & Interoperability

At its core, the Data Act aims to facilitate seamless switching between data processing services. The basic aims of Chapter VI (Switching Between Data Processing Services) of the Data Act are to allow customers of data processing services to switch from one data processing service to another while maintaining a minimum functionality of service and without downtime of services, or to use the services of several providers simultaneously, without undue obstacles and data transfer costs.

Removing Obstacles to Switching & Functional Equivalence 

As a result, providers cannot impose restrictions that inhibit customers from switching services to another provider or on-premises. The Data Act includes a list of mandatory contractual provisions (summarised below) in respect of service switching. Customers must be able to achieve “functional equivalence” in the transfer of data and must be able to re-establish (with another provider or in-house) a minimum level of functionality of the same service type after switching.

Businesses will therefore need to review their terms and conditions to assess what might be deemed undue obstacles to switching. Terms and conditions for cloud services are often relatively standardised, although compliance with standard (U.S.) market practice will not necessarily mean that the terms comply with the Data Act. Information about data portability should be included prominently in the terms and conditions and user guides. As the Data Act mandates much shorter switching times than would often be market standard, this is something that will need to be provided for European customers. Proactively providing notice and help with respect to switching may help create customer loyalty in the longer-term. 

The Scope of “Exportable Data” & Trade Secret Protection 

The Data Act defines “exportable data” broadly as data generated by the customer’s use of the service. The Data Act recognizes the need to protect the provider’s intellectual property and trade secrets and excludes “any assets or data of the provider of data processing services or a third party… that are protected by intellectual property rights or constituting trade secrets of that provider or of that third party, or data related to the integrity and security of the service, the export of which will expose the providers of data processing services to cybersecurity vulnerabilities”, provided that those exemptions do not impede or delay the switching process.

In addition to clearly defining the boundaries of “exportable data” in the terms and conditions, businesses will need to be transparent with customers and should clearly justify the exclusions in their terms and conditions and their explanatory materials. 

The Switching Process

The Data Act envisages a switching process driven by the customer, consisting of the following key steps: 

1. Data extraction, which refers to the downloading of the customer’s data from the ecosystem of the source provider of data processing services
2. Transformation, to the extent the data is not yet structured in a way that does match the structure of the target location 
3. The uploading of the data in the new target location

The Data Act sets out different levels of responsibilities for each of the participants at various steps in the supply chain:

1. The source provider of data processing services is responsible for extracting the data to a machine-readable format.
2. The customer and the destination provider of data processing services are responsible for uploading the data to the new environment unless the customer has procured specific transition services. 

Again, terms and conditions will need to be reviewed to understand the scope of the provider’s responsibilities. The Data Act does not make the source provider responsible for “rebuilding the service in question within the infrastructure of the destination provider”. Instead, the source provider of data processing services must take all reasonable measures within its power to facilitate the process of achieving functional equivalence by providing adequate information, documentation, technical support and, where appropriate, the necessary tools. 

Phased Elimination of Switching Charges

The Data Act sets out a timetable for phasing out of switching charges as follows:

1. During a transition period that runs from September 12, 2025, until January 12, 2027, data processing service providers can impose switching charges which are limited to the costs directly linked to the switching process.
2. From 12 January 2027 onwards, data processing service providers cannot impose any switching charges.

Providers should act quickly during the transition period to mitigate the impact of eliminating switching charges on revenue streams by re-engineering the switching process. As far as technically possible, customers should be provided with the tools to do the bulk of the migration work themselves. 

Contractual & Information Requirements

The Data Act mandates specific contractual terms, designed to protect customer rights, including the following:

• The right to switch: After providing a maximum of two months’ notice, customers may switch to a different data services provider.
• Switching options: The contract should set out the right to: (i) switch to a different provider; or (ii) switch to on-premises infrastructure.
• Data specification: An exhaustive specification of data and digital assets that can be ported. 
• Excluded data should be clearly defined to cover data related to the internal functioning of the provider’s services, which is subject to trade secret / IP protection (provided the exemptions do not impede or delay the switching process).
• Transition period should be no more than 30 calendar days starting with the end of the maximum two-month notice period. This phase can only be extended by the provider where the mandatory maximum transition period is technically unfeasible, which must be justified by the provider. 
• The customer’s right to extend the transition period, which can only be exercised once. 
• The provider’s duty to assist: Providers must give reasonable assistance during the transition, act with due care to maintain business continuity and provide a high security standard throughout the switch, and provide clear information about known risks to service continuity.
• Exit strategy support: Providers must provide support for the customer’s exit strategy relating to the services, including providing all relevant information. 
• A minimum data-retrieval period of at least 30 calendar days.

Providers will also need to be transparent about the switching process and, in addition to changing the contractual terms, they will need to review their customer-facing materials so that they include the mandatory information required by the Data Act, including the following: 

• Procedures for switching and porting, including information on available switching and porting methods and formats as well as known restrictions and technical limitations.
• An online register: Details of all the data structures and data formats as well as the relevant standards and open interoperability specifications, in which the exportable data is available.
• Pre-contract charging information, which must be provided to all prospective customers with clear information on the standard service fees and early-termination penalties.
• Measures in respect of governmental access: A general description of the technical, organisational and contractual measures implemented by the provider to prevent international governmental access to or transfer of nonpersonal data held in the EU, where such access would conflict with EU or member-state law. 

Criticisms From U.S. Industry Bodies

Critics of the Data Act’s switching provisions, including the U.S. Chamber of Commerce, argue that they impose disproportionate burdens on service providers, particularly U.S. companies, without a clear justification for the intervention. They argue that existing contractual arrangements and market dynamics already facilitate switching to a reasonable extent, and that the Data Act’s prescriptive rules will stifle innovation and competition in the cloud market. 

The prohibition on charging for switching costs (following the transition period) will, they argue, unfairly burden U.S. service providers due to their large global customer base, of which the EU market remains a key part. Similarly, the requirement for incumbent cloud providers to ensure that customers enjoy functional equivalence in the use of the new service after switching would, critics argue, encourage a race to the bottom towards homogenous commoditised services and would inhibit innovation by reducing the incentives for providers to offer new and differentiated services. 

Concerns have also been raised regarding the technical feasibility of the 30-day switching period, which could increase the risks of data loss during the switching process. Similarly, the fixed-term 30-day termination process (and the limitations on recovering switching costs) potentially disrupts providers’ well-established commercial and financial models, which may ultimately drive up costs rather than reduce them. 

Actions for U.S. Businesses 

Criticisms aside, U.S. service providers will need to prepare for the Data Act, given its extraterritorial scope. It will come into effect on September 12, 2025, and will require EU member states to designate appropriate regulators (most likely the data protection or competition regulators) and determine appropriate penalties. If noncompliance with the Data Act involves personal data (which will often be the case), data protection authorities could impose General Data Protection Regulation (GDPR)–level fines of up to €20 million or 4% of global revenue (whichever is higher). 

An action-step plan for U.S. service providers should include:

1. Assess your EU exposure: Determine the extent of your services to EU-based customers.
2. Form a cross-functional group: Involve legal, technical, product, commercial and marketing teams so that they can look at the issues in the round and respond to customer demands.
3. Conduct a data audit: Map your data flows and identify which data fall under “exportable data.” 
4. Review and update contracts: Ensure that all service agreements with EU customers comply with the Data Act. 
5. Update technical documentation: Make sure that technical documentation and user guides reflect the mandatory information requirements. 
6. Reconfigure systems: Review and assess data sharing tools, including developing and enhancing APIs, and prioritize investments in data migration tools, particularly given the limited availability to recover the costs of switching.