Tuesday, June 3, 2025
Who Owns IoT Data Under the EU Data Act?

When a connected device streams sensor readings to the cloud, who actually owns that information? Is it the manufacturer that built the hardware, the software vendor that hosts the telemetry pipeline, or the business (or household) that bought and uses the product? Until now the answer was fuzzy. The EU Data Act changes that. It does not award classic “property” rights over data, but it re-balances access and control in ways every IoT stakeholder needs to understand.
1. The Law in a Nutshell
The EU Data Act (Regulation (EU) 2023/2854) entered into force on 11 January 2024 and starts to apply on 12 September 2025, with some cloud-portability rules kicking in in 2027. It covers all raw or pre-processed data generated by a connected product or a related service placed on the EU market – not just personal data. digital-strategy.ec.europa.eu
2. Key Terms You Need to Know
- Connected product – any item that obtains, generates or collects data and can transmit it electronically (cars, machines, smart fridges, wearables, industrial sensors). eu-data-act.com
- User – the natural or legal person who lawfully possesses or rents that product; more than one user can exist for the same device (e.g. owner and renter). dlapiper.com
- Data holder – typically the manufacturer or service provider that has control over the data generated. digital-strategy.ec.europa.eu, iapp.org
These roles matter more than the philosophical idea of “ownership”: the Act grants concrete rights to users and imposes duties on data holders.
3. What Rights Do Users Get?
- Direct, real-time access. Products must be designed so users can fetch data themselves. If that isn’t technically possible, the data holder must provide it “without undue delay, free of charge, and in a usable format.” stephensonharwood.com
- Freedom to share. A user may instruct the data holder to transmit the data to any third party they choose – even a competitor of the manufacturer. hoganlovells.com
- Protection against “lock-in.” Data holders cannot charge the user for the mere act of receiving their own non-personal data, nor hide it behind unfair contract clauses.
4. What Obligations Do Data Holders Have?
- Enable access by design. New devices sold after September 2026 must ship with technical interfaces (APIs, dashboards, export tools) that expose user-generated data. stephensonharwood.com
- Contractual fairness. Any term that unilaterally restricts access, usage window, or sublicensing will be deemed unfair and unenforceable. data.europa.eu
- Respect user primacy. The data holder may not exploit non-personal data from the product without the user’s agreement. digital-strategy.ec.europa.eu
- Safeguard trade secrets. The Act lets data holders redact or aggregate data only when truly necessary to protect legitimate IP – a narrow defense, not a blanket exception. memfault.com
- Impose usage limits on third parties. Third-party recipients may not use the data to develop a copy-cat product or mine sensitive business insights about the manufacturer. The data holder may police this via contracts.
5. So… Who Owns the Data?
Legally, the Act sidesteps “ownership” and speaks instead of access and usage rights. Think of it this way:
- The user becomes a co-generator of the data and therefore gains a primary right of access and sharing.
- The data holder retains the infrastructure, bears security duties, and may still monetise the data only with user consent.
In practice, control is shared: users hold the key to distribution, while holders remain stewards of the pipeline.
6. Practical Headaches Ahead
- Mapping which data is “in scope”. Telemetry flows, error logs, derived analytics – are they all covered?
- Redesigning firmware, APIs and cloud pipelines to deliver “same-quality” data exports.
- Re-papering contracts with dealers, fleet owners, renters and third-party service firms.
- Balancing IP protection with the Act’s very limited grounds for refusal.
Early-stage work matters: by 2026, design changes must already be on the production line.
7. How Intrusti Makes This Simple
Intrusti was built around the Data Act’s articles from day one:
- Data Atlas™ auto-discovers IoT streams and tags them with user rights and holder obligations.
- Secure Access Gateway delivers real-time APIs plus immutable audit trails, so you satisfy Article 4 without rebuilding your backend.
- Contract Builder flags unfair clauses and swaps in Act-compliant language in minutes.
- Trade-Secret Guardrails apply field-level redaction rules so you can share just enough data while defending your IP.
Instead of scrambling for ad-hoc fixes, companies leverage Intrusti to bake compliance into their products, win customer trust, and even launch new data-sharing services confidently.
Takeaway
In the EU’s new regime, data from connected products no longer belongs to whoever captures it first. Control is shared, obligations are clear, and the user’s voice is front-and-centre. Preparing now is cheaper than retrofitting later.
Ready to see how Intrusti can make Data Act compliance your competitive edge? Join our Alpha or book a discovery call — we’re listening.