The EU Data Act - Whats, Whens, What Nows

Author(s): Devon Sparks

Peer Reviewers: Juergen Kesper, Jared Bloch, Katherine Allen, the Field to Cloud team

Last Reviewed: August 2024

Adopted by the European Parliament in December 2023, the EU Data Act

“…gives users of connected products (businesses or individuals that own, lease or rent such a product) greater control over the data they generate, while maintaining incentives for those who invest in data technologies. In addition, it lays down general conditions for situations where a business has a legal obligation to share data with another business.” — The Data Act Explained

In practice, “connected products” are field devices and software that sense their usage and environment (e.g., a Total Station, GNSS receiver, or vehicle telematics system). The EU Data Act ensures that European Union customers have “reasonable” access to the unprocessed data they generate when using these devices. It specifically covers connected product data that a manufacturer or data holder (e.g., Trimble) may have access to but a device owner does not.

Scope of the EU Data Act

As a supplier of field devices to EU customers, and a “data holder” for the same, Trimble is under obligation to comply with the EU Data Act.

The Data Act is in many ways aligned with Trimble’s move towards open and accessible data by way of our data, API, and Field to Cloud strategies.

“Connected products shall be designed and manufactured, and related services shall be designed and provided, in such a manner that product data and related service data, including the relevant metadata necessary to interpret and use those data, are, by default, easily, securely, free of charge [i.e., at no additional cost to the customer], in a comprehensive, structured, commonly used and machine-readable format, and, where relevant and technically feasible, directly accessible to the user.” — Data Act, Chapter II, Article 3

By ensuring our field devices consistently share the unprocessed datasets they generate to our cloud, and making sure these datasets are available to our customers via API, we’re already fulfilling the essence of the EU Data Act.

The EU Data Act goes into effect September 12, 2025. Trimble’s tack to address compliance is to remain laser-focused on executing our data, API, and Field to Cloud strategies, recognizing that the Data Act’s requirements are use cases of broader data plays. All applicable teams are advised to:

  • Consistently share raw connected product (“device”) data to Trimble cloud services and products. Conformance with the Trimble Field to Cloud Standard can help here.

  • Ensure connected product (“device”) data shared with Trimble cloud services and products carries its metadata, including enterprise account ID, device ID, and timestamp. Service and product conformance with the Trimble API Standard can help here.

  • Make these capabilities available to all customers, not just those in the EU. This avoids case analysis and is done in anticipation of “copycat laws” by other jurisdictions.

  • Consider the investment-value tradeoff of the centralized collation of raw device datasets (e.g., in File Service) and the development of a monetized Google Takeout-like Platform capability.

Want to learn more?

  • See the complementary presentation to this white paper, which includes additional detail and quotes about the Data Act’s scope: EU Data Act - Crash Course

  • Review The Data Act Explained, a comprehensive overview of the legislation, intended for general audiences.

  • See how the EU Data Act relates to other EU cyber regulations in EU Cyber Regulations Compared

  • Read the regulation text itself, especially Chapters I, II, and III.

  • For further questions on the EU Data Act, reach out to eu-data-act-ug@trimble.com, which includes representation from Trimble Legal and the Office of Data Protection.

Frequently Asked Questions

Does the EU Data Act introduce or require use of a certification mark for Trimble devices?

No. The EU Data Act has no clause requiring manufacturers of “connected devices” to procure and use a specific certification mark. Instead, manufacturers and data holders must, as part of terms and conditions, document for all connected products:

  • the type, format and estimated volume of product data which the connected product is capable of generating;

  • whether the connected product is capable of generating data continuously and in real-time;

  • whether the connected product is capable of storing data on-device or on a remote server, including, where applicable, the intended duration of retention;

  • how the user may access, retrieve or, where relevant, erase the data, including the technical means to do so, as well as their terms of use and quality of service.

See Chapter II, Article III for full details.

How is the EU Data Act enforced?

Similar to GDPR, the EU Data Act delegates all enforcement of the regulation to EU member states. An EU member state designates one or more “competent authorities” to “assist entities within the scope of the Act…on all matters related to its application and enforcement”. Individuals and businesses may then lodge complaints with their respective competent authorities to investigate any claimed infringement of the Act’s regulation. The details of such enforcement procedures are covered in depth in Chapter IX.

How is Trimble’s IP protected when the EU Data Act goes into effect?

The EU Data Act includes specific provisions that constrain applicable data and its use. Specifically:

  • Data that is not designated to be accessed and not readily available is out of scope (see ‘product data’ definition, Chapter I, Article 2).

  • The data cannot be used to create competitive offerings and services.

  • Trade secrets need to be protected by data recipients.

The EU Data Act also includes dedicated clauses for arbitration should any of these conditions be violated.

Given that Trimble is both a manufacturer of connected products and a “data holder”, which role is more important for us to pay attention to?

Neither role is more important or relevant than the other. For example, while it might seem like Trimble should focus on its role as a “data holder” of connected product data, we should also be thinking about the EU Data Act when we design our connected field devices.

“In many sectors, manufacturers are able to determine, through their control of the technical design of the connected products or related services, what data are generated and how they can be accessed, despite having no legal right to those data. It is therefore necessary to ensure that connected products are designed and manufactured, and related services are designed and provided, in such a manner that product data and related service data, including the relevant metadata necessary to interpret and use those data, including for the purpose of retrieving, using or sharing them, are always easily and securely accessible to a user, free of charge, in a comprehensive, structured, commonly used and machine-readable format.” — EU Data Act, Preamble, Clause 20

The Data Act says something about connected product data being provided “free of charge”. Does this mean we cannot charge for data access or monetize APIs around connected products?

No. The EU Data Act specifically covers connected product data that a manufacturer or data holder may have access to but the device owner does not. “Free of charge” means that (after January 2027 for EU customers only) we cannot impose additional charges to provide connected product data that we have in our possession but that is not directly accessible to the connected product user. Unprocessed data directly accessible to the user (e.g., via API) is out of scope of the EU Data Act, and we can charge for this access. The more unprocessed connected product data we make directly available to users, the less we need to worry about EU Data Act edge cases.

Who can request connected product and related service data?

“User” is our customer (businesses or individuals that own, lease or rent such a product), not the actual end user (i.e., a TID User). In practice, this means Trimble Account Owners.

Users, as well as third parties acting on behalf of the user, are entitled to request access to the relevant data. In addition, the Data Act provides specific rules for situations where a third party is entitled to access certain data – however, the Data Act does not create additional obligations to share data with third parties (with the exception of Government entities).

Can users request their connected product and related service data at any time or just at the end of the contract?

Users (customers) can request their connected product and related service data at any time.

How long must we retain this “raw and unprocessed” data?

The simple answer is: as long as we plan to have the data.

One of the obligations under the Data Act is to inform the user, before the contract is concluded, about what data will be generated. In this context we would need to inform the user how long the data is kept. Data retention is determined as follows: we would determine a purpose for which the data is processed, and once that purpose is achieved we would delete the data. For example, if a device has limited storage and data is overwritten whenever the storage is full, that would dictate the retention period. Data generated for real-time insights can have a short retention period and be deleted very quickly.