Data Access for AI Systems

Data access rules as the backbone of AI

The use of artificial intelligence (AI) is already bringing about fundamental changes. The backbone for the development of these systems is large amounts of data needed to train AI models and derive “intelligence” from them. However, the full potential of the immense volume of data that is generated on a global scale, often remains unused due to issues involving data rights and data access.

Recent legislative initiatives by the EU seek to remove legal barriers for tapping into the potential of data. With the AI Act, the EU was the first major economy in the world to create a standardised legal framework for the safe and ethically justifiable use and handling of AI. The EU’s data strategy also aims to lay the foundations for the use of (machine) data. The Data Governance Act establishes structures that enable the voluntary exchange of data and the Data Act aims to better utilise the economic potential of the growing volume of data and promote a competitive data market.

One of the central provisions of the Data Act is the promotion of data access and the partly mandatory transfer of data from companies to consumers (B2C) and between companies (B2B). Users of networked products (“IoT devices”), businesses and consumers alike, can request the data owner to provide data generated through the use of such devices, including to third-party recipients. This will make it easier for small and medium-sized enterprises (SMEs) to access data that was previously mostly controlled by larger companies as data controllers. Improved data portability will also enable new, data-driven business models to be developed, which in turn will support the development and use of AI systems.

AI models are of great importance for IoT devices, as they can significantly expand their functionalities through data analyses and automation. For example, chatbots often use AI models to make conversations with users more intuitive. In principle, the obligation to provide data in this case also includes data generated by the AI model that would have to be provided to the user or a third party. However, the Data Act restricts disclosure obligations in accordance with the data protection law, intellectual property rights and trade secrets. Defining what and how much of it may be shared, will be one of the challenges at the intersection between AI models, the Data Act and IP rights.

In addition, data owners will now only be allowed to process or use certain product data and associated service data on the basis of a contractual agreement with the user. The de facto data ownership of the data owner that has often been practiced to date will be replaced by data license agreements with users. Other types of data use – including for the training of AI – will be inadmissible. Clauses on data access and data use will be subject to abuse controls under the Data Act.

Companies must therefore adapt their applications and data management systems to the requirements of the Data Act by 12 September 2025. This includes technical adjustments to ensure data access (“access-by-design”) and data interoperability, as well as the implementation of transparency obligations. If processing also involves personal data, companies must comply with the requirements of the General Data Protection Regulation (GDPR). Non-compliance may entail fines of up to EUR 20 million or 4 per cent of annual global turnover under the Data Act, similar to the data protection law.