The EU Data Act's Unfair Terms Rules – A Practical Overview

What You Need to Know

• The EU Data Act (Regulation (EU) 2023/2854) introduces a new, horizontal regime governing unfair terms in business-to-business contracts that address access to and use of data, or liability and remedies for breach or termination of data-related obligations.
• This regime applies across sectors and contract types, even where data is not the principal subject of the agreement. It requires organisations to review and adapt standard terms, templates and legacy agreements to ensure compliance and preserve enforceability of key provisions.

Scope: Unilaterally Imposed Terms

The unfair terms provisions apply to unilaterally imposed terms in B2B contracts that regulate data access and use, or data-related liability and remedies.

"Unilaterally imposed" refers to take‑it‑or‑leave‑it terms where the counterparty had no real opportunity to negotiate. Clauses that are meaningfully negotiated or amended are not considered unilaterally imposed.

The mere use of standard terms or boilerplate templates does not, by itself, render a clause unilaterally imposed; the question is whether meaningful negotiation was genuinely available.

Cross‑Sector Reach of the Data Act

The regime is horizontal and captures a wide array of contracts and industries, including agreements where data provisions are embedded within broader commercial terms.

Examples include data provisions in contracts relating to the sale of a connected product, logistics, advertising, loans, investment consulting, management advice and cloud computing services.

In practice, this means that even if a contract is mainly about something else, if it includes sections about data access and use, those sections must comply with the Data Act's fairness rules. General liability or remedies clauses also fall in scope insofar as they relate to data obligations.

What Counts as Unfair: Blacklist and Greylist

A unilaterally imposed term is unfair where it grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing. The Data Act sets out two categories.

Blacklist – Automatically unfair and void. These include clauses that:

• exclude or limit liability for intentional acts or gross negligence;
• exclude the other party's remedies for non‑performance or exclude liability for breach of data‑related obligations; or
• grant the imposing party exclusive rights to interpret contractual terms or determine data conformity.

Greylist – Presumed unfair unless justified. These include clauses that:

• inappropriately limit remedies or liability;
• allow the imposing party to access or use the counterparty's data in a manner significantly detrimental to the latter's legitimate interests, particularly where data are commercially sensitive or protected by trade secrets or IP;
• prevent reasonable use, access, retention or exploitation of data contributed or generated during the contract;
• restrict termination by the counterparty on reasonable notice;
• prevent obtaining a copy of data during or after the contract;
• enable the imposing party to terminate at unreasonably short notice without serious grounds; or
• enable unilateral changes to price or other substantive conditions without valid reason or without a termination right for the counterparty.

For contracts of indeterminate duration, unilateral change rights are permissible only if a valid reason is specified, reasonable notice is given, and the counterparty can terminate at no cost.

Interaction with Other Frameworks

The unfair terms regime sits alongside the Data Act's broader framework. It complements the Act's data access and sharing obligations for connected products and related services, which must be offered on fair, reasonable, non‑discriminatory, and transparent terms.

It also aligns with the Act's new switching framework, which aims to facilitate migration between data processing service providers and unlock the EU cloud market.

An expert group on B2B data sharing and cloud computing contracts has developed model contractual terms for data sharing and standard contractual clauses for cloud computing. Although not legally binding, once finalised by the European Commission they will serve as useful benchmarks for drafting and for aligning compliance approaches.

The regime also coexists with the GDPR, which continues to govern the processing of personal data and requires a lawful basis together with appropriate safeguards.

Enforcement and Dispute Considerations

Unfair terms are non‑binding on the counterparty, and where severable, their invalidity will not affect the rest of the agreement. Disputes may be brought before designated bodies or national courts.

When the Rules Apply

As of 12 September 2025, unilaterally imposed unfair terms falling within the blacklist are void, and grey‑listed terms are presumed unfair unless the imposing party can justify them in light of good faith, fair dealing, and good commercial practice.

From 12 September 2027, the Act will also apply to contracts concluded on or before 12 September 2025 if they are of indefinite duration or set to expire at least ten years from 11 January 2024.

Unfair terms are not binding on the party upon whom they were unilaterally imposed; severable unfair terms do not affect the remainder of the contract.

Practical Compliance Steps

Organisations should take a structured approach to compliance with the Act's rules on unfair terms from both sides of the table – as data holders granting access and as recipients negotiating for access. Priority actions include:

• mapping contract portfolios to find clauses on data access, use, liability, and termination; and
• updating standard terms and playbooks to remove blacklisted language and address grey‑listed terms.

Commission model terms can serve as a reference point for fair drafting.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.