SaaS Agreements – New EU and UK Data Laws

Below is a summary of the EU Artificial Intelligence Act, the EU Data Act and the UK Data Use and Access Act that will impact SaaS suppliers and SaaS customers in 2025. These laws will apply extra-territorially, meaning the laws apply even when a SaaS supplier is not located in the UK or the EU (respectively). It is important to be aware of these new laws in order to assess whether or not they apply to your particular SaaS business, products and services.

The EU Artificial Intelligence Act (EU AI Act)

The EU AI Act applies to AI systems and AI models and categorises AI systems into different risk categories.

The four risk categories are:

  • Unacceptable risk systems – prohibited since the 2nd of February 2025 e.g. social scoring, crime prediction systems;
  • High Risk systems – subject to onerous requirements since August 2025 e.g. medical devices, education and recruitment systems;
  • Limited Risk systems – subject to transparency requirements from the 2nd of August 2026 e.g. GPAI systems; and
  • Minimal Risk systems – which are subject to some general requirements.

The provisions of the EU AI Act come into effect in phases, based upon the risk category of the AI system.

The EU AI Act applies to:

  • Providers who place AI systems on the market or put AI systems into service, or who place general purpose AI models (GPAI) on the market in the EU, irrespective of where the provider is established or located;
  • Deployers of AI systems that are established or located within the EU;
  • Providers or deployers of AI systems that are established or located outside the EU, where output produced by the AI system is used in the EU;
  • Product manufacturers who place on the market or put into service an AI system together with their product, under their own name or trademark in the EU;
  • Authorised representatives of a provider not established in the EU; and
  • Affected persons located in the EU.

The European Commission has published Guidelines on prohibited artificial intelligence (AI) practices and Guidelines determining if a software system is an AI System to assist providers, deployers and other relevant persons in determining how the AI Act applies to them.

Breaches of the EU AI Act can result in fines of:

  • 35m Euros or 7% of annual global turnover for prohibited AI systems, whichever is higher;
  • 15m Euros or 3% of annual global turnover for general purpose AI (GPAI) systems, whichever is higher.

Each Member State must designate national competent authorities responsible for implementing the AI Act and conducting market surveillance.

The AI Act applies extra-territorially.

Non-EU entities subject to the AI Act who provide GPAI systems must appoint an EU Representative.

The EU Data Act (Data Act)

The Data Act came into force on the 12th of September 2025.

The Data Act creates rights for individuals and businesses to access the personal and non-personal data produced through their use of smart objects, machines and connected devices. Users of connected devices have the right to access and share data they generate with third parties.

The Data Act also imposes business-to-business (B2B) and business-to-consumer (B2C) data sharing obligations on SaaS suppliers to enable easy cloud service switching. SaaS suppliers cannot impose, and must remove, pre-commercial, commercial, technical, contractual and other barriers that inhibit customers from terminating contracts, porting data and digital assets, and (where technically feasible) unbundling infrastructure services from other types of data processing services.

The Data Act sets out clear rules and standards for ensuring interoperability across key sectors.

The Data Act impacts data holders, manufacturers of connected products or related services, users, data recipients and third parties and data processing providers globally.

Users and data recipients (who can be consumers or businesses) must be located in the EU for the Data Act to apply.

Switching Provisions

SaaS suppliers must now include mandatory contractual provisions in their SaaS agreements with customers to enable easy switching to a new SaaS provider. For example:

  • The customer’s right to terminate the SaaS agreement at any time on giving no more than 2 months’ notice;
  • A clear exit strategy;
  • Clear cloud provider switching obligations;
  • Completion of data export within 30 days of termination;
  • Guaranteed deletion of exported data after 30 days;
  • All switching services provided free of charge from January 2027;
  • Data portability in standard formats, for example ISO/IEC 19941:2017;
  • Published security provisions; and
  • Promotion of interoperability.

The only exemptions to the above contractual provisions apply to services that are individually created specifically for a customer or services that are provided for testing purposes i.e. Beta services.

Each Member State must appoint competent authorities to ensure compliance with the provisions of the Data Act and those authorities will set penalties for non-compliance which should be effective, proportionate, and dissuasive. This means that each EU Member State will impose different levels of fines for breaches.

Internet of Things (IoT) Provisions

Where SaaS providers use connected products to provide their services (e.g. connected cars, medical devices, smart home devices) and related services (e.g. apps that control these products), users of those services have the right to access the data generated by their use of the products and services.

  • Data holders must allow direct or indirect access to such data;
  • Users may instruct a data holder to make data available to a third party i.e. another service provider, for which a reasonable fee can usually be charged;
  • Third parties are prohibited from using the data to create directly competing products; and
  • Trade secrets of data holders can be protected.

Non-compliance can result in fines of up to 4% of annual global turnover or 20m Euros, whichever is higher.

The Data Act applies extra-territorially.

Non-EU entities subject to the Data Act must appoint an EU Representative.

The UK Data Use and Access Act 2025 (DUAA)

The provisions of the DUAA are being brought into force in stages.

The changes made to date amend the UK Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR) as set out below.

PECR changes and Data Protection Law changes now in effect

The definitions of “call” and “communication” in PECR now include all calls made and all communications transmitted, irrespective of whether they reach their intended recipient.

  • This is relevant for PECR direct marketing rules, as now an infringement of PECR can occur even if the call or communication did not reach the intended recipient; and
  • This will increase the level of the fine imposed.

Consent under PECR is no longer required (in relation to UK data only) to:

  • Set cookies or use similar technologies to collect statistical information about how an organisation’s online services are used, with the aim of improving those services;
  • Permit charities to send marketing materials for fundraising or to promote their charitable work to UK-located individuals who have previously expressed an interest in their charitable purposes.

For more details on the changes, see the factsheets on the Data (Use and Access) Act 2025 that the UK Government has published and will continue to publish.

PECR fines are now aligned with the Data Protection Act 2018 and UK GDPR fines, and can be imposed up to 17.5 million GBP.

Future changes

The majority of the changes made to UK Data Protection Law by the DUAA are not yet in effect and will be brought into effect by secondary legislation by the UK Government. The future changes will cover:

  • DSAR response protocols;
  • New rules on the use of automated decision making (ADM);
  • Exemptions from the need for consent when using personal data for scientific research;
  • Creating a definition of “recognised legitimate interests” – which disposes of the need to carry out a legitimate interest assessment where the processing is carried out for a recognised legitimate interest;
  • Changes to the purpose limitation and clarification of what “further processing” means;
  • Changes to the rules on UK data exports to new third countries;
  • Changes to complaints handling procedures; and
  • Changes to the role of the ICO.

In light of the above changes to UK data protection law, the European Commission has only extended the current UK adequacy decision for international data transfers to the 31st of December 2025 – to allow the EC to assess the impact of DUAA on data transfers.

Actions to Take Now

There are many new EU and UK laws that are now in force, are coming into force in stages, or will come into force in the next 18 months, and that could affect SaaS suppliers.

After considering the above summary, SaaS suppliers need to consider which of the above laws do, could, or may apply to the products and services they supply or the sectors in which their business operates. This will depend upon numerous different factors for each law, such as:

  • The location of the SaaS supplier;
  • The location of customers, suppliers, data holders;
  • Whether services are provided B2B or B2C;
  • The global turnover of the SaaS supplier;
  • The sector in which the SaaS supplier operates;
  • The types of services being provided by the SaaS supplier;
  • The sector in which the SaaS customer operates;
  • Whether or not IoT services are provided; and
  • The specific EU country in which the SaaS supplier, its customers or the services are being made available.

Each of the above laws will need to be assessed separately to determine if, and how, they apply. SaaS suppliers need to take action now to ensure their compliance with the above laws, as there are no grace periods for non-compliance and SaaS customers may start to try to exercise their statutory termination rights, switching rights and rights to data.

Irene Bodle is an IT lawyer specialising in SaaS agreements, GDPR and cloud computing with over 15 years’ experience in the IT sector. If you require assistance with any SaaS or cloud computing contracts, GDPR or any other IT legal issues, please contact me:

irene.bodle@bodlelaw.com

www.bodlelaw.com
