Who owns the data your rental cars generate? The EU Data Act, and what changes on 12 September 2026

The EU Data Act changes who can access a connected car's data from 12 September 2026. What it means for rental fleets across Europe — and who is the "user".

Modern cars are rolling sensor networks. A single connected vehicle knows its location, speed, mileage, battery or fuel level, tyre pressure, error codes and a hundred other things — and for years almost all of that flowed straight back to the manufacturer, who decided who else, if anyone, could see it. The EU Data Act sets out to change that. For a rental company, the change is not abstract: it touches who can read your fleet's data, what you can do with it, and what you have to put in your rental contracts.

There is a lot of loose commentary about this regulation, including the claim that "the Data Act starts in September 2026." That is not quite right, and the difference matters. So I have stuck to the regulation itself and to the law firms and specialists that read it closely; every date and definition below is referenced at the end. Where a point is one commentator's reading rather than settled black-letter law, I say so — because on the rental question in particular, the interpretation is still moving.

In brief

  • The EU Data Act (Regulation (EU) 2023/2854) entered into force on 11 January 2024 and has applied since 12 September 2025. It is a regulation, so it applies directly in all 27 member states — no national transposition needed.
  • The date that matters for vehicles is 12 September 2026: from then, the "access by design" obligation (Article 3) applies to connected products placed on the market after that date. New cars will have to be built so their data is accessible to the user by default.
  • The Act makes the data holder (the carmaker) give the user — and any third party the user designates — access to the data the vehicle generates, in a structured, machine-readable format, and free of charge for the user.
  • For a rental fleet, the live question is who counts as the "user." On a long-term lease, the lessee or fleet is the user. In short-term rental, specialist commentary reads the rental company as the user, with the renter gaining data rights only if the contract says so.
  • In scope: raw and pre-processed data from the vehicle — speed, location, mileage, battery charge, tyre pressure, fuel use, error codes, trip data. Out of scope: inferred or derived data and proprietary algorithms.
  • Sharing data with a business third party runs on FRAND terms and can carry reasonable compensation (Article 9); the user's own access is free.
  • The GDPR still governs personal data. A renter is usually an individual, so location and trip data are personal data. The Data Act is not a licence to harvest it.
  • This is an explainer, not legal advice. The European Commission is still finalising guidance on several points (trade secrets, compensation).

What the Data Act is — and the dates that matter

The Data Act is Regulation (EU) 2023/2854, "on harmonised rules on fair access to and use of data." Its aim, in the European Commission's words, is to give users rights over the data their connected devices generate while protecting personal data. It covers Internet-of-Things products broadly — from smart appliances to industrial machinery — and connected vehicles are one of the clearest cases.

Four dates are worth pinning down, because the loose version ("it starts in 2026") gets them wrong:

DateWhat happens
11 January 2024The regulation enters into force.
12 September 2025Most obligations apply, including the user's right to access data and have it shared with a third party.
12 September 2026Article 3 ("access by design") applies to connected products placed on the market after this date — new vehicles must be built so data is accessible by default.
12 January 2027Charges for switching cloud providers are phased out and ultimately prohibited.

So the right to access vehicle data already exists today, for vehicles on the road now. What 12 September 2026 adds is a forward-looking design duty: cars sold after that date have to make the data readily available from the outset, rather than leaving owners and third parties to negotiate access after the fact. (A further transition, on 12 September 2027, extends certain rules to some contracts concluded before September 2025.)

Why connected cars are the test case

Three roles sit at the centre of the regulation. The data holder is the party that controls the data — for a car, that is the manufacturer (OEM). The user is whoever owns the connected product or holds temporary rights to use it — an owner or a lessee — plus the third parties they authorise. A data recipient is a business the user picks to receive the data.

The mechanism is simple to state. The user can get the data the vehicle generates, and can tell the data holder to pass that data to a third party of the user's choosing. For the user, that access is free. For a business recipient, the data holder may charge reasonable compensation and must offer access on fair, reasonable and non-discriminatory (FRAND) terms (Article 9).

What data are we talking about? According to specialist guidance on the automotive sector, the in-scope product data is the raw and pre-processed signal the vehicle actually produces: sensor readings such as wheel speed, tyre and brake pressure, engine metrics, vehicle speed, GNSS location, fuel consumption, battery charge, status indicators and malfunction codes, plus trip and maintenance records. The rule of thumb the guidance offers is blunt: if the data describes a real-world event captured by the vehicle's sensors or systems, it is probably in scope. Related-service data — from things like remote lock/unlock, EV-charging management, predictive maintenance or dynamic routing — is covered too.

What is not covered is just as important: information the manufacturer has inferred or derived to create something genuinely new (predictions, insights stitched together from several sources), and proprietary algorithms or source code. The Act opens up the raw material, not the carmaker's secret recipes.

The question every rental operator should ask: who is the "user"?

This is where a rental business needs to read carefully, because the whole thing turns on a single label.

The regulation's own definition of "user" covers both the owner of a connected product and a person to whom temporary rights to use it have been contractually transferred. A lessee, in other words, can be a user. That is clear enough for a long lease. It gets more delicate for a counter rental of three days.

Here the most-cited specialist reading (from the fleet-data analysis by Transconnect, an industry source rather than the Commission) draws a line:

  • Short-term rental. The rental company is treated as the formal user of the vehicle and is therefore responsible for the product data. The renter only gains rights over that data if the rental contract grants them.
  • Long-term rental or operational lease. The fleet operator or driver is the actual user, and can request the vehicle's data and share it with third parties.

The common thread is that the contract decides. Access for a temporary user is not automatic; it is whatever the rental agreement spells out. That cuts two ways for an operator. It means your standard terms now carry weight they did not before — they determine who may pull data from a car you put on the road. And it means a gap in those terms is a decision by default, not a neutral silence.

I will flag this honestly: the short-term-versus-long-term split is a reasonable, widely repeated interpretation, not a line the regulation draws in those words, and the Commission's guidance is still maturing. Treat it as the current best reading, and check your own contracts with a lawyer rather than taking a blog's word for it — including this one.

What it actually unlocks for a rental fleet

Strip away the legalese and the upside for a fleet is concrete: you stop being locked into whatever data window your vehicles' manufacturers feel like offering.

A mixed fleet usually means several brands, each with its own portal, its own format, its own telematics walled garden. Specialist guidance notes that under the Data Act a fleet operator can ask for vehicle data in a standardised, machine-readable format and, in effect, consolidate data from different OEM systems into a single fleet-management interface instead of juggling one login per marque. The same access right lets you bring a third party of your choosing into the loop — an independent maintenance provider, an insurer, a leasing partner — rather than only those the carmaker has blessed. Predictive maintenance, accurate mileage and battery-health records, smoother handovers between rentals: all of it gets easier when the underlying data is portable and yours to direct.

Two caveats keep this honest. Your own access is free, but routing data to a business partner can carry reasonable, FRAND-based compensation to the data holder. And "machine-readable, in a timely manner" is the standard — the guidance does not mandate strict real-time feeds, only timeliness equivalent to what the manufacturer uses internally.

The catches: trade secrets, derived data, and — above all — the GDPR

No regulation is a free-for-all, and three limits deserve attention.

First, trade secrets. A manufacturer can withhold or condition data where genuine trade secrets are at stake, and in exceptional cases can refuse where disclosure would cause severe and irreversible economic harm. Proprietary algorithms stay off-limits. The Commission has said it will issue guidance on how these protections — and how "reasonable compensation" under Article 9 — should work in practice, so expect detail to firm up.

Second, derived data. As above, anything the OEM has computed into genuinely new information is outside the access right. You can get the sensor readings; you cannot demand the manufacturer's predictive model built on top of them.

Third, and most relevant to a rental operator: the GDPR still rules personal data, and the Data Act does not change that. This is the point I would underline twice. A short-term renter is almost always a natural person, which makes a car's location history, trip records and driving data personal data. The Data Act gives you a route to vehicle data; it does not hand you a lawful basis to collect or keep a customer's movements. Even a person who is not the "user" keeps their GDPR rights over their own personal data. In plain terms: being able to access the data is not the same as being allowed to process it. For anything touching a renter's personal data, the GDPR's familiar discipline applies — a clear purpose, transparency, data minimisation, a limited retention period, restricted access — with fines reaching €20 million or 4% of worldwide annual turnover for getting it wrong.

A short checklist before 12 September 2026

You do not need a compliance project to get ahead of this. A handful of questions covers most of it:

  • Read your rental and lease contracts through the "who is the user?" lens. Decide, deliberately, what data rights the renter or lessee has — and write it down.
  • Update your rental terms and privacy notice so customers know what vehicle data exists, who can access it, and how any personal data is handled under the GDPR.
  • Map your fleet's data access today, brand by brand, so you know where the Data Act will help you escape a walled garden.
  • Decide which third parties (maintainers, insurers, leasing partners) you may want to route data to, and remember a business recipient can be charged FRAND compensation.
  • Keep personal data and vehicle data separate in your head. The Act is about access to the vehicle's data; the GDPR governs the person behind the wheel.

Where PASS2RENT helps — and where it stops

The hard part of all this is rarely the principle; it is having your fleet's data in one place, in a usable shape, so that exercising these rights is practical rather than theoretical. That is the kind of job a management console is built for. The PASS2RENT admin console keeps the fleet, the contracts and their durations together, while embedded telematics report each vehicle's position and status — exactly the data the Data Act is designed to make portable, brought into one interface instead of one portal per manufacturer.

Let me be precise about the boundary, because I would rather under-claim than over-claim: PASS2RENT is fleet- and rental-management software. It is not a law firm, a data-protection authority, or a compliance certifier. It can help you centralise and structure vehicle data and run privacy-respecting telematics; it cannot tell you how the Data Act applies to your specific contracts, and it does not replace legal advice or your own GDPR responsibilities as the operator. And in keeping with our usual line, we do not name the telematics hardware behind it.

The bottom line

The Data Act quietly rewires who controls the data a car produces, and it does so across the whole EU at once. The headline date for vehicles is 12 September 2026, when new cars must be built to share their data by design — but the access rights are already live, and the work for a rental business is mostly contractual and organisational: decide who the "user" is in your agreements, get your fleet data into one place, and keep the GDPR firmly in front of any temptation to treat a customer's movements as just more telematics. Done well, a regulation that looks like a compliance chore turns into leverage — less lock-in, more choice of partners, and a cleaner view of your own fleet.

Want to see how to keep your fleet, telematics and contracts in one place? Book a PASS2RENT demo.

FAQ

Does the EU Data Act start on 12 September 2026?

Not exactly. The Data Act (Regulation (EU) 2023/2854) entered into force on 11 January 2024 and has applied since 12 September 2025, including the user's right to access vehicle data. What happens on 12 September 2026 is narrower: the "access by design" obligation in Article 3 applies to connected products placed on the market after that date, so new vehicles must be built to make their data accessible by default.

Who is the "user" of a rented car under the Data Act?

The regulation defines a user as the owner of the connected product or someone with contractually transferred temporary rights to use it. In practice, specialist commentary reads a long-term lessee or fleet operator as the user, while in short-term rental the rental company is treated as the user — and the renter gains data rights only if the rental contract grants them. The contract is decisive; this allocation is an interpretation, and EU guidance is still developing.

What vehicle data must a carmaker share?

The raw and pre-processed data the vehicle generates: sensor readings (speed, tyre pressure, location), mileage, battery charge or fuel level, status and error codes, trip and maintenance records, and related-service data. It must be provided in a structured, machine-readable format, free of charge to the user. Inferred or derived data and proprietary algorithms are excluded.

Can I track or keep my renters' location data because of the Data Act?

No. The Data Act governs access to the vehicle's data; it does not override the GDPR, which still governs personal data. A renter's location and trip data are personal data, so you need a lawful basis, a clear purpose, transparency and a limited retention period. Access under the Data Act is not permission to process personal data under the GDPR.

Is vehicle data free under the Data Act?

For the user, yes — direct access is free. If the user asks the data holder to share data with a business third party, the data holder may charge reasonable compensation on fair, reasonable and non-discriminatory (FRAND) terms (Article 9). The Commission has said it will publish guidance on how to calculate this.

Does this apply outside France, across the whole EU?

Yes. The Data Act is an EU regulation, directly applicable in all 27 member states without national transposition, so the same rules reach rental fleets everywhere in the Union.

The answers above rely on the same sources as the rest of the article (see below).

Sources

Official / EU sources

Law firm / specialist sources

Industry source (interpretation — read as commentary, not settled law)

Dates and provisions verified in June 2026 and cross-checked across more than one source (notably entry into force on 11 January 2024, application from 12 September 2025, and the Article 3 "access by design" obligation from 12 September 2026, confirmed by the European Commission together with the specialist sources above). Points attributed to industry sources are flagged as interpretation. This article is for information only; it is not legal advice. The application of the Data Act to your specific contracts, and your GDPR obligations, should be confirmed with a qualified professional and against the latest official guidance.

P2R

PASS2RENT Team

Our team of experts shares insights, tips, and best practices to help you succeed in the car rental industry. Stay tuned for more valuable content!

Topics:Car RentalBusiness
Share:

Want to read more?

Explore more articles from this category and stay updated with the latest insights.

View More Articles