EU Data Act: Auditing My Smart Devices (Part 1)

Benjamin Schürmann
Solutions Architect and Deputy Head of Materna's IoT Competence Center.
Project Brief
Objective: Audit personal IoT devices to see if manufacturers are complying with the newly active EU Data Act.
Target Devices: Eufy Indoor Cam Pan&Tilt, Samsung 55" Q95TD QLED 4K TV.
Perspective: I am approaching this as a consumer seeking to understand my own data, while simultaneously acting as a Solutions Architect evaluating the delivery approach and the quality of the data entities provided.

Like a lot of people, my house contains some connected hardware. I know these devices generate a massive amount of telemetry every single day, and for years, I just accepted that the manufacturer owned it. But with the EU Data Act now active, the rules have flipped. Legally, the data generated by my connected devices belongs to me.

Out of pure consumer curiosity, I decided to test this. I wanted to see exactly what kind of data is being transmitted out of my living room and how hard it is to get my hands on it.

But because my day job is solution architecture, I can’t help but look at this through an engineering lens. When I ask for my data, I want to see the machinery the vendor built to deliver it. Are they treating compliance as a modern engineering challenge with clean APIs, or just a legal nuisance handled by manual spreadsheets?

Here is the log of my first interactions.

Log Entry 1: The Accessibility Test (Finding the Front Door)

The first hurdle under the EU Data Act is simply figuring out how to exercise your rights. The regulation intends for this to be frictionless. The reality is a mixed bag.

Target A: Eufy (Anker Innovations)

Eufy makes this entirely opaque. There is no mention of the EU Data Act in their privacy policy, no dedicated FAQ, and no portal. To get my data, I had to guess and send an email to their general support address (support@eufy.com). For a regulation that demands "easy" access, hiding the process behind a manual email request is a massive accessibility failure.

Target B: Samsung

Samsung built a front door. They have a dedicated self-service portal (Samsung Data Act) and a helpful FAQ section. However, the portal is only available in English, and there is no proactive communication to the user about these rights. You have to know the portal exists to use it.

Architect's Note: Access Patterns
Samsung wins the architectural baseline here. An authenticated self-service portal backed by an asynchronous job queue is the right way to build this. Eufy’s reliance on manual support tickets is unscalable and completely fails the Data Act's requirement for continuous or near-real-time access.

Log Entry 2: Data Deliverables Analysis

After submitting my requests, the responses came back quickly—Eufy on the same day, Samsung within 24 hours. But the actual deliverables told two very different stories.

Payload A: Eufy Cam (The Bare Minimum)

Eufy replied with a time-limited link to download a password-protected ZIP file. Inside were a few .xlsx (Excel) files.

As a consumer, the data itself was incredibly disappointing. I received basic account data (user_info.xlsx with my nickname and email) and device identifiers (notification_devices.xlsx). There were no movement logs, no AI detection events, and no network connectivity history. It wasn't device telemetry; it was just my user profile.

Architect's Note: Formats & Interoperability
Providing proprietary spreadsheet formats (XLSX) without any formal schema makes programmatic third-party integration—a core requirement of the regulation—almost impossible. Eufy has zero technical mechanisms to route this data via API.

Payload B: Samsung TV (Good Tech, Evasive Data)

Samsung’s portal allowed me to download my data directly. They provided it in both CSV and Parquet formats, bundled with metadata files. The portal even includes a mechanism to route data to registered third parties.

But when I opened the files, I found myself disappointed. Samsung provided a dataset called "Display Product Operation Data." It contained detailed interaction logs like WELCOMEPAGE, FAVBUTTON, LIVEBROWSERGENRE, but only for their "Samsung TV Plus" software layer.

They completely omitted the raw hardware telemetry. There were no power-on/off cycles, no HDMI source switching logs, and absolutely no logs of external server connections.
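
An added example, not code from this post or from Samsung: a small Python gap check over a CSV export like the one described above, reporting which hardware-level categories have no events at all. The column names, the keyword patterns and the sample rows are assumptions constructed for illustration; only the three event names come from the post.

```python
import csv
import io
import re
from collections import Counter

# Hardware-level categories the post expected but did not find, with
# keyword patterns that are assumptions made for this example.
EXPECTED = {
    "power_cycle": re.compile(r"POWER|STANDBY|BOOT"),
    "input_source": re.compile(r"HDMI|SOURCE|INPUT"),
    "network": re.compile(r"CONNECT|DNS|TLS|SERVER"),
}

# Constructed sample; column names are hypothetical, event names are
# the three quoted in the post.
SAMPLE_CSV = """event_time,event_name,app
2025-10-01T19:02:11Z,WELCOMEPAGE,Samsung TV Plus
2025-10-01T19:02:40Z,LIVEBROWSERGENRE,Samsung TV Plus
2025-10-03T20:15:05Z,FAVBUTTON,Samsung TV Plus
2025-10-03T20:16:30Z,LIVEBROWSERGENRE,Samsung TV Plus
"""

def audit_export(csv_text, event_col="event_name", time_col="event_time"):
    """Summarise an export: event counts, category coverage, time span."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if rows and event_col not in rows[0]:
        raise KeyError(f"column {event_col!r} not in export header")
    events = Counter(r[event_col].strip().upper() for r in rows)
    covered = Counter()
    for name, n in events.items():
        for category, pattern in EXPECTED.items():
            if pattern.search(name):
                covered[category] += n
    times = sorted(r[time_col] for r in rows if r.get(time_col))
    return {
        "rows": len(rows),
        "events": dict(events),
        "covered": dict(covered),
        "missing": sorted(c for c in EXPECTED if c not in covered),
        "span": (times[0], times[-1]) if times else None,
    }

if __name__ == "__main__":
    report = audit_export(SAMPLE_CSV)
    print("rows:", report["rows"], "span:", report["span"])
    print("event types:", report["events"])
    print("hardware categories with no events:", report["missing"])
```

The list of missing categories and the covered time span are the kind of concrete findings that can be cited in a notice of incomplete fulfillment.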

Architect's Note: Storage Choices
Delivering data in Parquet—a columnar storage format—is a brilliant architectural choice. It is highly optimized for large, structured telemetry datasets and easily ingested by third-party data lakes. Samsung's infrastructure is solid, but their data mapping is intentionally withholding the actual hardware logs.

Action Items: The Escalation

My takeaway from this first test is that vendors are playing defense. They are interpreting "product data" as narrowly as possible, handing over sanitized software analytics or basic account info while keeping the raw, behavioral hardware telemetry locked away.

I’m not accepting that. So, I drafted formal notices of incomplete fulfillment to the Data Protection Officers at both Eufy and Samsung.

To force clarity, I am demanding they provide the data in two strictly segregated datasets:

  1. The Data Act Dataset: The raw hardware operation logs, motor actuations (camera), physical remote signals (TV), and an exhaustive audit of all server connectivity/network handshakes.
  2. The GDPR Dataset: Any inferred behavioral profiles, consumer personas, or automated processing logic derived from my usage.

Preempting the Loopholes

If they claim they don't track this data, my notice demands a formal negative declaration stating it isn't "readily available." If they try to claim "Trade Secrets," I reminded them that the Data Act requires them to duly substantiate the specific economic risk of disclosure, rather than using it as a blanket refusal.

I’ve given both companies 30 days to provide the complete datasets before I escalate the matter to my National Data Coordinator (Bundesnetzagentur, Deutschland).

Next up in Part 2: I will share exactly how their legal and engineering teams respond to being pushed on the technical details. Stay tuned.