Like a lot of people, my house contains some connected hardware. I know these devices generate a massive amount of telemetry every single day, and for years, I just accepted that the manufacturer owned it. But with the EU Data Act now active, the rules have flipped. Legally, the data generated by my connected devices belongs to me.

Out of pure consumer curiosity, I decided to test this. I wanted to see exactly what kind of data is being transmitted out of my living room and how hard it is to get my hands on it.

But because my day job is solution architecture, I can’t help but look at this through an engineering lens. When I ask for my data, I want to see the machinery the vendor built to deliver it. Are they treating compliance as a modern engineering challenge with clean APIs, or just a legal nuisance handled by manual spreadsheets?

Here is the log of my first interactions.

Log Entry 1: The Accessibility Test (Finding the Front Door)​

The first hurdle under the EU Data Act is simply figuring out how to exercise your rights. The regulation intends for this to be frictionless. The reality is a mixed bag.

Target A: Eufy (Anker Innovations) Eufy makes this entirely opaque. There is no mention of the EU Data Act in their privacy policy, no dedicated FAQ, and no portal. To get my data, I had to guess and send an email to their general support address (support@eufy.com). For a regulation that demands "easy" access, hiding the process behind a manual email request is a massive accessibility failure.

Target B: Samsung Samsung built a front door. They have a dedicated self-service portal (Samsung Data Act) and a helpful FAQ section. However, the portal is only available in English, and there is no proactive communication to the user about these rights. You have to know the portal exists to use it.

Log Entry 2: Data Deliverables Analysis​

After submitting my requests, the responses came back quickly—Eufy on the same day, Samsung within 24 hours. But the actual deliverables told two very different stories.

Payload A: Eufy Cam (The Bare Minimum)​

Eufy replied with a time-limited link to download a password-protected ZIP file. Inside were a few .xlsx (Excel) files.

As a consumer, the data itself was incredibly disappointing. I received basic account data (user_info.xlsx with my nickname and email) and device identifiers (notification_devices.xlsx). There were no movement logs, no AI detection events, and no network connectivity history. It wasn't device telemetry; it was just my user profile.

Payload B: Samsung TV (Good Tech, Evasive Data)​

Samsung’s portal allowed me to download my data directly. They provided it in both CSV and Parquet formats, bundled with metadata files. The portal even includes a mechanism to route data to registered third parties.

But when I opened the files, I found myself disappointed. Samsung provided a dataset called "Display Product Operation Data." It contained detailed interaction logs like WELCOMEPAGE, FAVBUTTON, LIVEBROWSERGENRE, but only for their "Samsung TV Plus" software layer.

They completely omitted the raw hardware telemetry. There were no power-on/off cycles, no HDMI source switching logs, and absolutely no logs of external server connections.

Action Items: The Escalation​

My takeaway from this first test is that vendors are playing defense. They are interpreting "product data" as narrowly as possible, handing over sanitized software analytics or basic account info while keeping the raw, behavioral hardware telemetry locked away.

I’m not accepting that. So, I drafted formal notices of incomplete fulfillment to the Data Protection Officers at both Eufy and Samsung.

To force clarity, I am demanding they provide the data in two strictly segregated datasets:

1. The Data Act Dataset: The raw hardware operation logs, motor actuations (camera), physical remote signals (TV), and an exhaustive audit of all server connectivity/network handshakes.
2. The GDPR Dataset: Any inferred behavioral profiles, consumer personas, or automated processing logic derived from my usage.

I’ve given both companies 30 days to provide the complete datasets before I escalate the matter to my National Data Coordinator (Bundesnetzagentur, Deutschland).

Next up in Part 2: I will share exactly how their legal and engineering teams respond to being pushed on the technical details. Stay tuned.