This message shouldn’t worry you. It’s supposed to work like that:
A client (web-browser) must not be able to access directly the data/ folder. On the admin page, there is a check on this and it tries to access https://example.org/data/.ocdata, if the test succeeded, your data/ folder would be accessible from a web browser and everybody could access sensitive user data without authentication: e.g. via https://example.org/data/username/files/my_secret.txt
So if it must be impossible to access directly through it, how does Nextcloud access the file? Apache itself blocks access, but the php process can access the files in the data folder and provides after proper authentication via webdav.