The Data Act (DA) is a new EU-driven legal framework which seeks to make more data available for use in the EU, with the aim of ensuring fairness in the digital environment, stimulating competitiveness in the data market and driving innovation.
The DA allows access to data generated by providers and manufacturers of connected devices and smart objects on certain terms. For end-users, the DA will reinforce the GDPR’s right to data portability as it will permit end-users to switch providers and facilitate the transfer of data gathered through smart objects and connected devices from one provider to another.
The Data Act is currently going through the trialogue process in the EU. On 14 July 2023, the committee representing the Council of the EU formally agreed to the compromise text of the DA. It is now with the European Parliament to reach a final decision and adopt the wording so that provisional agreement can be reached. The European Parliament has scheduled its next plenary session for this autumn, which is when we can next expect an update.
It is expected that the DA will come into force by early to mid-2025. However, the following obligations under the DA will apply shortly after it becomes applicable in Member States:
- The obligation to design connected products and services in a manner that is directly accessible to the user under Article 3(1) will apply 12 months after application;
- The provisions under Chapter IV relating to unfair contractual terms will apply 2 years after application to contracts concluded on or before the date of application, provided that they are of indefinite duration or due to expire at least 10 years after application.
In addition to the Data Governance Act, the Data Act is a further proposal which forms part of the EU’s Strategy for Data.
The political agreement clarifies the scope of the regulation allowing users of connected devices, ranging from smart home appliances to smart industrial machinery, to gain access to data generated by their use which is often exclusively harvested by manufacturers and service providers. Regarding Internet of Things (IoT) data, in particular, the focus was moved to the functionalities of the data collected by connected products instead of the products themselves. The Data Act will apply to all data recipients and third parties within the EU.
The key aims of the DA’s legal framework include:
- New measures to allow users of connected devices to gain access to data generated by such devices, which is often exclusively retained by manufacturers, and to share such data with third parties to provide aftermarket or other data-driven innovative services.
- Rebalancing negotiation power for SMEs by preventing counterparties from unilaterally imposing unfair contractual terms in data sharing contracts, through the inclusion of a test for fairness. The European Commission will develop model (non-binding) contractual terms to assist SMEs.
- New ways for public sector bodies to access and use data which is held by the private sector that is necessary for exceptional circumstances, for example in the case of pandemics or disasters. These data insights will facilitate an efficient response.
- New rules allowing customers to effectively switch between different cloud data-processing services providers. The DA will make it easier for customers to move data and applications from one provider to another. In addition, safeguards will be put in place against unlawful data transfer.
- Provisions for the development by the European Commission of common specifications to encourage data-processing service interoperability (the ability of computer systems or software to exchange and make use of information).
- Protection for trade secrets as balanced against the data sharing requirements. A source of contention during negotiations had been the extent to which, and the form in which, a data holder could prevent disclosure of sensitive commercial information that might harm its economic interests. This issue has now been addressed in the final agreement of the Act, which provides for protection of trade secrets under limited circumstances, in the form of a veto right for manufacturers to protect trade secrets of high value or sensitivity.
Impact on businesses
The new rules will allow customers to effectively switch between data-processing providers (cloud providers) and put in place additional safeguards against unlawful data transfers. When a connected product (e.g. a smart home device) that generates data is purchased, it is usually not clear who can do what with the data. It is not unusual that all data generated is exclusively harvested for use by the manufacturer. The DA will give both individuals and businesses more control over their data through the data portability right; see examples of possible impacts below.
Crucially, the manufacturer’s capacity to use data of objects they manufacture remains unaffected and the third party selected by the user compensates the manufacturer for the costs of granting access through technical arrangements to make the data available, such as through APIs.
Holders of data generated by IoT will most likely experience the costs of implementing the various measures imposed by the DA, such as:
- connected products and services are designed in such a way to allow by default easy and secure access to users (businesses and consumers);
- data generated using connected objects and related services must be made available to users, where such data cannot be accessed through the product or service itself. This requirement is subject to certain restrictions for trade secrets, personal data and the use of the data to create competing products.
- data generated using connected objects and related services must be made available to a third party without undue delay, upon request by an end-user, or the third party acting on their behalf.
- the data holder must make available to the end-user certain information regarding the data generated and how this may be accessed in a clear and comprehensible format.
What should IoT companies be doing now?
The DA introduces new obligations on data holders. In order to comply with the DA, manufacturers and providers of related services should consider taking steps to:
- Review their products, data practices, data policies and T&Cs for both businesses and consumers, to ensure compliance with the DA;
- Implement security measures to protect data. Increased facilitation of data access makes implementing and maintaining robust security measures of particular importance; and
- Prepare and put in place data sharing agreements that are compliant with the DA, especially when dealing with SMEs. The EU Commission has proposed to draft non-binding contractual clauses for use by SMEs to balance their bargaining position. Manufacturers and providers should give consideration to using these non-binding clauses in their agreements when dealing with SMEs.