On November 27, 2023, the European Union took a significant step in shaping its digital landscape. The Council approved the Data Act, which will officially take effect 20 days after its publication in the EU Official Journal. This Act establishes extensive rules for handling and sharing data from “connected products” and “related services.”
The Act aims not just to protect data but also to ensure its accessibility and interoperability. It addresses personal and non-personal data related to the performance, usage, and environment of connected products, a significant expansion over the GDPR’s scope. Of note, any processing of personal data should continue to comply with the GDPR and, where relevant, the ePrivacy Directive.
The Act applies to a wide range of “connected products” across sectors such as infrastructure, vehicles, health and lifestyle equipment, ships, aircraft, home equipment and consumer goods, medical and health devices, and agricultural and industrial machinery. Connected products are essentially IoT devices capable of collecting and transmitting data about their use and surrounding environment, with the exception of prototypes. They range from home thermostats to fitness trackers and encompass even larger systems such as connected cars and smart grids.
The Act defines and regulates “related services” as services connected to a product at the time of purchase, rent or lease, or added later by the manufacturer or a third party to add or adapt functionality. They include everything explicitly linked to the product’s functions and involve the transmission of commands that affect the product’s actions or behaviour. Services that do not affect operation are excluded, e.g., auxiliary consulting, analytics or financial services, or regular repair and maintenance. Likewise, neither the power supply nor the supply of connectivity (e.g., telecom services) is to be interpreted as a related service.
“Data holders” and “data recipients” are among the key actors defined by the Data Act. The data holder is not necessarily the manufacturer but any entity or individual responsible for handling and sharing product data, or data retrieved or generated while providing a related service. The data recipient, in turn, is anyone other than the user who uses this data. The Act’s global reach is a key aspect: it applies to data holders who make data available within the EU and to data recipients in the EU. Manufacturers of connected products and providers of related services, regardless of their location, are subject to the Act if their products are marketed in the EU.
Simplified Data Sharing Requirements
- B2B / B2C Context
Firstly, the Data Act aims to make data accessible by default to users, be they individuals or businesses. While balancing the rights and obligations of all parties involved in data sharing for connected products and related services, the Act requires the following:
- Design and Manufacturing Requirements: Connected products must be designed and manufactured to ensure easy, secure, free, and comprehensive access to product and service data, including metadata. Data should be in a structured, commonly used, machine-readable format and directly accessible to users when feasible.
- Pre-Contractual Information: Before a user enters a contract for a connected product or service, the seller, renter or lessor, which may be the manufacturer, must provide clear information about the type, format, volume, and manner of data generation (including whether generation is continuous or in real time), storage capabilities on the device or on a remote server, intended access by authorized third parties, etc. The seller must also make technical arrangements for user access to data, including means to retrieve or erase it.
- User and Data Holder Rights and Obligations: If direct access to data is not feasible, data holders must make data available to users without undue delay in a high-quality, secure, and structured format. However, access can be restricted if it would compromise the security of the connected product, resulting in serious adverse effects on health or safety.
- Dispute Resolution: Users can lodge complaints with a competent authority or opt for dispute settlement regarding data access restrictions. Data holders must not hinder users’ rights or choices and should only require essential information for data access verification.
- Trade Secret Protection: Trade secrets must be identified and protected. Data sharing of trade secrets is allowed only with necessary confidentiality measures. If confidentiality is compromised, data holders can suspend data sharing.
- Exceptional Circumstances and Economic Damage: Data holders may refuse data access if it likely causes serious economic damage, despite confidentiality measures.
- User Responsibilities: Users must not use accessed data to create competing products or derive insights about the data holder’s economic situation or methods. They must also avoid coercive means to access data.
- Third-Party Data Sharing: Users can request data holders to share data with third parties for aftermarket, ancillary, and other services. Third parties must not use the data to compete with the data holder or compromise connected product security.
- Fairness in data sharing practices between enterprises
The Data Act aims to ensure transparency and reasonableness in data-sharing practices between businesses with provisions for protecting against unfair contractual terms. The key requirements are as follows:
- Fair and Non-Discriminatory Terms: Data holders must agree with data recipients on the arrangements for making data available under fair, reasonable, and non-discriminatory terms. This includes ensuring no discrimination between comparable categories of data recipients, including partner enterprises or linked enterprises.
- Compensation for Data Sharing: Any agreed compensation between data holders and recipients should be reasonable and non-discriminatory. Factors like the costs of making data available, investments in data collection, and the nature of the data should be considered. For SMEs and non-profit research organizations, compensation should not exceed certain basic costs.
- Technical Protection Measures: Data holders may use technical measures like smart contracts and encryption to prevent unauthorized data access, ensuring compliance with the Act and agreed terms. These measures should not discriminate among data recipients or hinder user rights.
- Unfair Contractual Terms: Contractual terms that are unilaterally imposed and deemed unfair, such as those limiting liability for intentional acts or gross negligence, are not binding. Terms that grossly deviate from good commercial practice, contrary to good faith and fair dealing, are considered unfair.
- Contractual Term Negotiations: A term is considered unilaterally imposed if one party supplies it and the other cannot influence its content despite negotiation attempts. The party supplying the term bears the burden of proving it was not unilaterally imposed.
- Severability and Scope of Application: If an unfair term is severable, the rest of the contract remains binding. The Act does not apply to terms defining the main subject matter of the contract or the price adequacy.
- Obligations Scope: The obligations apply in B2B relations where a data holder is required to make data available to a recipient under Union law.
- B2G Context
The Data Act sets a general obligation to provide data to public sector bodies, the Commission, the European Central Bank, and Union bodies. In this regard, of particular note is the following:
- The obligation is contingent on demonstrating an ‘exceptional need.’ This term pertains to situations where data access is vital to respond to a public emergency or to assist in the recovery from a public emergency. Requests for data must be detailed and justified, specifying the data and metadata required, the purpose and duration of use, and any sharing with third parties. For personal data, technical and organizational measures for data protection must be specified.
- Data holders should make data available without undue delay unless valid reasons exist for declining or seeking modification of the request, such as lack of control over the requested data. Data holders other than micro and small enterprises shall make available data necessary to respond to a public emergency free of charge.
- Additionally, data holders that are not micro or small enterprises can receive requests when specific data is necessary for tasks in the public interest, e.g., the production of official statistics. In such cases, compensation can cover, e.g., the costs of anonymization, aggregation, and technical adaptation, plus a reasonable margin.
- Public sector bodies and Union institutions must use the data only for the intended purpose, implement measures to ensure data integrity and confidentiality and erase data when no longer needed. Trade secrets must be protected, and data must not be used to develop competing products.
Switching Between Data Processing Services
Separately, the Data Act requires providers of data processing services, such as cloud and edge services, to facilitate customer switching between providers, ensuring transparency, support, and minimal disruption during the transition. Among other things:
- Information and Transparency: Providers are required to inform customers about switching procedures, limitations, data formats, and interoperability specifications.
- Contractual Terms: Contracts must clearly outline the rights and obligations regarding switching. They should include clauses on the switching process, customer support, maintaining business continuity, data security, exit strategies, termination of contracts, data portability, and data erasure after switching.
- Technical Assistance: Providers must facilitate functional equivalence in new services and offer necessary tools, information, and support for a smooth transition.
- Switching Charges: Initially, providers may impose reduced switching charges, which should not exceed the direct costs of switching. Eventually (three years after the Data Act entered into force), providers are prohibited from imposing any switching charges.
- Transparency on International Access and Transfer: Providers should disclose the jurisdiction of their ICT infrastructure and measures to prevent unauthorized international governmental access or transfer of non-personal data that conflicts with Union or national law.
To adapt to this new regulatory environment, businesses are given 20 months in general and 32 months for the obligations to ensure data accessibility to users. This schedule affords businesses ample time for the necessary preparations. To comply, businesses should, inter alia:
- Technically and contractually prepare to ensure users’ access to data (both personal and non-personal) generated by connected products and related services; this includes making data available to third parties upon the user’s request.
- Remember that personal data remains protected under the GDPR, and that the access rights granted to users shall in no way alter or interfere with the rights of data subjects.
- Be ready for obligations to share data with public sector bodies.
- For data processing services, prepare to switch customers from one service to another while maintaining minimum functionality and without downtime.