2024’s Blockbuster: The EU’s Data Act
After a lengthy legislative process, the final text of the European Union’s Data Act has now been published. The Data Act will impose (sometimes far-reaching) obligations to make data available in the context of connected products. Spoiler alert: The term “connected product” is defined quite broadly. The Act will enter into force on January 11, 2024.
Following the EU Commission’s first draft of the Data Act in February 2022, the European Parliament and European Council provisionally reached agreement on the Data Act’s final cut in June 2023. But it wasn’t until November 2023 that we were able to take note of what the Data Act will finally look like.
Various actors are featured in the Data Act. On the one hand we have “data holders,” which are – as the name suggests – those entities that are engaged in the offering of connected products and have access to data. Data holders generally bear the responsibility to make data generated through the use of connected products or related services (i.e., a digital service that is essential to the functioning of the connected product) available. Data holders are required to make these data available to “users,” which means the persons (or legal entities) who own a connected product, or to whom temporary rights to use that product have been contractually transferred. Users, in turn, can request that data holders directly make data available to “third parties” (also referred to as “data recipients”), which may be competitors of data holders. Finally, “public sector bodies” can also request access to data in cases of exceptional need.
The Data Act also imposes obligations on data processing services (such as cloud and edge service providers) to ensure interoperability and enable users to switch from one provider to another.
The intention of the Data Act is to acknowledge that when connected products are used, data are often generated. Users of the products should therefore not be limited to enjoying each product’s use, but should also have access to data generated by its use. The concept of “connected products” under the Data Act is broad and applies to the typical IoT products (e.g., consumer goods, health devices, and home equipment) but can also apply, for example, to agricultural and industrial machinery. Moreover, it includes both end-products and the components incorporated into the end-products. Depending on who has access to that data (the “data holder”), both manufacturers of end-products and suppliers of components may be faced with data requests under the Data Act. However, it should be noted that only products that are placed on the market fall under the scope of the Data Act. As a result, connected products that are developed solely for a company’s own use (and not otherwise made available to customers) are excluded from the Data Act’s scope.
The word “data” in the context of the Act can be broadly interpreted and comprises not only data generated by the products themselves but also metadata that are necessary to interpret and use those data.
The right to access data is limited to data that are “readily available” to the data holder. “Readily available” entails both actual access as well as potential access for the data holder, as long as such access is lawful and doesn’t require disproportionate effort. It remains to be seen when any effort will be considered disproportionate, but suffice it to say that if the data holder has access to the data, the user should have access too. User access must be given without undue delay, in the same quality that is available to the data holder, free of charge, in a commonly used and machine-readable format and, where relevant and technically feasible, continuously and in real-time. Moreover, modeled after the data portability requirements under the GDPR, users can also request that access is given in the same manner directly to third parties. However, in such a case, the data holder may request compensation from the third party for providing such access. Third parties designated as gatekeepers under the Digital Markets Act are excluded from the right to receive data upon a user’s request.
The EU legislators have acknowledged in their own way that the Data Act poses a significant impact on data holders, in particular in respect of their competitive position. They have therefore sought to implement some protections to be enforced by contract.
First, “non-competes”: Users and third parties are legally prohibited from using any data obtained under the provisions of the Data Act to develop a competing product. A product is considered “competing” if it is placed on the same product market (as determined on the basis of competition law) and is considered to be interchangeable or substitutable by users (e.g., on the basis of its characteristics, price, and intended use).
Second, confidentiality: Data holders are permitted to contractually agree to specific measures with users or data recipients to preserve the confidentiality of trade secrets, such as through model contractual terms, confidentiality agreements, strict access protocols, technical standards, and the application of codes of conduct. Where measures are violated or where the confidentiality of trade secrets is otherwise undermined, data holders are permitted to withhold or suspend the sharing of trade secrets. In addition, in exceptional circumstances where disclosure of trade secrets would be highly likely to cause serious damage to the trade secret holder, the disclosure of trade secrets may be refused altogether. Any suspensions and refusals will need to be notified to the competent authority.
Third, security: Users and data holders may contractually restrict or prohibit accessing, using, or further sharing data, if such processing could undermine the security requirements of the connected product, as laid down by EU or national law, resulting in a serious adverse effect on the health, safety, or security of natural persons.
Last, “fair use”: The data holder may use the user’s data for its own purposes, but it may not use the data for purposes of profiling the user, and any use of data has to be explicitly provided for in the user contract. Further, neither the data holder, nor the user, nor any third party is permitted to use data to derive insights about the economic situation, assets, and production methods of any of the involved parties.
The provider of a connected product will need to make certain pre-contract information available to the user, for example:
The type, format, and estimated volume of the data that the connected product is capable of generating and whether it will be generated in real-time or continuously;
Whether the connected product is storing data on the device or on a remote server, and associated retention periods; and
How access, retrieval, and erasure of the data can be exercised by the user and the right to lodge a complaint.
Additional precontractual information requirements also apply to the prospective data holders.
For B2B relationships, the data holder and data recipient are required to agree on the terms for making data available. In principle, there is freedom of contract as long as the terms do not undermine the Data Act and they are fair, reasonable, and non-discriminatory. The Data Act also prohibits the use of unfair terms (as they are further defined in the Act) that are imposed unilaterally (i.e., the data recipient unsuccessfully tried to negotiate the term).
The Data Act governs both personal data and non-personal data. As a result, it complements, and does not set aside the applicability of, the GDPR. In case of conflict, the GDPR takes precedence. For example, the Data Act specifies that the obligation to provide users with access to data does not also provide for a legal basis under the GDPR for processing personal data. In other words, in such cases the data holder will need to additionally secure a legal basis, such as consent. This is particularly relevant where the user who requests access to data is not also the data subject for purposes of the GDPR.
The Data Act also complements the Data Governance Act, which facilitates the reuse of, and access to, certain protected public sector data.
The EU continues to draft proposals to govern the use of, and access to, data, and the sequel to the Data Act itself can be found in the Financial Data Access Regulation. This regulation was proposed earlier this year and aims to enable access to financial data across a wider range of financial services.
The Data Act will enter into force on January 11, 2024 and its provisions will be applicable 20 months thereafter, i.e., September 11, 2025.
Notably, there is a grace period for connected products and related services placed on the market within 32 months from the date when the Data Act enters into force. Such connected products or related services do not yet have to be designed, manufactured, or provided in a way that would make the data generated by their use, by default, accessible to the user, and therefore access to data does not have to be provided for such products or services, unless the data are readily available.