The Data Act, which entered into force on 11th of January 2024, is, alongside additional acts such the Data Governance Act, a component of the European Strategy for Data. The Data Governance Act has been applicable since September of last year, laying the foundation of the European Strategy for Data towards establishing a unified data market to protect Europe's data sovereignty and global competitiveness. Regarding the rights to use data, it is meant to be a cross-sectoral document. Because of this, it is not meant to alter or replace current sectoral regulations; rather, it will serve as the foundation for all upcoming sectoral regulations.
Regarding the data economy, the Data Act seeks to remove as many legal, financial, and technological barriers as it can. As a result, the Data Act's goals are to promote data use and access and to guarantee equity in the distribution of data's value among the many data economy participants.
Manufacturers ought to be required to create a design as "data-transparent" as possible. It should be simple for users to access any data that is generated or gathered when utilizing such a product. Furthermore, the definition of "data" is quite broad, with “data” referring to more than just personal data.
Nevertheless, the Data Act does not give the data holder a legal justification for processing data. The real control that the data holder has over the pertinent data is the foundation of the Data Act. Therefore, a data holder is required to comply with data protection regulations in addition to the Data Act's requirements such as the General Data Protection Regulation (GDPR) or the Telecommunications and Telemedia Data Protection Act (TTDSG).
The data holder must also comply with data protection regulations such as the General Data Protection Regulation (GDPR) or the Telecommunications and Telemedia Data Protection Act (TTDSG).
What products are covered by the Data Act?
Connected physical products that can transmit such data via a publicly accessible electronic communications service and that can gather or generate data about their performance, use, or environment through pertinent components are covered by the Data Act. Such items are referred to as the "Internet of Things" (or "IoT") in Recital No. 14 of the Data Act. Vehicles, consumer goods and household appliances, industrial and medical gear, and devices for agriculture and health care are examples of such Internet of things (IoT) products (Recital No. 14 sentence 3 Data Act).
Because such data represents the digitalization of user activities and events, corresponding (raw) data ought to be available. However, data that is generated from such data (e.g. using complex proprietary algorithms) will not be considered to be covered by the Data Act (Recital 15).
On the other hand, items made primarily to record and transmit material, or to display or play content, such as smartphones, cameras, webcams, are not meant to fall under the purview of the Data Act, in contrast to Internet of Things items.
To whom does the Data Act apply?
The Data Act's reach extends across national borders. It applies, inter alia, and regardless of the place of establishment, to:
manufacturers of in-scope products and suppliers of in-scope services in the EU;
data holders who make data available to data recipients in the EU; and
providers of data processing services offering such services to customers in the EU. Unlike the GDPR, the Data Act only applies to users and data receivers within the EU.
The data sharing duties imposed by the Data Act on data holders apply to "Business to Consumer" ("B2C") as well as "Business to Business" ("B2B") users. Data sharing rights are granted to B2C and B2B users, as well as, in extreme cases, Business to Government ("B2G") users.
The "user" of the good or service has the legal authority to access and/or request the exchange of data. A user is a " natural or legal person, who owns, rents, or leases a product or receives a service" (Art. 2 Nr.12). As a result, it is evident that the acquisition of devices by a legal or natural person establishes "user" status.
The organization in charge of the technical design of the product and any associated services is known as the data holder. They also have the authority (or duty, depending on the situation) to make specific data public. For instance, when it comes to medical devices, producers of those devices are usually also the holders of data pertaining to a patient's use of that device. But occasionally, patients aren't the main recipients of data from medical devices that manufacturers rent or lease (e.g. computer aided diagnosis systems). Healthcare institutions might also be eligible to utilize the patient data handled by the medical device or service. They might also serve as holders of patient data. Similarly, for the automotive industry when it comes to car rentals, the data user may either be the rental company or the natural person that rents the car.
What are the Key Provisions of the EU Data Act?
The Data Act enshrines the right of users (a person or a company) to access their data, as well as the possibility to share it with third parties, subject to certain limitations (see Article 5). Users are entitled to prompt and free access to their data, ensuring it is of the same quality as held by the data holder and available in real-time where applicable. However, when the data holder is a Small/Micro Enterprise, or the user is a very large enterprise there are some exceptions applicable to further protect the fairness of the market. Small or micro-enterprises are defined as companies with no more than 49 employees and an annual turnover of no more than EUR 10 million.
Article 3 sets out the prerequisites for manufacturers to incorporate "access by design" so that the data is accessible in a comprehensive, structured, commonly used and machine-readable format and, where relevant and technically feasible, directly accessible. In addition, further pre-contractual obligations on the part of the seller, rentor or lessor to provide comprehensive information to the user are defined. If direct access to the data is not available, the data holder shall, upon request, promptly and at no cost disclose the pertinent data, if appropriate continuously in real time.
Certain limitations on data access and usage are also included in Article 4 of the Data Act. For instance, personal data contained in a data set may only be made available if there is a legal basis for this in accordance with the GDPR. Furthermore, if using generated data could have a negative impact on the user, the data holder is not permitted to use it to learn about the user's assets, financial status, or production techniques. These provisions extend to medical devices, requiring their design to facilitate easy and direct user access to generated data. Users retain the freedom to utilize their data for lawful purposes, with third-party recipients processing it as agreed and deleting it when no longer necessary. However, users and third parties are restricted from utilizing the data to develop competing products or engaging in profiling without explicit consent. Any data sharing must be governed by a sharing agreement, safeguarding the interests of data holders and incorporating measures such as compensation, confidentiality obligations, and protection of trade secrets. Additionally, the Data Act mandates the provision of data to public sector bodies during public emergencies, ensuring vital information availability for addressing critical issues like cybersecurity incidents.
Unfair contractual terms pertaining to data access and usage should be void for SMEs, alongside the general idea of facilitating easy and barrier-free data access.
Any restrictions on liability for willful misconduct and gross negligence, as well as total exclusions from a warranty, should always be void.
Furthermore, the Data Act takes the stance that some particular provisions shall generally be invalid. This includes, for instance, irrational warranty exclusions or restrictions on data access and usage that materially harm the other contractual party's legitimate interests.
SMEs are also generally exempted from the obligation laid down in Articles 3 to 7.
Data Portability and Design Requirements
Moreover, customers will be able to move between cloud providers easily and eventually for free according to the Data Act. By taking these steps, vendor lock-in will be avoided while market competition and choice are encouraged. For example, any European business might take advantage of the many prospects in the EU cloud market by combining data services from several cloud providers ("multi-cloud"). When businesses and administrations transfer their data and apps to another cloud provider, the expenses will also be significantly reduced.
Data holders must ensure that customers can transfer their relevant data to another service provider that offers a comparable service (Art. 23 et seq). While the GDPR stipulates the right to data portability for personal data in Art. 20 para. 1 GDPR, the provisions of the Data Act cover all data that fall within its scope of application.
Transparency
Article 3 sets out to provide prerequisites for precontractual obligations, which provide for a high level of transparency towards users. This would, for example, require considerable contractual adjustments.
Prior to signing a purchase, rental or leasing contract for a connected product (e.g. wearable or medical device), the user must be informed of certain mandatory information.
These include:
the type and amount of data generated during the use of the connected product and whether this data is generated continuously and in real time;
whether the manufacturer/service provider plans to use the data themselves or will want to share the data with a third party and, if so, for what purposes;
the user's access to the data (e.g., through the product's settings or by contacting the data holder).
Public Sector Access in Emergencies
The COVID-19 pandemic is proving to be a useful lesson for legislators. Art. 14 to 22 of the Data Act regulate the right of public bodies to access data in emergencies. However, strict conditions must be met for this, such as the declaration of a public emergency and the impossibility of obtaining the data in a timely and comparable manner by other means (Art. 15).
For comparison, Chapter VIII sets requirements against unlawful international governmental access of non-personal data (Art. 32). According to this, providers of data processing services must take appropriate technical, organizational and legal measures to prevent unlawful governmental access to and transfer by third countries.
Dispute Resolution and Enforcement
EU Member States must appoint one or more capable supervisory authorities to guarantee the Data Act's implementation and enforcement. A data coordinator must be chosen as the main national point of contact if multiple authorities have been designated pursuant to Article 37(1), (2).
The Data Act's fines are set by the individual member states, who also consider the infringementer's yearly revenue from the previous EU fiscal year, among other things. These fines ought to be reasonable, effective, and deterrent. As per the rules of Article 40 (4), violations of the sharing provisions pertaining to personal data may result in administrative fines as stipulated in the GDPR, which may amount to a maximum of €20 million or four percent of the global annual sales.
Smart contracts
The creation of smart contracts (Art. 36) is one of the most disputed provisions of the Data Act. According to Art. 2 Nr. 39 a smart contract is "a computer program used for the automated execution of an agreement or part thereof, using a sequence of electronic data records and ensuring their integrity and the accuracy of their chronological ordering" is the general definition of a smart contract. The Data Act may potentially have an impact on already-existing smart contracts on public blockchains and makes no distinction between distributed ledger technology and digital contracts alone.
Smart contract providers need to make sure their products have "access control mechanisms" and "a very high degree of robustness." In order to "terminate the continued execution of transactions," smart contracts must also have a kill switch, which is a device that can either destroy the contract or suspend its execution.
Are there exceptions to the sharing obligation?
The right of access may be extensive, but it does have limits. If data holders have legitimate reasons not to disclose the data to users, they still have certain options. For example:
To prevent unfair practices, the parties should be allowed to freely negotiate in their contracts the specific terms for making data available, with a few (very relevant) exclusions;
Trade secrets must be adequately safeguarded by the conditions of the agreement between the data owner and the user or third party;
Data holders have the option to request payment from third parties (SMEs may only be eligible for reimbursement for the expenses and investment necessary to make the data available); and
Only using the data for purposes agreed upon with the user and imposing significant limits, users and third parties to whom the user has requested access to the data should handle the data. They are unable to use the data to create a product that rivals the one that the accessible data originated from, as previously mentioned. To make sure that the user or third party abides by the contractual conditions, etc., the data holder can use protection mechanisms (such as smart contracts).
How are IP rights, trade secrets and personal data handled?
Disclosure of trade secrets is permissible only when both the data holder and the user undertake necessary precautions to uphold confidentiality, especially concerning third parties. The Data Act outlines regulations aimed at striking a delicate balance between data accessibility and trade secret protection. However, concerns persist regarding the efficacy of these regulations in minimizing the risk of inadvertent disclosure post-data acquisition.
Data holders (or trade secret holders, if distinct from the data holder) must identify data safeguarded by trade secrets and collaboratively establish proportionate technical and organizational measures with users to preserve confidentiality. This may entail confidentiality agreements, stringent access protocols, or adherence to specific technical standards. Identifying appropriate measures to mitigate the risk of disclosure poses significant challenges.
In instances where agreement on requisite measures cannot be reached, or if users fail to implement them, or compromise the confidentiality of trade secrets, data holders reserve the right to withhold or suspend the sharing of trade secrets. Exceptionally, when the data holder faces a substantial risk of severe economic harm due to trade secret disclosure despite adopted measures, refusal of access may be warranted on a case-by-case basis. Such decisions must be well-founded and communicated to the competent authority, ensuring stringent oversight over refusals or suspensions of trade secret sharing.
What should affected companies do to prepare for the new requirements?
In general, companies should start reviewing their contracts and contractual framework conditions for compliance with the requirements of the Data Act at an early stage and revise them if necessary. In addition, data access and data portability requirements should be taken into account during product development when planning production cycles. Integrated products and associated services should ideally be developed in such a way that the user can directly access the data that is generated through their use and is easily accessible to the data owner.
Manufacturers of connected products should also take appropriate security measures to protect sensitive and personal data. Data protection teams should be involved to ensure compliance with the relevant data protection regulations. Products should be manufactured with data protection in mind and with the lowest possible risk to the fundamental rights of individuals. Pseudonymization, encryption and the use of technologies that allow algorithms to be applied to data in order to gain meaningful insights while processing only the necessary information are some examples of possible precautions. The obligation to pass on data to third parties authorized by the user significantly increases the requirements for appropriate IT security.
Timelines
In accordance with Article 41 of the Data Act, the Commission shall create and suggest non-binding model contractual conditions for data access and use by September 12, 2025.
For new contracts entered after September 12, 2025, the Article 13 Data Act's unfairness criteria for general terms and conditions is applicable. As long as the old contracts have an indefinite period or are set to expire at the earliest 10 years from January 11, 2024, they will also be subject to the unfairness test, which will be applied to contracts concluded on or before September 12, 2025, starting on September 12, 2027.
The Data Act sets to bring uniform regulations to the EU, but national authorities will oversee enforcing them. Each Member State will choose which authority—or authorities—to designate for this usage. The Data Act also leaves it up to Member States to determine the applicable sanctions, subject to the minimal conditions outlined in the legislation. Penalties must be 'effective, proportionate, and dissuasive', and Member States must notify the Commission of the substance of these penalties within 20 months of their implementation, i.e. by September 12, 2025.
For individual requirements, a slightly longer implementation duration of thirty-two months is applicable. However, by establishing policies and enacting laws pertaining to things like fair compensation for shared data, interoperability requirements, sample contract language, or standardized smart contract standards, the Commission will assist Member States in upholding these laws. For these reasons, businesses ought to implement a consolidated, well-coordinated EU-wide compliance strategy.