An introduction to the EU Data Act

The Data Act in a nutshell

Rights and obligations around the topic of personal data have been properly tackled and defined in the GDPR. However, this is not the case when it comes to non-personal data generated by IoT devices. In other words, who has the right to access and generate value from such data? The end user who has purchased the device? The manufacturer of the device? Or both?

With these questions remaining unanswered, this ambiguity has led to a de-facto ownership by the manufacturers, who generally had the say on how the data can be used and with whom it could be shared (subject to individual agreements with the buyers). The Data Act answered the above-mentioned questions and lay down clear rules for accessing and using such data. By doing so, it would ensure fairness in value generation and boost innovation by making more data available.

The Act covers:

• availability of data generated from products and related services for the users of those products and related services, in addition to rules on making data available to ‘data recipients’ by ‘data holders’;
• facilitating switching between data processing services;
• introducing safeguards against unlawful third-party access to non-personal data, and ensuring fair competition by protecting trade secrets of manufacturers;
• the development of interoperability standards for data;
• and sharing data with public sector bodies, the Commission, the EU Central Bank and Union bodies, where there is an exceptional need

The main stakeholders

Pursuant to Article 1, the Data Act applies to the following entities:

• manufacturers of connected products placed on the market in the Union and providers of related services, irrespective of the place of establishment of those manufacturers and providers;
• users in the Union of connected products or related services;
• data holders, irrespective of their place of establishment, that make data available to data recipients in the Union. Article 2 defines the ‘data holder’ as a natural or legal person that has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation adopted in accordance with Union law, to use and make available data, including, where contractually agreed, product data or related service data which it has retrieved or generated during the provision of a related service;
• data recipients in the Union to whom data are made available;
• public sector bodies, the Commission, the European Central Bank and Union bodies that request data holders to make data available where there is an exceptional need for those data for the performance of a specific task carried out in the public interest and to the data holders that provide those data in response to such request;
• providers of data processing services, irrespective of their place of establishment, providing such services to customers in the Union;
• participants in data spaces and vendors of applications using smart contracts and persons whose trade, business or profession involves the deployment of smart contracts for others in the context of executing an agreement.

Let us take a hypothetical example to see what these roles could mean in a real-life situation. In our example, we have the following imaginary companies:

• Great-Turbines: a manufacturer of high-quality, connected wind turbines, which it sells to wind park developers whose data it stores on its secure servers.
• Wind-Ener: a wind park developer who purchases wind turbines from Great Turbines to build and operate their wind parks. It also receives some data from Great Turbines essential to the operation of the park under a specific bilateral agreement.
• Wind-Innov: a start-up that provides advanced analytics and diagnostics services for wind park operators like Wind-Ener, based on the data of their wind turbines.

Under the Data Act, Wind-Ener has the right to receive all data being generated by the turbines they purchase and share it with the third-party Wind-Innov. Upon request from Wind-Ener, Great-Turbines will have to provide Wind-Innov with that data, which in turn will be used for the specific agreed-upon purpose to deliver a service to Wind Ener.

In this example, Great-Turbines is a ‘manufacturer’ and ‘data holder’, Wind-Ener is a ‘user’ (and a ‘data recipient’ for the data it directly receives) and Wind-Innov is a third-party ‘data-recipient’.

What does this mean to me as a company?

The Data Act defines a comprehensive set of rights and obligations for each of the stakeholders/roles mentioned above. Let us take a closer look at some of the most interesting requirements and rights for manufacturers, users and third parties.

High-level requirements for manufacturers and co.

• Manufacturers of connected devices should design their connected products in a way that facilitates the sharing and usability of the corresponding data.
• Sellers, renting parties or lessors of a connected device (which could also be the manufacturer), prior to concluding a contract of purchase, rent or lease, must provide the user with comprehensive information on the data being generated by that device, for example, the type, format, estimated volume, storage location, how it can be accessed, etc.
• Providers of a related service prior to concluding a contract for the provision of a related service, shall provide the user with comprehensive information on the data that will be used for that service, for example, the nature, estimated volume and collection frequency of product data, the nature and volume of the data that will be generated by the related service itself, etc.

Key information for ‘data holders’

When and to whom do I have to provide data?

• Upon a simple electronic request, the data holder ensures that users have access to readily available data generated by their connected products, in addition to the relevant metadata, in the same level of quality as it is available to the data holder.
• Upon request by a user, or by a party acting on behalf of a user, the data holder shall make available readily available data, as well as the relevant metadata, to a third party, in the same level of quality as it is available to the data holder.

What about the associated costs?

• Users are not expected to be charged for getting access to the data generated by their devices, i.e., for them this will be free of charge.
• In the case of a request via a third party, and assuming a ‘business-to-business’ relationship, the data holder and the third party (data recipient) may agree on a financial compensation for the time and effort involved in making data available. This fee shall be reasonable and non-discriminatory, and it may include a margin (unless the third party is an SME, in which case the fee shall not exceed the costs required to provide access to the information).

What does that mean for my business-sensitive data?

• Trade secrets shall be safeguarded and shall be disclosed only where the data holder and the user take all necessary measures prior to the disclosure to maintain their confidentiality in particular regarding third parties. In exceptional circumstances (high likelihood of serious economic damage), the data holder may refuse to disclose trade secrets, even if necessary measures were ensured.

What else should I consider when dealing with/using such product data?

• A data holder shall only use any readily available data that is non-personal data on the basis of a contract with the user. A data holder shall not use such data to derive insights about the economic situation, assets and production methods of, or the use by, the user in any other manner that could undermine the commercial position of that user on the markets in which the user is active. The same goes for deriving insights about the third party receiving the data (unless permission is given).
• Data holders shall not make available non-personal product data to third parties for commercial or non-commercial purposes other than the fulfilment of their contract with the user. Where relevant, data holders shall contractually bind third parties not to further pass on data received from them.

Are there any exceptions?

• These obligations (and others mentioned in Article 2 of the Act) shall not apply to data generated through the use of connected products manufactured or designed or related services provided by a ‘microenterprise’ or a ‘small enterprise’, provided that that enterprise does not have a partner enterprise or a linked enterprise that is not considered as microenterprise or small enterprise.
• The same applies to products manufactured by (or a related service provided by) an enterprise that has qualified as ‘medium-sized enterprise’ for less than one year, and to connected products for one year after being placed on the market by a medium-sized enterprise.

What about ‘users’ and ‘third parties’?

Users and third parties are subject to a number of obligations, such as:

• The user and the third party receiving the data shall not use the data they obtain (or share it with another third party) to develop a connected product that competes with the one from which the data has originated.
• The user and the third party receiving the data shall not use coercive means or abuse gaps in the technical infrastructure of a data holder which is designed to protect the data in order to obtain access to data.
• The third party shall process the data made available only for the purpose and under the conditions agreed with the user. The third party should erase the data when they are no longer needed for the agreed purpose (unless otherwise agreed with the user in relation to non-personal data)
• Unless agreed with the user, the third party is not allowed to share the data with another third party.
• The third party shall not use the data it receives in a manner that has an adverse impact on the security of the connected product or related service.
• The third party shall not prevent the user that is a consumer, including on the basis of a contract, from making the data it receives available to other parties.

The Data Act supports the aims of the EU AI Act

It is no secret that some of the most challenging requirements regarding high-risk AI systems mentioned in the EU AI Act have to do with the underlying data. For example, Paragraph 3 of Article 10 states, among others, that the training, testing and validation of datasets need to be relevant, sufficiently representative and at a high quality (e.g., minimum errors, as complete as possible). While the feasibility and strictness of these requirements have been a source of debate and the exact formulation is yet to be finalised, companies need to be prepared for compliance. Putting the AI Act aside for a moment, having relevant, representative, and high-quality data is a de-facto requirement for a high-quality AI model, but obtaining such data is not easy or cheap, especially for (third-party) start-ups. This, however, could become easier thanks to the Data Act and the Data Governance Act, with the former forcing data holders to make more high-quality product data available for third parties, and the latter establishing proper rules and infrastructure to facilitate the exchange of data within the EU.

What next?

As you can see from the information provided in this blog post, the Data Act offers third-party service providers and start-ups the opportunity to come up with new business cases or improve on existing ones. Therefore, these companies should head to the drawing board and start thinking about ways they can take advantage of this opportunity. Manufacturers and data holders (usually the same entity) should start preparing for compliance with the requirements, and if needed, adjust their strategies and some of their business models (e.g., those involving selling product data to the users). Furthermore, it is essential that they have proper data management and governance processes and infrastructure in place to facilitate compliance.

A good first step could be to conduct an assessment to evaluate the relevance of the Data Act for your company and identify measures required to ensure compliance and align its business strategy.

You can find more exciting topics from the adesso world in our earlier blog posts.

Why not check out some of our other interesting blog posts?

• Spelling an end to Schrems II? The new Data Privacy Framework and its implications