Why?
A key objective of the Data Act is to create fairness in the data economy and empower users to reap value from the data they generate using the connected products that they own, rent or lease.
The Data Act enables users of connected products (e.g. connected cars, medical and fitness devices, industrial or agricultural machinery) and related services (i.e. anything that would make a connected product behave in a specific manner, such as an app to adjust the brightness of lights, or to regulate the temperature of a fridge) to access the data that they co-create by using the connected products/ related services.
The availability of such data will significantly impact the economy. For example, data generated by connected products and related services can be used to boost aftermarket and ancillary services as well as to create entirely new services, benefiting both businesses and consumers.
Examples of connected products: consumer products (e.g. connected cars, health monitoring devices, smart-home devices), other products (e.g. planes, robots, industrial machines).
Example of a related service: a user buys a washing machine and installs an application that allows them to measure the environmental impact of the washing cycle based on the data from the different sensors inside the machine and adjusts the cycle accordingly. This application would be considered a related service.
Examples of aftermarket and ancillary services: repair and maintenance services, data-based insurance.
Types of data in scope
Chapter II of the Data Act on business-to-business and business-to-consumer data sharing applies to all raw and pre-processed data generated from the use of a connected product or a related service that is readily available to the data holder (e.g. manufacturer of a connected product/ provider of a related service), in other words data that can be easily accessed without disproportionate effort, going beyond a simple operation. This applies to both personal and non-personal data, including relevant metadata.
Such data includes data collected from a single sensor or a connected group of sensors, such as temperature, pressure, flow rate, audio, pH value, liquid level, position, acceleration or speed.
Inferred or derived data and content (e.g. highly enriched data, audiovisual material) are out of scope. Furthermore, the Data Act is without prejudice to the laws on the protection of intellectual property rights.
For example, if a user watches a film on their connected TV, the film itself is not within scope but data on the brightness of the screen is within scope.
In practice
Chapter II of the Data Act allows users (i.e. any legal or natural person who owns, rents or leases a connected product) to access the data that they generate through their use of the connected product or related service. If the user wishes to share this data with another entity or individual (‘third party’), they can either do so directly or they can ask the data holder to share it with a third party of their choice (excluding gatekeepers under the Digital Markets Act). The data holder is typically the company that makes the connected product or that provides a related service. A data holder must have a contract with the user (e.g. sales contract, rental contract, related service contract, etc.) defining the rights regarding the access, use and sharing of the data that is generated by the connected product or related service. It is important to note that the data holder cannot use any non-personal data generated by the product without the user’s agreement.
By way of example, and bearing in mind that the relevant contract determines the exact roles:
-
A company operates a bulldozer: the data holder would typically be the bulldozer manufacturer, and the user would be the company that operates the bulldozer.
-
If someone buys a connected fridge and downloads an app that helps them to regulate the optimal temperature for the content of the fridge, there would potentially be two data holders, namely the entity that placed the fridge on the market and the entity offering the related service (the app), and only the one user (the owner of the fridge).
The Data Act incudes several mechanisms to make it easier for users to be able to make use of these provisions: data holders must provide the user with information on the type of data that they will generate when using the connected product or related service (including the volume, collection frequency, etc.); users should be able to request access to the data through a simple process, and; data holders must make the data available to users for free.
Limitations on the use of the data
So as not to deter businesses from investing in data-generating products, the data obtained cannot be used to develop a competing connected product. The Data Act does not prohibit competition in related or aftermarket services. Furthermore, there is no obligation under the Data Act for a data holder to share data with third parties based outside the EU.
The Data Act is fully compliant with data protection rules, notably the GDPR. Where the user is not the data subject whose data is being requested, personal data can only be made available if there is a valid legal basis (e.g. consent). This is an important consideration as the co-generated data often contains both personal and non-personal data, which may be difficult to separate.
It incentivises the development of connected products and services based on new flows of data, which is of particular value to smaller companies. In addition, micro and small companies, as manufacturers or providers of related services, are not subject to the same obligations as larger companies.
To protect trade secrets without undermining the goal of the Data Act to make more data available, the data holder and the user/ third party may agree on certain measures to preserve the confidentiality of the trade secrets. Where these measures are not respected, the data holder may withhold or suspend the data sharing. The data holder may only refuse to share data where it can demonstrate that it is highly likely to suffer serious economic damage from the disclosure of trade secrets.
The data holder and user may agree to limit data sharing if there is a risk that the security requirements of the connected product could be undermined, resulting in serious adverse effects to the health, safety or security of people. Such requirements must be laid down in EU or national law.
If the data holder suspends, withholds or refuses to share data on the grounds of trade secrets protection or security requirements, it must notify the national competent authority. Users may challenge such a decision, either in front of the competent court or tribunal of a Member State, via a complaint with the competent authority or upon agreement with the data holder in front of a dispute settlement body.