26 January 2024
On 11 January 2024, the EU Data Act (2023/2854) entered into force. This new regulation includes rules for accessing and using data generated by smart products, such as smart meters, industrial machinery, medical devices and connected cars.Such devices generate data on a large scale, but these data are typically held by the manufacturers of those products. The European Union finds this problematic, which is why it introduced the Data Act in an effort to give individuals and businesses more control over data generated by smart devices.
The Data Act applies to data generated by connected products and related services placed on the EU market. Connected products are products connected to the internet that generate or collect data concerning their use or environment. These products are also referred to as smart devices or the Internet of Things.
The Data Act also introduces the concept of data holders. These are parties that make smart devices available and that have access to the data collected by such devices.
Data holders have an obligation to make such data available to users, as well as to certain other parties. Users are the natural or legal persons that own, rent or lease a smart device. The data to be made available comprise not only the data generated by the smart device but also the metadata necessary to make that data comprehensible. This may cover personal data in the meaning of the GDPR, but it may also cover non-personal data.
Data sharing and access
The Data Act introduces an obligation to design smart devices in such a way that the data generated by the use of the smart device are, by default, easily and securely accessible to the user, free of charge. If those data are not directly accessible to the user, the manufacturer will be required to make the readily available data accessible to the user upon request, free of charge. Time will tell how readily available data is to be construed.
Users can also ask the manufacturer of the smart device to share the data generated by that device with a third party. For example, the driver of a connected car can ask the manufacturer to share the data generated by the driver's use of that car with a particular repair service. The third party receiving these data may then use them only for the purposes and under the conditions agreed with the user. The data holder may request reasonable compensation from the third party for sharing the data.
The Data Act also creates new transparency obligations, ensuring that users of smart devices receive clear prior information on how their data will be used. For example, manufacturers of smart devices will be required to provide information on the volume of data that the product will generate, whether the product is capable of generating data continuously and in real-time and how long that data will be retained.
B2B data sharing
The Data Act also contains rules on business-to-business (B2B) data sharing, including at a user's request. Those rules aim to ensure that business-to-business data sharing will take place under fair, reasonable and non-discriminatory terms and conditions and in a transparent manner. The Data Act therefore also lists the contractual terms that, if unilaterally imposed, are considered unfair in a B2B context. Such terms are not binding. The goal is to enable small and medium-sized enterprises (SMEs) to participate more actively in the data market.
Data holder protection
While the Data Act imposes far-reaching obligations on data holders, their interests have not been disregarded altogether. For example, the Data Act prohibits users and third parties from using the data they receive to develop competing products. In addition, data holders are empowered to make arrangements on data confidentiality and trade secrets and can agree technical and organisational measures to preserve that confidentiality. Users and data holders may restrict data access if this access could undermine the product's security requirements.
The obligations under the Data Act will take effect on 12 September 2025. The obligation to design smart devices in such a way that data generated by the use of that device are, by default, easily accessible to the user in a structured format will not take effect until 12 September 2026. For vehicle data, additional sector-specific rules are expected to be introduced soon (see also the letter (in Dutch) on this subject sent by the Minister of Infrastructure and Water Management on 21 November 2023).
The Data Act also imposes requirements on data processing services (e.g. cloud providers) to enable their customers to switch services more easily. We will provide a separate update on this topic.
Please do not hesitate to contact us if you would like more information on the Data Act's implications for your organisation.