The EU’s new data act will be applied starting from September 12, 2024. The act addresses data generated by connected devices and has been described as the personal data law of the Internet of Things (IoT). It covers a wide range of devices, from industrial machines onward. But what does the data act mean in practice, and who does it affect?
Scope of the Data Act
The data act pertains to connected devices, the data they produce, and the services related to them. This includes any situation where a device receives, produces, or collects data about its usage or environment, and this data can be accessed externally, either directly from the device, through a physical connection, or electronically. However, the act does not apply to devices primarily used for storing, processing, or transferring data on behalf of someone other than the user, such as servers. The act also covers services related to devices and data falling under its scope.
Core Requirements of the Act
The act mandates that the data holder must make the data produced by a specific device and the metadata required to interpret and use this data available to the user of that device free of charge. This obligation applies specifically to data produced by the product in question, not data produced by similar devices of other users. The data holder is usually, but not always, the device manufacturer. The user is defined as a person or other entity that owns a connected device, has been granted usage rights to the device by contract, or receives related services.
If it is not feasible to keep the data available to the user, the data holder must provide the data upon the user’s request. The user can also request that the data be shared with a third party operating within the EU. The data holder may charge the third party for sharing the data and even profit from it, but the charges must be non-discriminatory and reasonable. However, if the third party is a small or medium-sized enterprise (SME) or a non-profit research organization, the compensation must not exceed the costs incurred. Data cannot be shared with gatekeepers as defined by the Digital Markets Act, even upon the user’s request, but third parties receiving the data can use the data processing services offered by gatekeepers. Conversely, data holders are not allowed to make data available to third parties except to fulfil a contract between the user and the data holder.
Exceptions to the Obligation to Provide Data
The obligation to keep data available to users or provide it upon request is not absolute. SMEs are exempt from this obligation and some other requirements under certain conditions. In specific situations, it is also possible to refuse to share data to protect trade secrets or if sharing would compromise product safety. However, data holders are expected to prioritize protecting trade secrets and product safety through other measures provided by the act. Furthermore, the use of the data provided is restricted; for instance, it cannot be used to develop competing products.
Other Obligations under the Data Act
The data act also imposes obligations on contracts between businesses for products and services covered by the act, as well as information that must be provided to the user before entering into a contract. Unreasonable, one-sided contractual terms related to data will not be binding on the party that did not draft the term. Additionally, the user must be informed about certain aspects, such as the production and availability of data, before making a contract for the purchase of a product or service.
In certain situations, data holders have an obligation to provide data to public sector entities. If necessary for performing statutory tasks in the public interest, public sector entities may be granted exceptional access to the data. In such cases, the data holder must generally provide the data without undue delay.
The act also sets requirements for the interoperability of data, data-sharing mechanisms, data services, and common European data spaces. Additionally, providers of data processing services must make it easy to switch between data processing services by removing barriers to switching.
Enforcement and Penalties for Non-Compliance
The act imposes severe penalties for non-compliance. Violating the obligations can result in administrative fines of up to 20 million EUR or 4% of the violator’s total global annual revenue from the previous financial year, whichever is higher.
The act will be applied starting from September 12, 2025. The obligation to design, manufacture, and offer products and services in a way that ensures data availability to users will apply to products and services placed on the market after September 12, 2026. The provisions concerning unreasonable contractual terms related to data availability and use between companies will apply from September 12, 2027, to contracts made on or after September 12, 2025, as well as to contracts made before September 12, 2025, that are in effect indefinitely or are set to expire 10 years or more after January 11, 2024.
Conclusion
The data act imposes significant new obligations. Device manufacturers must consider data sharing and management at all stages of a product’s lifecycle. Careful consideration must be given to what data is collected from products and how it is collected. Plans must also be made for how data will be shared and how to ensure this process is secure. This creates a need to review the data architecture associated with products, and security issues will become central. Although the data act introduces new requirements for manufacturers, it is foreseeable that those who act swiftly may gain a competitive advantage and enhance the quality of their products. The act also opens up new opportunities for leveraging data.
Read more about this topic at the following links:
Data Act
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202302854&qid=1714335802958
Digital Markets Act
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022R1925