On 6 September 2024, the European Commission published a set of frequently asked questions (FAQs) on Regulation (EU) 2023/2854 on Harmonised Rules on Fair Access to and Use of Data (the Data Act). More detail can be found in previous AOS publications on the topic of Regulation (EU) 2023/2854.
The Data Act establishes horizontal rules for accessing and sharing data from internet of things (IoT) products and related services across the EU’s data market, aiming to ensure fairness in the allocation of the value of data among all actors in the data economy. It also includes measures to protect companies from unfair contractual terms relating to data sharing and facilitates switching between data processing services (such as cloud and edge computing) by introducing minimum requirements on interoperability and switching.
The FAQs clarify various key provisions of the Data Act. We summarise the key takeaways below.
Interaction with GDPR and other EU laws
The FAQs explain how the Data Act will interact with the General Data Protection Regulation (GDPR) and other EU legislation. In brief:
- The GDPR applies to any personal data processing covered by the Data Act. In some cases, the Data Act will specify and complement the GDPR (such as with the rules that expand the GDPR data portability right specifically for the IoT context to cover both personal and non-personal data, or by restricting reuse of data by third parties). However, in cases of conflict between the GDPR and the Data Act, the GDPR rules on the protection of personal data take precedence.
- Data protection supervisory authorities (designated under the GDPR) are also responsible for overseeing and monitoring the application of the Data Act and can utilise the tasks and powers provided for in the GDPR.
- The European Commission gives examples of how the supervisory authorities can assess whether a user/data subject has been allowed to port all personal data it requested, whether the data holder correctly qualified which data are considered personal data or whether there is a valid legal basis for a user that is not a data subject to request and port personal data.
- Data subjects should not be required to approach two different supervisory authorities in cases where data access rights apply under both the Data Act and the GDPR, or for any other issues related to the personal data protection in the context of the Data Act.
- The Data Act can be complemented by sector-specific legislation where necessary, but such legislation should be consistent with the principles of the Data Act. These principles apply to all matters related to access to data that are not specifically regulated in sectoral rules.
Data in scope
The FAQs address which data are covered by mandatory data-sharing obligations under Chapter II of the Data Act. For instance, the European Commission reiterates that these obligations only cover raw and pre-processed data that are readily available to a data holder as a result of the manufacturer’s technical design.
Reflecting on numerous discussions during the adoption of the Data Act, the European Commission focuses on the concepts of ‘product data’, ‘related service data’, ‘readily available data’, personal versus non-personal data, and trade secrets. It also gives examples of data that are excluded from the Data Act’s scope, such as:
- Purely descriptive data about a connected product’s use or environment (such as user manuals or packaging) - however, such data may be relevant in relation to pre-contractual transparency obligations under the Data Act;
- Data generated or collected before the Data Act comes into effect; and
- Highly enriched data (e.g., inferred or derived data or data that result from additional investments, such as through proprietary or complex algorithms) and content protected by IP rights (e.g., textual, audio, or audiovisual content).
Connected products and related services
The FAQs address what is considered to be a ‘connected product’, using mostly the examples from the Data Act itself (e.g., smart home appliances, medical devices, and smartphones). If a connected product (such as a vehicle) must use infrastructure to function, this does not entitle the user of the connected product to access data generated by the sensors embedded in that infrastructure (unless the user has ownership or contractual rights over those sensors).
In relation to the concepts of ‘placing on the market’ and ‘making available on the market’, the FAQs refer to The European Commission’s ‘Blue Guide’ on the implementation of EU product rules (2022) for further guidance, including on situations where a product is not considered to be placed on the market.
To be considered a related service, a digital service must satisfy two conditions:
- There must be a bidirectional exchange of data between the connected product and the service provider; and
- The service must affect the product’s functions, behaviour, or operation.
In this regard, although stating that most digital services relating to IoT will fall under the category of related services under the Data Act, the European Commission expects that determining the ‘functions’ of a connected product will be a difficult task, requiring evolving practice and court interpretations. Amongst possible pointers for such determination, the FAQs list the user expectations for a product, marketing about the product or service, contractual negotiations, the digital service replaceability, and its pre-installation on the connected product. Connectivity, power supply or aftermarket services (such as repair and maintenance) are not considered related services.
Users
The FAQs clarify that the Data Act only applies to users established in the EU and explains how to comply with the data access requirements when there are multiple users for the same connected product. The FAQs include an example of a rental car scenario, clarifying the applicability of the Data Act to the car manufacturer, the rental agency and the consumer renting a car, explaining how access to data generated by the car could be carried out lawfully.
The European Commission is also working on model contractual clauses for data sharing, expected to be adopted before September 2025. They will cover contracts between data holders and users, data holders and data recipients, and between users and data recipients. The FAQs further explain how data holders can verify whether a person requesting access or sharing is a legitimate user.
Data holders
The FAQs explain that determining who is the data holder will depend not on who manufactured the hardware or software, but on who controls access to readily available data. Manufacturers of connected products will be data holders in many cases, but they may also outsource this role to another entity. A company providing a related service linked to the connected product may also be a data holder. The FAQs include a flow chart explaining who can be a data holder, as well as clarifying this role under the Data Act.
According to the European Commission, a company cannot be a user and a data holder for the same data, but it can be a user and a data holder for different connected products or related services. There are also situations where a person can be a user without there being a data holder, such as with connected products where the data are stored directly on the device or transferred to the user’s computer, and the manufacturer has no access to the data.
Third parties
The FAQs emphasize that, as a general principle, a third party will be able to use the data for the purposes agreed with the user, and it will be usually in the context of providing a service to the user. An exhaustive list of prohibited actions for the third party is provided in the Data Act, including using data to develop a competing product and sharing the data with gatekeepers designated under the Digital Market Act. However, gatekeepers may rely on other mechanisms (e.g., voluntary data sharing arrangements) to obtain the IoT data.
The FAQs point out that third parties established in a third country cannot receive data on basis of data sharing obligation under the Data Act. Data holders have a legal obligation to share data with an EU-based entity or person at the request of an EU user. They are not obliged to grant a user request to share data with a non-EU entity.
Trade secrets
The FAQs emphasise that the Data Act does not alter existing applicable legal protections, such as those for trade secrets. However, when a data holder receives a request for data access, it must identify any trade secrets to be shared and agree with the user or third party on measures to preserve confidentiality before sharing the data. Failure to implement these safeguards by the user/third party allows the data holder to withhold or suspend the sharing of trade secrets. A data holder may also refuse to share trade secrets if it can demonstrate (with objective evidence) that serious economic damage is highly likely from disclosure, and must notify the competent authority of the relevant EU member state of this refusal.
Other topics covered
Additionally, the European Commission’s FAQs outline guidance on: FRAND licensing conditions, compensation and dispute resolution; data sharing with third parties, businesses and governments; switching between data processing services; interoperability; handling data in non-EU countries; and the enforcement mechanisms under the Data Act.
The European Commission is developing non-mandatory standard contractual clauses for cloud computing to cover such issues as switching & exit, term & termination, non-dispersion, non-amendment, security & business continuity, and liability. As with the model clauses for data sharing, the standard clauses for cloud computing are expected to be finalised before 12 September 2025.
The press release is available here and the FAQs here. The ‘Blue Guide’ on the Implementation of EU product rules 2022 is available here.
[View source.]
