On November 27, 2023, the Council of the European Union adopted the EU Data Act (Data Act), a new regulation providing harmonized rules on access to data, switching cloud providers and interoperability requirements across the European Union. The Data Act aims to lay the foundations of a data economy by changing the legal status of data generated or collected by connected devices and related services. This will require far-reaching modifications of existing business models (see our earlier blog post).
One of the central innovations of the Data Act to achieve these ambitious goals is the creation of access rights for users of connected products and related services to data generated by or stored in devices or held by providers of connected services. The Data Act applies in business-to-business (B2B) and business-to-consumer situations, irrespective of whether the data is personal data within the meaning of the General Data Protection Regulation (GDPR). Importantly, the Data Act is intended to complement the rights of access and data portability under the GDPR with more specific rules. Thus, the Data Act is without prejudice to the GDPR and the ePrivacy Directive 2002/58, including regarding the powers of supervisory authorities and the rights of data subjects.
The Data Act will enter into application in the second half of 2025 and will be relevant far beyond the EU’s borders. The Data Act will apply to manufacturers of connected products and providers of related services placed on the EU market irrespective of their place of establishment. However, the Data Act’s provisions on data sharing only apply to users located in the European Union.
The data access rights and obligations in the Data Act can be summarized as follows.
1. Manufacturers of connected products and providers of related services must design and manufacture/provide such products and services in a way that allows direct access to product data and related service data, including metadata.
- Access to data by design and by default. Connected products/related services must be designed and manufactured/provided in such a way that product and related service data is accessible by default. This includes the relevant metadata necessary to interpret and use the data (together, the Data). Access must be easy, secure, comprehensive, structured and provided in a commonly used and machine-readable format. Access by users must be free of charge.
- Direct access. When relevant and technically feasible, the Data must be directly accessible to the user, which means that no data access request is needed.
Associated transparency obligations of data holders
- Before entering into a contract for the purchase, rent or lease of a connected product, the seller, renter or lessor (which may be the manufacturer) must provide specific information to users in a clear and comprehensible format. Examples include the type and volume of Data that the product can generate; whether the product can generate Data continuously and in real time; whether it can store Data on-device or remotely and for how long; and how the user may access, retrieve or delete the Data.
- Similar information must be provided to users of services related to a connected product. Additional examples include who will use the Data and for what purpose, how users may request that the Data be shared with a third party, and how users may end the Data sharing or lodge a complaint alleging a violation of the Data Act.
2. If direct access is not possible, data holders must make the Data readily available to users. Users may also request that data holders make the Data available to a third party.
- Data access request. Where the Data cannot be directly accessed by users, the data holder (usually the provider of a connected service) must make the Data readily available to the user upon request, without undue delay. Where relevant and technically feasible, the Data must be of the same quality as is available to the data holder, continuously and in real time.
- Third parties. Upon request by a user, or by a party acting on behalf of a user, the data holder must make the Data available to a third party in the same manner as described above. While access must be free of charge for the user, this would not necessarily be the case for the third party.
Key requirements for data holders when handling data access requests
- Do not make things complicated. Data holders cannot make users’ choices or rights unduly difficult. Typically, data holders cannot offer choices in a non-neutral manner or subvert or impair users’ autonomy, decision-making or choices through the structure, design, function or mode of operation of a user interface.
- Do not ask for unnecessary information. Data holders may ask the persons requesting access to Data to provide the necessary information to confirm that they are users or third parties acting on users’ behalf. Data holders cannot keep any information on users’ access to the Data requested beyond what is necessary for the sound execution of the access request and for the security and maintenance of the Data infrastructure.
B2B contractual provisions governing data access conditions
- Contract. Where, in B2B relationships, a data holder is required to make the Data available to a third party (data recipient), the modalities for doing so must be determined in a contract between them. Such a contract must be based on fair, reasonable, nondiscriminatory and transparent terms.
- Do not discriminate. Data holders cannot discriminate between comparable categories of data recipients. If a data recipient believes that it has been discriminated against, it is up to the data holder to demonstrate that this was not the case.
- Reasonable compensation. The data holder and the data recipient may agree that access to Data will be subject to compensation. Unless the data recipient is a small or medium-sized enterprise or nonprofit organization, the compensation may include a margin, but it must remain reasonable. The European Commission will publish guidelines on the calculation of the compensation and EU law, or EU countries’ laws may provide more specific rules. In any event, data recipients must be provided with sufficiently detailed information on the calculation of the compensation.
- Examples of relevant factors to calculate the compensation include the costs incurred for making the Data available and the investment in the collection and production of the Data. The compensation may also depend on the volume, format and nature of the Data.
- Unfair terms. The Data Act prohibits contractual terms concerning the access to and use of Data or the liability and remedies for the breach or the termination of Data-related obligations where such terms have been unilaterally imposed and are unfair.
A contractual term is unfair if it grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing. Typically, a contractual term is unfair if its object or effect is to exclude or limit the liability of the party that unilaterally imposed the term for intentional acts or gross negligence or if it gives that party the exclusive right to determine whether the Data supplied is in conformity with the contract.
The Data Act includes a list of terms that are presumed to be unfair. Examples include terms that allow the party that unilaterally imposed them to access and use Data of the other contracting party in a way that is significantly detrimental to the legitimate interests of that party and terms that prevent that party from terminating the agreement within a reasonable time period.
The contracting party that supplied the contractual term bears the burden of proving that that term has not been unilaterally imposed.
3. Data access and use may be restricted under certain conditions, including for security purposes and for protecting trade secrets.
Data holders may only restrict access to the Data by users under certain narrow conditions
- Security. Users and data holders may agree on restricting or prohibiting the access, use or further sharing of Data where this could undermine security requirements of the product set by the law of the European Union or of an EU country and providing access would result in serious adverse effects on the health, safety or security of human beings. Data holders must notify the competent authority of any refusal to share Data.
- Trade secrets. Trade secrets must only be disclosed if the data holder and the user take all necessary measures prior to the disclosure to preserve their confidentiality, especially regarding third parties. To that end, the Data Act establishes rules designed to ensure the delicate balance between data access and the protection of trade secrets. These rules, however, remain a source of anxiety given that they aim to find a way of providing access to Data and that, once the user has obtained such Data, the risk of disclosure still exists.
- Agreement-based rules. The data holder (or the trade secret holder when it is not the data holder) must identify the Data protected by trade secrets and agree with the user proportionate technical and organizational measures to preserve their confidentiality (e.g., confidentiality agreements, strict access protocols or technical standards). It will be challenging to identify appropriate measures to limit the risk of disclosure as much as possible.
- Suspension of trade secret sharing. If there is no agreement on the necessary measures, the user fails to implement them or if the user undermines the confidentiality of the trade secrets, the data holder may withhold or suspend the sharing of trade secrets.
- Refusal of trade secret sharing. In exceptional circumstances, when the data holder is highly likely to suffer serious economic damage from the disclosure of trade secrets despite the measures adopted, the data holder may refuse on a case-by-case basis the request for access. Any refusal or suspension decision must be substantiated and notified to the competent authority. Thus, refusals of trade secret sharing are permitted in very limited cases and closely monitored by authorities.
Data holders may also restrict access to the Data by third parties in situations where the user requests that the Data is made available to a third party
- Not on the market. The users’ right to have a data holder share the Data with a third party does not apply to readily available Data in the context of testing of other new products, substances or processes that are not yet placed on the market, unless use by a third party is contractually permitted.
- No Data sharing with gatekeepers. The users’ right to have a data holder share the Data with a third party does not apply to the largest digital platforms offering core platform services in Europe, the so-called gatekeepers under the Digital Markets Act. Third parties cannot make the Data they receive from data holders available to gatekeepers. The Data Act approach is surprising, since it limits users’ right to choose how to make use of their Data. The Data Act approach is also a restriction to gatekeepers’ freedom to compete, and it is unclear whether such a restriction is justified and proportionate, especially in circumstances where data holders are not prohibited from directly and voluntarily granting gatekeepers access to Data.
- Trade secrets. See above.
Data holders are subject to restrictions regarding the Data they have in their possession
- Only use Data if you have a contract with the user. Data holders may only use readily available nonpersonal Data on the basis of a contract with a user.
- Do not use Data to derive insights. Data holders can only use readily available nonpersonal Data on the basis of a contractual agreement with users. Data holders cannot use such Data to derive insights about the economic situation, assets and production methods of or the use by users that could undermine users’ commercial position in the markets in which they are active. The same applies to third parties unless they have given permission to such use and have the technical ability to easily withdraw that permission at any time.
- Data sharing with third parties. Data holders cannot make available nonpersonal product Data generated by a product to third parties for purposes other than the fulfillment of their contract with users. Where relevant, data holders should contractually bind third parties not to further share Data received from them.
Users are subject to restrictions regarding their own use of the Data obtained from a data holder
- Do not use Data to derive insights. Users cannot use the Data obtained pursuant to a data access request to derive insights about the manufacturer or the data holder.
- Unfair competition. Users cannot use the Data obtained pursuant to the Data Act to develop a connected product that competes with the connected product from which the Data originate, nor share the Data with another third party with that intent.
Third parties that receive the Data following a request by the user to a data holder are subject to restrictions regarding the use of that Data
- No profiling. Third parties cannot use the Data they receive from data holders for profiling purposes, unless this is necessary to provide the service requested by the user. Profiling consists of any form of automated processing of personal data evaluating users’ personal aspects (e.g., to analyze or predict aspects concerning work performance or economic situations) and producing legal effects on them or similarly significantly affecting them.
- No sharing with another third party. Third parties cannot make the Data they receive available to another third party, unless contractually agreed with the user and provided that the other party takes all measures to protect trade secrets (see above).
- Security. Third parties cannot use the Data they receive in a manner that adversely impacts the security of the product or related service.
- Unfair competition and deriving insights. See above.
4. The GDPR takes precedence where Data governed by the Data Act is “personal data.”
The Data Act does not affect rights and obligations under the GDPR and does not create any new legal basis for processing personal data. This means that the access rights described above require data holders to check whether personal data is involved and whether there is a legal basis for making available such personal data (e.g., if the requestor requests personal data of several users).
This means that data holders must identify which of the Data qualifies as personal data. Erring on the side of caution by treating data with uncertain status as personal data will cease to be an option.
Overall, aligning compliance with the GDPR and with the Data Act will be challenging given data protection authorities’ restrictive interpretation of the GDPR and the principle of data minimization, which requires that no more personal data than necessary is processed. Businesses will therefore need to define a well-thought-out policy and consider appropriate options, especially data anonymization, which may be a complex, time-consuming and resource-intensive process.
For more information on this or other digital matters, please contact one of the authors. The authors would like to thank David Llorens Fernández for his assistance in preparing this alert.