Providers and users of connected products in the EU, or services related to such products, take note: The EU Data Act is now in force. The clock on the transition period started ticking on January 11, 2023, and you need to be prepared. The Data Act is a Regulation; this means that it’s now law in all EU countries, and country-specific amendments aren’t permitted.
As the European Commission’s press release points out, “[t]he new rules define the rights to access and use data generated in the EU across all economic sectors and will make it easier to share data, in particular industrial data.” It also stresses that the Act will not only create fairness when it comes to data access and creating value from data but will also “stimulate a competitive and innovative data market by unlocking industrial data, and by providing legal clarity as regards the use of data.”
What It Means
If all this sounds a bit cryptic, here’s some clarity around what it means:
- The Data Act gives users of connected devices the right to access and reuse the data that’s generated through their use of the devices or associated services. “Devices” includes everything from a connected toothbrush, fridge, or car to an industrial robot, railway engine, or wind turbine. This also means that “user” comprises individual consumers as well as companies or other entities.
- Users also have the right to pass their data to third parties. And as we’ve already been asked whether it really does include cars, the December 2023 press release announcing the adoption of the Data Act by the Council of the European Union specifically gave the example of a car owner sharing vehicle data with a mechanic.
- The Act goes beyond data access and sharing: It gives users rights over their data. For example, users will have a say in how their data is used and on what commercial terms. The portability right means that individuals and businesses can transfer their connected-device-generated data between services, and providers will need to support those transfers.
- Interoperability is a key plank of the Act, which specifically states that “[a]n ambitious and innovation-inspiring regulatory approach to interoperability is needed to overcome vendor lock-in,” referencing ISO/IEC 19941:2017 (a standard for interoperability between cloud computing services) as a starting point.
- The Act references safeguards intended to ensure that data access doesn’t interfere with the secure functioning of a connected product and that IP rights and commercially confidential data are protected.
In a nutshell, there’s a lot to digest here. And as is always the case with new legislation, there are gray areas; in this case, those gray areas may have an unusually large number of shades due to the Act’s wide remit, covering consumer devices as well as industrial machinery. A lot of the gray may only go away as we begin to see cases being brought: Enforcement officials, lawyers, and the courts will work out how sweeping clauses in the Act should actually be interpreted.
What To Do Next
If you haven’t already started, here’s a to-do list:
- Ensure that you’ve got a handle on your data. For example, do you have the answers to the following (and more) questions? Do you know what data’s being captured, by whom, when, where, and why? In what format? Where is this data stored? Who has access? Who decides who has access? Who’s permitted to do what with the data? Do you document data access and use? Are your data and process flows documented?
- Assess what’s involved if you have to respond to a data access request.
- Talk to your legal counsel (internal and/or external) to help you understand what the Data Act means for your company.
- With your lawyers, review existing data-sharing agreements in case they put you in violation of the Data Act. Assess whether you currently offer services that may become commercially unviable as a consequence of the data-sharing requirement.
- Consider what risks could arise from the right to share data with third parties. Industrial firms are already concerned that data and metadata could fall into the wrong hands and lead to security risks or exposure of IP and trade secrets.
- Think about opportunities, as well: Is there data you would like to use because it enables you to improve a product or service or to innovate? Check whether the Data Act gives you access rights to that data.
- Bring your ecosystem partners to the table.
Stay tuned for more insights in the coming weeks, and please get in touch if you have any questions.