EU aims at governing innovation and protecting individuals and small businesses in a European data-driven society. European Union is a leader in legislation for a data-driven society.
The EU Data Act deals with data sharing, interoperability standards, and cloud switching.
EU Data Act will shape the way we deal with data, especially industrial data and data generated from interconnected devices, with a huge impact on industries, professionals and consumers.
Herein you will find some keypoints of this new law which is strategic and represents an opportunity of growth.
EU DATA ACT: what is it?
The EU Data Act is the last cornerstone of the EU Commission’ s Strategy of 2020 aimed at making the EU a leader in a data-driven society.
The Data Act proposed by the European Commission, on 23 February 2022 is a Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (hereinafter, “Data Act”). The Data Act contains new general rules directly applicable in the 27 EU member States, for access, sharing, portability, and use of all data, including industrial and non-personal data. So, it goes beyond the IOT products and the cloud sector.
The Data Act clarifies especially who can create value from non-personal data, defined as the “the new oil”, value that goes mostly lost and unused (80%) or solely controlled by one business party.
The EU Data Act is part of the Commission’s regulatory initiatives for the data economy, with the Digital Markets Act (Regulation EU 2022/1925), the Data Governance Act (Regulation 2022/868), the Digital Services Act (Regulation EU 2022/2065) and the AI Act (ongoing proceedings in European Parliament and Council).
Even if there is some overlap with other pieces of legislation, such as the GDPR (which prevails in relation to personal data and mixed set of data), and some criticism concerning the protection of trade secrets, the EU DATA Act has its main focus and certainly the largest degree of intended regulatory impact on the IoT products and markets. The other sectors are involved too, since
the EU Data Act is an horizontal legislation having general application. However, the Commission made clear that some sectors will comply with more specific rules (for example, the automotive sector).
European Data Act 2023: all the news
The Data Act introduces five key principles:
- Each user – being a business or a consumer – has a statutory right to access and use data generated by IoT products and to share such data with third parties.
- European small and medium enterprises are protected against unfair commercial contracts and practices on data sharing imposed to them by other parties;
- The users have statutory rights which protect them in case of switching between cloud service providers;
- In some exceptional cases and in the public interest, the European governments can impose companies to share their data with them;
- Some safeguards will prevent an unlawful access in international contexts to non-personal data held in the Union.
Data sharing obligations
The Data Act ensures that a wider range of stakeholders gain control over their data and that more data are available for innovative use.
As an example, if a factory robot breaks down, only the manufacturer may access the data and repair it. The user is not in the position to extract all the data it needs or to entrust others of the repair. The Data Act aims at correcting these commercial and contract unbalances.
The data act states clearly that
“The data represent the digitalisation of user actions and events and should accordingly be accessible to the user” (recital 14a).
Therefore the Data Act gives a new legal protection to the B2B user on the data it generates by using a product or a service.
Before, a legal protection was granted only to the natural person and only in relation to his/her personal data. The Data Act goes beyond that and gives a statutory right on non-personal data that either companies or individuals may generate.
An example will help to clarify this aspect.
When we buy a ‘traditional’ product, we acquire all parts of that product and we can make any use of it. However, when we buy a connected product (e.g. a smart home appliance) generating data after sale, it is often not clear who can do what with the data.
In the case of a smart industrial machinery, only the manufacturer can really access, collect and share all the data generated by the user and often the user has no right to obtain more data from the manufacturer or collect them in a different way.
The Data Act gives individuals and businesses more control over their data through a reinforced data portability right, copying or transferring data easily from across different services, where the data are generated through smart objects, machines and devices. For example, a machinery owner could choose to share data generated by their use with its consultant, in order to have derivative data and increase its productivity. Car owners could choose to share data generated by their use with their insurance company. Such data, aggregated from multiple users, could also help to develop or improve other digital services, e.g. regarding traffic, or areas at high risk of accidents.
The ultimate goal of the EU legislator is to empower EU SMEs and create new data markets.
Thanks to the EU Data Act, will be easier to transfer data to and between service providers and this will encourage more actors, including SMEs, to participate in the data economy.
Contracts for the use of data
Fist of all, the Data Act states that both data holders and data users can access data generated by a IOT device or an interconnected machine.
Moreover, all B2B and B2C relations, especially concerning IOT products, are subject to fair contracts. Data holders and data users must conclude a fair contract for the use of data.
The Data Act leaves the party free to formulate and negotiate their contracts, posing certain limits:
It contains a list of unfair commercial terms and clauses.
Unfair clauses concerning data sharing
A clause will be considered unfair if:
- It grossly deviates from good commercial practice in data access and use and/or is contrary to good faith;
- It excludes or limits the liability of a party for intentional acts or gross negligence; or excludes the contractual remedies against the defaulting party;
- grants the data holder the exclusive right to determine if the data supplied is in conformity with the contract or not.
A clause will be presumed unfair if, inter alia:
– it prevents the user to make use of the data or not allow the use, capture, access or control of such data or exploit the value of such data in a proportionate manner;
– it includes an unreasonable short notice, except where there are serious reasons to do so.
Even if Data Act does not rule on monetarization, it leaves open the possibility of monetarization of personal and non-personal data, to the benefit of the user ( Art. 4(6) and Art. 6(2)f). At the same time, the data holder has the right to a limited monetary compensation for enabling the data access to a third party which is authorized by the user.
Duty not to spy and not to undermine the commercial position of the user
Very importantly, the Data Act states that all data holders are under a duty not to misuse any data generated by the use of the product or related service. It is forbidden for the data holders, “to derive insights about the economic situation, assets and production methods of or the use by the user that could undermine the commercial position of the user in the markets in which the user is active”. (par. 4(6)).
Which are the next steps?
The Data Act must now be adopted by the Council and the European Parliament.
Once approved, there is only a twelve month period prior to the direct application of the Data Act.
What does EU Data Act means for your company?
If your company is a IOT manufacturer, you will have to comply with the new mandatory obligations of the EU Data Act. As an example, by design, the machine should give the user control on the data generated by its use. As a manufacturer, your company should verify if its product is compliant and amend its contracts, not only to obey to the law but also to gain a competitive advantage on the market and attract more customers.
On the other hand, if your company wants to gain value from data or enter into new markets, it should start thinking about the possibilities offered by this new legislation, such as the new sharing and portability rights in the data generated by the interconnected machines or devices. Moreover company associations in Europe should inform their associates and develop their own model rules on data sharing, for their benefit.
Our suggestion is to always rely on experts in Internet law and GDPR!
Immagine di rawpixel.com su Freepik