EU Data Act: Action required for Connected Products, Related Services and Cloud Computing
On 27 November 2023, the EU Council adopted the Data Act, the final step after the text had been adopted by the European Parliament on 9 November 2023. Following the formal adoption by the Council, the new regulation will be published in the EU's Official Journal in the coming weeks and will enter into force 20 days after this publication.
The Data Act - an EU regulation and as such directly applicable in all EU member states - provides for harmonized rules for "fair access to and use of data". Unlike the GDPR it is not limited to personal data. The aim is to make this data commercially usable.
It is already clear that the Act will go well beyond regulating the "Internet of Things" (IoT). It relates in particular to "connected products" and cloud services.
Below we provide an initial overview.
DATA SHARING: Far-reaching obligations are imposed on data holders, in particular provision and access obligations in relation to user data.
Data from connected products or related services may have to be shared with the user or a third party (data recipient). This is intended to strengthen the rights of users in relation to the data holder. It is also intended to encourage new players to invest in the data economy.
Connected products and related services must be designed in accordance with the requirements of the Data Act ("access by design"). Moreover, the Act requires data holders to make data from connected products or related services accessible free of charge and, where applicable, continuously and in real time.
To date, many connected products and related services have not been designed with this in mind, which is why the Data Act and its obligations must be considered from the very beginning of product development in future.
Vice versa, data holders are no longer allowed to freely share non-personal data with other players - for advertising purposes, for instance. In this respect, the right to share data is generally restricted to the extent necessary to fulfil the user contract. Any further sharing of non-personal data may in future require a data licence agreement. This is also likely to affect existing data records.
With a few exceptions, small and certain medium-sized enterprises (fewer than 50 employees or less than EUR 10 million annual turnover) are exempt from the obligation to share data.
UNFAIR CONTRACTUAL CLAUSES: The provisions on unfair contractual terms (Chapter IV) are meant to prevent the abuse of contractual imbalances. The law introduces a ban on unilaterally imposed unfair terms in B2B contracts and is modelled on the law on general terms and conditions. In addition to a general clause, the Data Act also contains (non-exhaustive) examples of unfair terms. These include, for instance, provisions that limit liability for the quality of the data provided. Furthermore, exclusive rights of use to data that are imposed unilaterally can be problematic. To support this, the European Commission is to publish model contract clauses that companies can use for orientation.
DATA FOR THE PUBLIC SECTOR: In emergencies, such as natural catastrophes, public sector bodies must be provided with data that is required to deal with the emergency.
REGULATING DATA PROCESSING SERVICES, ESPECIALLY CLOUD SERVICES: The Data Act is intended to facilitate switching between similar "data processing services" (Chapter VI). The generic term "data processing services" includes, inter alia, Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). These provisions are intended to break up the EU cloud market and facilitate the portability of data between cloud providers. The regulations are very detailed and primarily cover technical and organisational measures, but also contractual details. For instance, a maximum limit for cancellation periods is provided for. Furthermore, interfaces must be created for data transfer when exporting data between different cloud service providers. In addition to these very detailed requirements for individual cases, however, there is also a seemingly boundless ban on obstacles to switching ("In particular, providers of data processing services may not impose any pre-commercial, commercial, technical, contractual or organizational obstacles and must remove such obstacles"). Exceptions apply to "custom-built" data processing services.
INTERNATIONAL DATA TRANSFER AND INTEROPERABILITY: International data transfer is also specifically regulated to prevent unlawful access to non-personal data by foreign state authorities (Chapter VII). However, the requirements are not identical to the provisions of the GDPR on data transfers to third countries. Additionally, regulations on interoperability are provided for (Chapter VIII).
Late Changes to Definitions
The law-making process for the Act started in early 2022. There were still significant changes late in the legislative process, even in provisions such as the definitions of "connected product" and "related service". These are, however, fundamental to the scope of application of the Act, specifically for determining who is considered a "data holder" and is thus subject to numerous obligations. The European Commission's initial draft still excluded devices such as PCs, smartphones, and game consoles. In the text which has now been adopted, they are no longer excluded.
The definitions of the terms "connected product" and "related service" now read as follows:
‘connected product’ means an item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user;
‘related service’ means a digital service, other than an electronic communications service, including software, which is connected with the product at the time of the purchase, rent or lease in such a way that its absence would prevent the connected product from performing one or more of its functions, or which is subsequently connected to the product by the manufacturer or a third party to add to, update or adapt the functions of the connected product;
Trade Secrets still little protected
The obligation to share data may even extend to trade secrets, although there have also been some changes in the course of the legislative process. It is striking to see that the protection of trade secrets appears to be weaker than under the GDPR. In principle, the protection of trade secrets comprises a multi-level mechanism: the relevant data must first be identified as a trade secret by the data holder or trade secret holder. The parties involved in the data transfer must then agree on contractual, technical and organizational measures to ensure the confidentiality of the trade secrets to be transferred. Model contractual terms will also be available for this purpose in future. Once protective measures have been agreed, trade secrets must also be disclosed. It remains unclear how a data holder should enforce these protective measures in practice vis-à-vis the recipients of the data, i.e. typically their own users or authorized third parties. Basically, the disclosure of trade secrets can only be suspended if no agreement can be reached on the protective measures to be taken or if these are insufficiently implemented by the recipient of the data. However, the latter will often be accompanied by the compromising of trade secrets. Any decision to suspend the transfer of data must be justified by the data holder and reported to the competent authority.
The data holder may also refuse to disclose trade secrets ex ante in individual cases under exceptional circumstances if it can demonstrate that the disclosure of the trade secret is highly likely to cause it serious economic harm; in this case, too, the data holder must inform not only the user of the refusal, but also the competent national authority. The threshold for the right to refuse ("highly likely to suffer serious economic damage") was relaxed somewhat late in the legislative process, but is still very high. This is regrettable from the perspective of the data holder or trade secret holder, as this ex ante right could in many cases be the most effective way of preventing the disclosure of trade secrets from the outset.
What about the GDPR?
Unlike the GDPR, the Data Act applies to both non-personal data and personal data. The GDPR primarily serves to protect natural persons and creates a legal basis for the processing of personal data. The Data Act, in contrast, primarily aims to realize the free movement of data. The Data Act does not affect the GDPR, i.e. in cases where a connected product or a related service is used and personal data is also generated, both laws apply in parallel.
In particular, the Data Act is not intended to reduce the protection offered by the GDPR for personal data and therefore cannot serve as a legal basis for data processing under the GDPR. In practice, this will probably cause more difficulties than it seems at first glance, especially if a connected product or a related service collects both personal and non-personal data: in this case, the latter may have to be passed on, but the former may not (as far as persons other than the user are concerned), or not easily, because the question then arises as to whether a legal basis within the meaning of the GDPR would allow a transfer. This may create difficult situations for data holders in the future. They must now decide more conclusively than before which data is actually personal data: disclosure may not be mandatory for such data, but it is for data without a personal reference. This is not made any easier by the fact that data from connected products will often have only a "relative" personal reference, and the question of relative personal reference is currently before the ECJ.
There may also be discussions on the question of whether owners of trade secrets can rely on the fact that the GDPR appears to weigh their interests more heavily than the Data Act.
Following the adoption by the Council and the publication in the Official Journal, the Data Act will be directly applicable in all EU member states after a transitional period of 20 months, without the need for implementation by the member states. The so-called "access by design" obligation, i.e. the requirement to design (new) connected products and related services in accordance with the Act, only applies after a further 12 months. Apart from this "access by design" obligation, however, the Data Act not only affects new connected products and related services, but also, at least in principle, those already on the market. This means that owners of existing data records or existing data silos could potentially also be subject to the new rules, in particular the data provision obligations and the restrictions on data use (such as the requirement of a data licence agreement). For such potential data holders in particular, the period of 20 months could be quite short to adequately prepare for the obligations of the Data Act.
Dr Andreas Lober