The Data Act Proposal aims to provide fairness to data access and proposes new rules on who can use and access data generated in the EU across all economic sectors. It creates the obligation for manufacturers and designers to share data with their users and other businesses, defines and forbids unfair terms in data sharing agreements, creates the obligation for companies to share data with public sector bodies in cases of emergency and regulates the right of users to switch between cloud data-processing services.
In this first post of the Data Act series we will address the business-to-consumer and business-to-business obligation to make data accessible that the Data Act Proposal will create. It is important to understand which data is covered by this obligation, the extent of and restrictions on the sharing, how this works if personal data is involved, and what rights data holders have to avoid abuse.
The Data Act Proposal (available here) is a fundamental and necessary step in the digital transformation journey of the EU Member States. Together with the Data Governance Act (available here), it establishes a standardised set of European rules on fair access to and use of data.
The volume of data generated in the EU is constantly growing. In 2018, 33 zettabytes of data were generated and by 2025, the European Commission expects that this volume of data will reach 175 zettabytes. At present, 80% of this industrial data is never used. With the implementation of the Data Act the EU aims to make more data available for reuse, while addressing the legal, economic and technical issues that currently hinder the use of this data.
One of the goals of the Data Act Proposal is to facilitate the access to and the use of data (both personal and non-personal) that consumers and businesses generate through the usage of connected devices, such as Internet of Things products (IoT), and their related services. The access to this data will allow them to use it for their own desired purposes, as well as share it with third parties. This fosters incentives to invest in ways of generating value through data. Currently, users are unable to obtain data necessary to produce metrics, make use of providers of repair and other services, or even to sell it or obtain other profits, and businesses are unable to launch innovative, more efficient and convenient services.
The European Commission gives some examples of what this access to data and its use could look like:
In addition, the list of cases where products collect data from their users is endless: virtual assistants, health devices, industrial equipment, vehicles, home equipment, consumer goods, telephone networks, television cable networks, satellite-based networks and near-field communication networks… The Data Act is transversal to all business sectors in the EU economy.
The Data Act Proposal contains several different obligations and provisions that are very relevant for the business of data in the EU. In this first part of the Data Act series we will focus on this obligation to make data accessible.
Which services or products are covered under this obligation to make data accessible?
Users can request the data that products generate or collect, by means of their components, in relation to their performance, use or environment (e.g. IoT devices). Examples could be health wearable devices, industrial machinery, etc. This right also encompasses products or services that are ancillary to or connected with a service in such a way that without them the service could not perform its functions. For instance, this could be the case of a smart charger that provides data to the manufacturer separately from the “main” product that was acquired by the user.
However, products that are primarily designed to display or play content, or to record and transmit content, are not under the scope of the Data Act. For example, personal computers, servers, tablets and smart phones, cameras, webcams, sound recording systems and text scanners are not covered by this obligation to make data accessible.
Which data needs to be made accessible?
The obligation to make data accessible includes data:
(i) generated as a by-product of the user’s action (such as diagnostics data);
(ii) generated without any action by the user, for instance data concerning the environment (such as when the product is in ‘standby mode’); and
(iii) even data recorded during periods when the product is switched off (e.g. should this happen with smart home devices).
However, only data in the form and format generated by the product is in the scope of this right, so data resulting from any software process that calculates derivative data is not subject to the obligation to make data accessible. The same happens with data produced that is unrelated to the use of a product (this could be the case of data collected to improve the connection of the device).
Who can request it and who is bound by the obligation?
Under this obligation to make data accessible, any user (individual or company) is entitled to get access to the data generated by their use of products or related services, or to have it made accessible to any third party.
This access can be requested from the manufacturer or designer of a product or related service that generates data, or from the relevant rightsholder of the service (broadly, the data holder).
Please note that there are some exceptions where the data holder is an SME or when the user is a very large online platform.
How must the information be provided?
When sharing the data with the user, the data holder shall make available the data generated by the use of a product or related service to a third party, promptly, for free, of the same quality as is available to the data holder and, where applicable, continuously and in real-time and through electronic means.
For which purposes can the information be used by the user or the third party recipient?
The user should be free to use the data for any lawful purpose. Users should be able to access data generated by digital products or services they have already purchased or contracted, enabling them to benefit from such data. Accordingly, both manufacturers/businesses and consumers/individuals will gain control over data generated by such digital products or services.
This includes providing the data the user has received exercising the right under the Data Act to a third party offering an aftermarket service that may be in competition with a service provided by the data holder, or to instruct the data holder to do so.
However, the user / third party cannot use the data to develop a product that competes with the product from which the accessed data originates. In cases where the recipient is not the user but a third party, this third party cannot use the data for profiling or make the data it receives available to another third party (unless necessary to provide the service requested by the user).
Design and transparency obligations for manufacturers / designers
In order for the obligation to make data accessible to be effective, there are two important obligations that manufacturers shall meet:
(a) the nature and volume of the data likely to be generated by the use of the product or related service;
(b) whether the data is likely to be generated continuously and in real-time;
(c) how the user may access those data: make available the preferred method for sharing the data and if needed provide a guide on how to navigate the chosen system;
(d) whether the manufacturer / service provider intends to use the data itself or allow a third party to use the data and, if so, the purposes for which those data will be used;
(e) whether the seller, renter or lessor is the data holder and, if not, the identity of the data holder.
If the user is a data subject, data holders should be obliged to provide them access to their data and to make the data available to third parties of the user’s choice. The Data Act Proposal complements the portability right under the General Data Protection Regulation (GDPR) to the extent that it covers (i) not only personal data, but also non-personal data; (ii) data that is actively provided and passively observed data; and (iii) any data regardless of the legal basis of processing by which personal data was collected and processed.
Where the user of a device or service is not a data subject but a company, the company would be considered a controller. In this case there are three parties involved:
(i) The data subject (physical person whose data are being processed);
(ii) The user that wants to access the data (or that instructs the data holder to make the data accessible to a third party recipient);
(iii) The data holder (the manufacturer or designer of the product).
In these cases, before requesting the personal data generated by the use of a product or related service, it is required for the requesting party (i.e. the user) to have a legal basis for processing the data under the GDPR. This could be the consent of the data subject or holding a legitimate interest. The requesting party should ensure that the data subject is appropriately informed of the specified, explicit and legitimate purposes for processing this data, and how the data subject may effectively exercise its rights.
Where the data holder and the user are joint controllers within the meaning of Article 26 of GDPR, they are required to determine, in a transparent manner by means of an arrangement between them, their respective responsibilities for compliance with that Regulation.
In addition, access to any data stored in and accessed from terminal equipment is subject to the ePrivacy Directive and requires the consent of the subscriber or user within the meaning of that Directive.
Even though the access right is broad, it is not unlimited. Data holders still have some room for maneuver if they have lawful reasons not to share the data with the users, for instance:
(i) the parties should remain free to negotiate the precise conditions for making data available in their contracts with some (very relevant) exceptions to avoid unfair practices (we will address this in more detail in the second publication of this Data Act series);
(ii) trade secrets shall be properly protected in the contractual terms between the data holder and the user / third party;
(iii) data holders can ask third party recipients for compensation (in case of SMEs, compensation shall be limited to the costs incurred and investment required for making the data available); and
(iv) users and third parties to whom data has been made available upon request of the user should only process the data for the purposes agreed with the user and are subject to important restrictions. As explained above, they cannot use the data to develop a product that competes with the product from which the accessed data originates. The data holder can apply protection measures (e.g. smart contracts) to ensure that the user / third party complies with the contractual terms, etc.
In the next post we will address the restrictions on agreements between data holders and users / third parties under the obligation to make data accessible.
The Data Act Proposal contains several restrictions for the use of the data generated by the product or service, in at least two senses:
(i) The data holder shall only use any non-personal data generated by the use of a product or related service on the basis of a contractual agreement with the user;
(ii) The data holder shall not use data generated by the use of the product to derive insights about the economic situation, assets and production methods of the user / third party that could undermine the commercial position of the user in the markets in which the user / third party is active.
Authored by Gonzalo F. Gallego, Juan Ramón Robles, Sofía Ambit and Joanna Rozanska.