The EU Data Act has been adopted - a milestone for the European data economy

 

Users receive access to device data

The EU Data Act has the potential to be ground-breaking. Until now, usage data from IoT devices has mostly been available only to manufacturers or their group companies (in the EU Data Act: data holders). The EU Data Act aims to change this.

In the future, users will have free access to the data generated in their IoT device (connected product) through individual use. The EU Data Act covers a wide range of devices - from smart home products to cars and production machines.

By default, the data is to be provided directly on the device or be easily accessible from the data holder free of charge. The semantic information (metadata) required to utilise the data must also be provided.

This obligation to disclose also covers data that is processed by the software on the affected device or in an associated app.
 

What are the opportunities?

With the EU Data Act, the EU wants to leverage the treasure trove of data from IoT devices. Data can be exchanged and analysed. This is to ensure that third parties can provide services based on IoT data on an equal footing with manufacturers. For example, the data should help to optimise processes in industry, transport, and agriculture. At the same time, the data to be provided is ideal training data for artificial intelligence.
 

Manufacturers have to do a lot

For product manufacturers, the approval of the EU Data Act gives rise to various requirements for action:

  • In the future, products must enable "data access by default", i.e., they must be designed in such a way that the legally required data access is already enabled on the device.
  • Users must be provided with information on "WHETHER" and "HOW" to access the data. Documentation must therefore be created and made available.
  • By default, manufacturers are not allowed to use the data for their own purposes. To make use of the data, data holders require the contractual authorisation of the users. Corresponding contractual terms (usually in general terms and conditions) need to be implemented and must be balanced.
  • If data cannot be accessed directly on the device, it must be retrievable from the manufacturer. The user's individual authorisation to receive data must be validated.
  • Not all components within a product originate from the manufacturer itself. The manufacturers must therefore require their suppliers to fulfil data access rights and documentation. The contracts within the supply chain need to be adapted accordingly.
  • The data protection requirements, in particular the GDPR, must also be complied with for IoT data.
  • The protection of trade secrets must remain ensured. Manufacturers must therefore check to what extent their IoT data contains trade secrets. To protect them, non-disclosure agreements must be concluded and technical and organisational measures must be taken. Where manufacturers refuse to disclose data due to protection of trade secrets, the supervisory authority needs to be notified. Appropriate documentation is required for this.

 

By when does the EU Data Act need to be implemented?

The EU Data Act has a transitional period of 20 months after publication in the EU Official Journal. Such publication is expected before the end of 2023, meaning that the regulation will have to be observed from the second half of 2025.

The obligation to provide data access "by design" applies only to new products, with an additional transition period of a further year, i.e., until the second half of 2026.

In view of the usual product cycles, manufacturers do not have much time to prepare.

 

What are the consequences of non-compliance?

The EU Data Act requires member states to impose fines for breaches of the obligations. It remains to be seen how high such fines will be. However, the risk of civil lawsuits is likely to be more relevant if users - especially in the B2B environment - want to gain access to valuable data.

 

Our offer to clients

We can support clients in implementing the EU Data Act in their company. For manufacturers, the first step is to determine the specific impact on products and to identify legally compliant implementations in workshops.

If clients wish to use collected data, we can work with them to identify the new possibilities of the EU Data Act and how they can use and share data.

 

For more information please contact:

MATTHIAS NIEBUHR
Lawyer | Specialised Lawyer for IT Law

matthias.niebuhr@bdolegal.de

Member of the EU Commission's expert group on B2B data exchange agreements under the EU Data Act.