The European Commission has published FAQs on the Data Act, one of the pillars of the European Data Strategy with several impacts on Internet of Things (IoT) devices and any connected technology.
Although non-binding, the FAQs provide important clarifications on several aspects of the legislation.
The Data Act focuses on connected products or services. It provides for cases where there’s an obligation to make available and/or share data (personal and non-personal) generated by the products or services. It also provides for additional protections in data sharing and cloud computing contracts, the development of interoperability standards for data access, use and transfer, and measures to facilitate switching between different operators.
Relationship between the Data Act and the GDPR
The FAQs begin with an analysis of the relationship between the Data Act and Regulation (EU) 2016/679 (the GDPR). The EU Commission confirms that where an activity carried out under the Data Act also qualifies as processing under the GDPR, the competent data protection authorities will be responsible for overseeing the application of the Data Act, to avoid the need for the data subject to contact two separate authorities. However, it will still be possible for countries to designate an ad hoc authority to monitor compliance with the other provisions of the Data Act. The EU Commission also emphasized that in the event of a conflict between the provisions of the Data Act and the GDPR, the latter will prevail.
A hotly debated issue is the scope of the right to data portability under the Data Act, and how it differs from the corresponding right under the GDPR. This aspect is quite relevant, as the exercise of the portability right could lead to the disclosure of trade secrets to competitors. On this point, the FAQs explain that the Data Act builds on the GDPR’s Article 20 data portability right, which allows data subjects to transfer their personal data only on certain legal bases (consent or contract) and where technically feasible. In contrast, the Data Act extends portability rights to IoT users, including both personal and non-personal data, and applies to both data subjects and businesses. It allows data to be accessed and transferred regardless of the legal basis, often in real time. This makes it easier for data subjects to transfer personal data between entities, such as those providing repair or maintenance services. At the same time, it makes such a right more relevant for companies that need to adequately protect their trade secrets.
Access to and use of data in the context of the Internet of Things under the Data Act
Access to data generated by a connected product or service is at the heart of the Data Act. In the FAQ, the Commission clarifies several points:
- The notion of connected product: the Data Act applies to all connected products and connected services, including devices such as smartphones and TVs, whose exclusion from the list in recital 14 had raised doubts. The only exceptions are services whose sole purpose is to transmit data (e.g. servers or routers).
- Data to which there’s a right of access: The FAQs clarify that, in relation to “readily available data”, only data generated after the entry into force of the Data Act will be subject to this obligation. The Data Act also covers data generated by the connected device when it’s located outside the EU.
- Beneficiaries of the right of access: The definition of users includes persons residing in the EU with a “stable right” to the product, which is not limited to data subjects. It excludes those who use the product or service on the basis of non-contractual relationships. If there is more than one user, it must be ensured that each user can access only the data of his interest. And, at the user’s request, the data can be disclosed to third parties (recipients), except for operators who qualify as “gatekeepers” under the Digital Markets Act. However, if the recipient isn’t established in the EU, the request cannot be complied with.
- Who must comply with the obligation: The FAQs also emphasize that this person is not necessarily the producer of the goods or the provider of the service, who may contractually assign this role to a third party. The FAQs also note the incompatibility of the two roles of “data user” and “data controller”.
- Modalities of access: Access to the data can be “direct” or “indirect”, depending on whether the user can directly access the data without the intervention of the controller. The EU Commission strengthens the discretion on how to implement the right of access by excluding the obligation to ensure direct access “at any cost”.
- Limits to the right of access: In the case of the need to protect trade secrets, access can’t be denied (unless significant economic harm could result from disclosure), but the controller can take measures to protect them, including confidentiality agreements with the user. Instead, access may be denied if there are security concerns.
- Use of data: The data collected may be used:
  - by the controller for any purpose, provided that the use has been agreed with the user;
  - by the user; and
  - by the recipient for contractually agreed purposes, excluding the development of competing related products.
Other relevant aspects of the FAQs on the Data Act
The EU Commission raised the following additional issues:
- Protective measures: certain measures, such as data encryption, are expected to be put in place to protect non-personal data.
- Remuneration: In relation to the “non-discriminatory” remuneration that recipients must pay to the controller, the FAQs clarify that no maximum or minimum amount will be set, but that reasonableness will be determined on a case-by-case basis by assessing the equality of recipients.
- Business-to-Government Data Sharing: The FAQs clarify that the facts to be taken into account in determining the grounds of “public emergency” that legitimize the exchange of data between private and public entities will be determined by national law. It also establishes the nature of the “last resort” sharing, which will only be possible if the public authority cannot obtain the data in any other way.
- Business-to-business data sharing and cloud computing contracts: The FAQs confirm that work is underway to adopt standard contract templates and clauses to protect SMEs and users of cloud computing services from unfair contract terms.
- Switching between computing services (e.g. SaaS): With regard to measures to reduce the costs of switching between different providers, the FAQs state that the costs should not exceed the – unavoidable – costs incurred by the computing services in switching.
What should companies do now?
The Data Act is an EU Regulation and will become applicable on September 12, 2025. As such, there will be no implementing measures by EU Member States, even though the Act leaves some room for aspects to be determined at the local level. In view of the applicability date, businesses should adopt measures to ensure that they are fully compliant with the Act while minimizing its potential negative impact on their business.
Feel free to contact us at DLA Piper to discuss the matter. On a similar topic, you may find the following article interesting: “When the Internet of Things meets the blockchain”.