What is the Data Act in and to whom does it apply?
The Data Act is a key pillar of the European Union's data strategy with the overarching goal of promoting the digital transition in the European Union. This EU regulation aims to ensure fair access to and use of data. The Data Act has a broad scope of application and is relevant to manufacturers and users of physical Internet of Things (IoT) products, providers of related services, business data holders and recipients, providers of data processing services (cloud and edge service providers) and national and European public institutions. As it is a European regulation, the rules from the Data Act have direct effect in the Netherlands without having to be implemented in national legislation.
What dates are we talking about exactly?
The Data Act uses a broad definition of data. 'Data' means any digital representation of activities, facts or information, including images and sound. This can include both personal and non-personal data. Thus, when it comes to the data sharing obligation under the Data Act, it involves data collected or generated by IoT products.
What are IoT products?
The Data Act defines IoT products as products that can be connected to the Internet to then exchange data with other products (or systems). In this case, it is the IoT products themselves, but also the related service. The related service is the service necessary for the functionality of the IoT product. IoT products are often referred to as smart products. Examples include a smart doorbell, robotic vacuum cleaner, washing machines, medical equipment, agricultural machinery and other industrial machinery.
What does the Data Act regulate?
- The Data Act (also known as the Data Act) is a new European law that aims to create a fair and competitive data market for businesses and consumers. It seeks to facilitate the sharing and reuse of data (data).
- It places an obligation on manufacturers of IoT products and providers of related services to make data accessible to users and third parties.
- The Act contains new rules that will make it easier for cloud service customers to switch providers.
- Under the regulation, unfair terms relating to the access and use of data between companies are prohibited.
- It also provides that in some situations, government agencies must make data available by data holders free of charge when there is an exceptional need to use the data for a specific public interest task.
- The Data Act provides interoperability standards for participants in data spaces that offer data or data services to other participants.
- Finally, data processing service providers must take appropriate safeguards to prevent international government access and access by governments of so-called third countries if such transfer or access violates European Union rules.
Sharing data with third parties
In many cases, data from IoT products is currently collected exclusively by the manufacturer. This gives the manufacturer a competitive advantage as it makes the user dependent on the manufacturer and unable to turn to other parties for repair, for example. The Data Act contains specific measures to allow users of products to access the data collected by the manufacturer. This data must be provided in a simple, secure, structured and cost-free manner so that it can then be shared with a third party that provides aftermarket (repair) services, for example.
This third party is also bound by rules and should include the data:
- use only for the purposes agreed upon with the user and delete the data when it is no longer needed;
- not be made available to an organization that qualifies as a gatekeeper under the Digital Services Act (mostly large online platforms); and
- Not to use in a way that adversely affects the security of the product or service connected to the Internet.
Please note that micro and small enterprises qualified as third parties are in principle not subject to the aforementioned obligations.
Unfair contractual terms
The Data Act provides that contractual terms imposed on micro, small or medium-sized enterprises are not binding if they are unilaterally imposed and deviate from good business practice. Specifically, these are contractual terms regarding access to and use of data or liability and remedies open for a breach or termination of data-related obligations.
A contractual provision is unfair, among other things, when it contains:
- liability is limited unilaterally in cases of intentional or deliberate recklessness;
- the party to whom the clause is unilaterally imposed is excluded from remedies available to it in the event of non-performance of contractual obligations; and
- the party imposing the clause acquires the exclusive right to determine whether the information provided is in line with the agreement.
Switching to another data processing service
Furthermore, the Act contains rules that make it easier for customers of data processing services (cloud services for short) to switch to another provider. Cloud service providers should therefore not create pre-commercial, commercial, technical, contractual and organizational barriers to users. The Data Act seeks to address these issues by making it contractually easier to switch service providers or transfer data and records. In doing so, it is important that full support and service continuity remain in place during the transition.
