Data Act pills

Who?

The Data Act lays down obligations for:

• manufacturers of IoT devices;
• sellers/rentors/lessors of IoT devices;
• providers of "related service(s)";
• data holders.

Certain exceptions apply for micro, small and medium enterprises.

Data holder: a natural or legal person that has the right or obligation to use and make data available. The manufacturer, seller/rentor/lessor, provider of a "related service" and the data holder are placed different obligations. They might be the same person or they may not. In the latter case, an analysis on the specific obligations placed on each of them is needed.

The Data Act grants new rights to users.

User: a natural or legal person that owns an IoT device or that has the right to temporarily use the IoT device, or that receives certain services via the IoT device. The rights described below are thus not only applicable B2C but also B2B. 

What?

Which products/services

Connected products: i.e. IoT devices collecting and generating data concerning their use or environment and that are able to communicate such data (either via electronic means or via a physical connection/on-device access).

Related services: i.e. digital services whose absence would prevent the connected products from performing one or more of its functions (this includes services connected to the product at the time of purchase or subsequently connected to a connected product by the manufacturer or by a third party to add to, update or adapt its functions).

Which data

Both non-personal and personal data, including the relevant meta data. However, GDPR rules and national data protection rules remain fully applicable and, in case of conflict, they prevail over the Data Act. In practice, this means that the Data Act is mainly relevant for non-personal data.

Which obligations

Users will have free of charge access to data of connected products and related services and will be able to freely use such data as well as to ask the data holder to make them available to third parties.

Manufacturers must design the devices so as to grant users access to data by default. Access should be ensured directly to user, where relevant or technically feasible. In any case, access should be easy, secure, free of charge, in a comprehensive, structured, commonly used and machine-readable format. Also the relevant metadata necessary to interpret and use data must be made available. Where data cannot be directly accessed by the user from the connected product or related service, it is up to the data holders to make readily available such data.

The data holder cannot rely on the fact that certain data are trade secrets to prevent users access to data. However, access can be refused in certain circumstances, for instance where the user does not agree with the data holder on the necessary measures to preserve confidentiality of trade secrets or fails to implement them. In exceptional circumstances, where the data holder who is a trade secret holder is able to demonstrate that it is highly likely to suffer serious economic damage from the disclosure of trade secrets, despite the technical and organisational measures taken by the user, that data holder may refuse on a case-by-case basis a request for access to the specific data in question.

Furthermore, the sellers/rentors/lessors of IoT devices and the provider of related services must provide users with certain information. 

For instance, among other things:

• the sellers/rentors/lessor must provide information on how to access and erase data, the type, format and estimated volume of product data which the connected product is capable of generating, whether the device generates data continuously and in real-time, where data are stored (i.e. on the device or on a remote server); 
• the providers of related service must provide information on the nature, estimated volume and collection frequency of data that the prospective data holder is expected to obtain and, where relevant, the arrangements for the user to access or retrieve such data, including the data holder’s data storage arrangements and the duration of retention; additionally  the providers of related service inform the users on the existence of possible trade secrets and on the identity of the relevant trade secrets holder.
   

In a B2B context, an enterprise should refrain from including in the agreement unilateral unfair terms aiming at limiting access to and use of data for other enterprises. Any unilaterally imposed unfair term would not be legally binding to the user. Other pieces of law already cover these aspects in the B2C context.

Why?

Why contracts are so important

Sellers/rentors/lessors, providers of related services and data holders should carefully draft the agreements related to data (we refer both to the upstream agreements, e.g. with manufacturers, and to the downstream agreements, e.g. with users): amongst the other reasons, appropriately drafting agreements is necessary to correctly identify the roles of the subjects involved; it is required to meet the transparency requirements towards users; it is strategic, as it is the only legal way to maintain some control over the data (i.e. by providing in the agreement that the data holder will use data for its own purposes).

Why a Data Act

The Data Act is aimed at enhancing the data economy and foster a competitive data market in the European Union, by making data (in particular industrial data) more accessible and usable, encouraging data-driven innovation (e.g. the development of new competing related services) and increasing data availability. For instance, access and portability rights provided under the GDPR are facilitated and, in practice, extended also to non-personal data.

Where?

The Data Act applies to manufacturers of connected products placed on the market in the European Union and providers of related services as well as to data holders that make data available to recipients in the European Union, irrespective of the place of establishment of those manufacturers, providers and data holders. All users in the European Union benefit from the rights under the Data Act.

When?

The Data Act will be applicable from 12 September 2025.

The obligation for manufacturers to design and manufacture products so as to grant users access to data by default is applicable from 12 September 2026.

Unfair terms provisions on data in the B2B context shall apply to contracts concluded after 12 September 2025. As for contracts concluded before 12 September 2025, the unfair terms provisions on data in the B2B context are subject to the ban provided by the Data Act only if they are either of indefinite duration or due to expire at least 10 years from 11 January 2024 (i.e. after 11 January 2034).
 

The information in this page does not constitute a legal advice. It is not complete and only takes into account certain provisions of the Data Act.