The EU Data Act (EDA), which sets out new data sharing rules that will apply in respect of connected products, came into force on 11 January 2024. While its provisions will not be applicable for a while yet, businesses are likely to need the intervening period to scope out, and plan for, the impact that the EDA will have on their product designs, commercially sensitive information, terms and conditions, costs and GDPR compliance. This briefing takes a closer look at these areas of key concern to data holders.

1 Recap of the EDA's data sharing obligations

The EDA creates rights for users of connected products, whether they are individuals or corporate entities, to gain access to data (personal and non-personal data) that they generate from the use of the product or related services. Related services are those services the absence of which would prevent a connected product from performing one or more of its functions, or which are subsequently connected to the product to add to or adapt its functionality.

Where technically possible, data should be accessible directly by the user e.g. from on-device data storage or from a remote server. Where direct access is not possible, data must be made available without undue delay, easily, securely, in a commonly used and machine-readable format, and, where relevant and technically feasible, of the same quality as is available to the data holder, continuously and in real-time. There are transparency obligations imposed on data holders: data holders must provide clear and comprehensive information on the data that will be generated, including the nature and volume of the data, how this data will be used, means of access and the right to lodge a complaint with a competent authority.

The data sharing obligations do not end there. The EDA also obliges data holders to share data with public sector bodies in the case of emergency. Perhaps of greatest concern to data holders is the obligation also to share data (at the user's request) with third parties, which could include the data holders' competitors.

Similar to GDPR's "privacy by design" concept, manufacturers of connected products need to design their products and related services so that they support all of these data sharing obligations (i.e. direct access, where possible).

There are some limited protections for data holders, including for trade secrets (on which, see section 4 below). The possible anti-competitive use of these data access provisions is also addressed to a degree. For example, "Gatekeepers" under the EU Digital Markets Act – the very largest online platforms (e.g. social networks, online marketplaces and search engines) – are ineligible to receive data.

Any business that sells connected devices in the EU, where the data recipients are also in the EU, will need to consider the implications of the EDA – the location of the data holder, within or outside the EU, is not relevant. There are however some carve-outs for data holders that are SMEs.

2 What timetable do data holders need to meet?

The application of the EDA is staggered and the timeline below shows when the various obligations begin to apply.

[Image: timeline showing when the EDA's obligations begin to apply]

3 What products and data are out of scope?

Data holders may wish to undertake a scoping exercise, if they have not done so already, to work out what can legitimately be de-scoped from their data sharing obligations. The scope of the sharing obligations is undoubtedly very broad. For example, the "related service" concept forces data holders to think beyond the confines of a particular device and to identify extensions to its functionality that exist elsewhere and capture data about the use of the device, perhaps an app or other smart product, such as a TV or smart plug. There are nevertheless carve-outs for products and data which data holders may look to explore to limit what they will share:

  • The data sharing obligations only apply to raw data and pre-processed data in respect of connected devices – pre-processed data is data that's enriched by metadata to provide basic context and time stamp to make it usable. Importantly, data that is derived from the raw data and which is the outcome of additional analysis and investment is not subject to the data sharing obligations under the EDA.

  • The original draft of the EDA mentioned content-rich products such as PCs, smartphones, cameras and webcams specifically as falling outside the scope of the EDA – this is no longer the case in the final version and these products remain within scope, but the EDA still does not apply to data when the user records, transmits or plays content (textual, audio or AV content) nor to the content itself.

  • If the design of the product does not foresee data to be stored or transmitted outside the component in which the data is generated, then there's no obligation to make it retrievable and share it.

  • Prototypes, as well as products the primary function of which is storing, processing, or transmitting data on behalf of any party other than the user (e.g. servers, cloud infrastructure), are excluded from scope.

4 Are there any other restrictions to protect data holders?

Safety exception. It will also be possible under the EDA to agree contractual restrictions to restrict or prevent access where the data holder can show that the sharing of data can jeopardise personal safety – for example, where sharing creates a vulnerability from a cyber perspective that creates a safety risk. To rely on this carve-out, data holders would need to notify the competent authority (i.e. the designated authority in the relevant Member State) and there's then a process for complaint and redress if the user disagrees.

Trade secrets. Initially, the draft legislation did not contemplate that raw data could comprise trade secrets and overlooked the fact that, once aggregated, those datasets could be analysed and reverse engineered to provide useful intelligence about how the product or service operates. Following lobbying by OEMs, the legislators introduced provisions to protect trade secrets, but the protection of trade secrets is still not straightforward under the EDA.

The starting position is that data comprising trade secrets should be shared but that trade secrets should be protected using terms and conditions with data recipients and/or technical measures. (The common idiom "you can't put a genie back in the bottle" may spring to mind here!) A data holder can then withhold or suspend data if a data recipient does not agree to the relevant terms and conditions or measures, fails to implement them or otherwise acts in a way to compromise the confidentiality of the information. In order to avoid sharing data altogether, however, a data holder would have to demonstrate on a case-by-case basis that it is "highly likely to suffer serious economic damage" as a result of sharing the data. This is a high threshold and would require the data holder to substantiate their decision in writing to the user without undue delay and to notify the competent authority. There is then potentially a complaint and dispute resolution process to follow.

There is also some comfort for data holders in that the EDA prohibits data recipients from using data to produce competing products. However, the same restriction does not apply in relation to competing services. The EDA also prohibits the use of data to "derive insights about the economic situation, assets and production methods of the manufacturer or, where applicable, the data holder".

5 What about terms and conditions?

Data holders should also consider how their terms and conditions will need to change and which of their terms and conditions will be impacted.

One key concern will be to ensure that data holders can use generated data as they intend: their terms and conditions are the route to achieving this. Data controllers are well acquainted with the constraints that the GDPR places around their use of personal data but, so far, they have been free to use, as they wish, non-personal data generated by their customers' use of their connected products or related services. That situation is about to change and the EDA will place limitations on data holders' use of non-personal data too: data holders will only be able to use data on the basis of a contractual agreement with the user – so it is going to be important for data holders to ensure that their terms and conditions are sufficiently clear about the purposes for which they will use data and with whom they are entitled to share data.

Terms and conditions will also need to comply with transparency requirements (similar to the information provision requirements under the GDPR, which gave rise to privacy policies).

Finally, data holders will need to assess the fairness of their terms. Contracts with consumers will be subject to consumer protection laws but the EDA will also require all business-to-business data sharing contracts to be on terms that are fair, reasonable and non-discriminatory (FRAND) and will impose a reverse burden of proof on data holders to prove that terms are non-discriminatory. Moreover, unnegotiated contracts with SMEs will be unenforceable to the extent that they contain abusive terms from a data sharing perspective – the EDA sets out three blacklisted clauses, as well as types of clauses which are presumed unfair, which data holders should watch out for. The European Commission is required to publish model terms to demonstrate what FRAND terms for data sharing look like.

6 Are the costs involved in sharing data recoverable?

Data holders will also want to understand the extent to which they can recover costs for data sharing, as these costs could be significant, and to plan for this. They will not be entitled to recover any costs from users. However, there is an opportunity to recover some costs from third party recipients. While they cannot charge for data per se, they can recover compensation from third parties which are not SMEs, to include both the costs of the technical steps to make data available and the investment that has been sunk into collecting and producing the data – which can include a reasonable margin. For third party recipients that are SMEs, only costs, no margin, and no sunk investment, can be recovered. Compensation will need to be reasonable and non-discriminatory (and data holders will need to be sufficiently clear about how it has been calculated).

7 How does the EDA fit in with the GDPR?

It's important for data holders to give careful thought early on to how their data sharing obligations fit with their GDPR compliance obligations. The EDA is clear that it does not limit rights under the GDPR and that the GDPR prevails over the EDA if there is a conflict.

The EDA is also clear that a legal basis for sharing personal data is still required – a legal basis under Article 6 of the GDPR and an additional legal basis under Article 9 if special category data are involved, e.g. where health data are collected on a fitness app. Where the user is the data subject, this analysis is fairly straightforward but becomes more complicated where the user is a company, or where the data recipient is not the user.

Moreover, the EDA is not a licence to store personal data that is not needed and the GDPR's minimisation and privacy by design principles must still be observed. Taking a "lean" data approach (which would be helpful to limit the data sharing and cost burdens outlined above) would be consistent with the minimisation principle, but compliance with this principle could also involve employing anonymisation, pseudonymisation or other privacy enhancing techniques when sharing data.
