Update Data Protection No. 158
Data Act (Update): EU Parliament adopts new data law, what steps do companies need to implement now?
Back in June of this year, the EU Parliament and EU Council agreed on a joint position on the draft of the new EU regulation on harmonized rules for fair access to and use of data ("Data Act") (we reported). On November 9, 2023, the draft was formally adopted by a large majority in the EU Parliament. The adopted text of the draft is available here. Following approval by the EU Council, it is now likely to enter into force soon, albeit with an implementation deadline of 2025.
Key contents of the Data Act
The aim of the Data Act is to set requirements for the use and value creation of data by granting more rights to users of networked products or connected services and strengthening competition in digital markets, in particular by supporting small and medium-sized enterprises.
The Data Act defines the conditions for the right of access to user data generated by networked products and connected services. The draft regulation also contains provisions for cases in which public bodies can gain access to such data. The Data Act also provides safeguards against unlawful use by third parties, the disclosure of trade secrets and the misuse of contractual clauses by providers of connected products. Access by international and third-country governments to non-personal data stored in the EU is subject to restrictions. In addition, the Data Act sets interoperability standards for providers of cloud and other data processing services in order to make it easier to switch providers. Non-compliance is subject to penalties imposed and enforced by EU countries, with fines of up to EUR 20 million or 4% of annual global turnover.
The majority of the new provisions apply to so-called "data controllers", usually manufacturers of connected products (e.g. smart TVs) and providers of connected services (e.g. cloud-based smart TV platforms). The Data Act will be relevant beyond the borders of the EU. In this respect, it also affects foreign manufacturers of connected products and providers of connected services who sell their products in the EU.
Important implementation steps
Companies should prepare for the implementation of the new measures in good time, even if the legal requirements of the Data Act do not have to be finally implemented until 2025. The following steps should be emphasized:
- Product design: Networked products or connected services must be designed and provided in such a way that user data (including metadata) can be made available easily and quickly either by data access or, if necessary, by electronic transmission.
- Data transfer to third parties: At the request of a user, the manufacturer of networked products or connected services must also pass on the above user data to a third party (for example, to a competitor company in the event of a product change).
- Data exchange with public authorities: Manufacturers must pass on user data to public institutions in exceptional cases, for example in emergency situations such as forest fires or floods, if the user data is required for effective hazard prevention.
- Information obligations: Before concluding a contract for the purchase, rental or leasing of a connected product or use of a connected service, the manufacturer must provide the user with certain information in a clear and comprehensible format.
- Unfair contract terms: The draft regulation prohibits unfair contract terms in order to prevent the abuse of contractual imbalances in B2B relationships.
- Interoperability: The new Data Act sets out interoperability specifications to ensure the technical transfer of the necessary user data when a user changes cloud or data service providers.
In terms of data protection law, the new Data Act applies alongside the GDPR. However, while the GDPR only regulates the handling of personal data, the Data Act also applies to non-personal data. There are overlaps in particular with regard to the right of access and the right to receive a copy of data (Art. 15 GDPR) and the right to data portability (Art. 20 GDPR). The principle applies that the GDPR takes precedence for personal data.
The Data Act offers small and medium-sized companies the opportunity to access user data from large (international) manufacturers of networked products and connected services, but only after being commissioned by the respective user. This possibility is interesting for car repair shops, for example, which can request important IoT data from large car manufacturers on behalf of their customers.
Manufacturers of such networked products or connected services, on the other hand, are faced with extensive technical and organizational conversion measures, as they must soon be able to provide their users' product data and connected service data simply, securely, free of charge and in a comprehensive, structured, common and machine-readable format, ideally fully automatically and using interfaces.