On September 6, the EU released a FAQ on the Data Act (hereinafter referred to as "the FAQ"), clarifying the relationship between the Data Act, the General Data Protection Regulation (GDPR), and other EU regulations. It also addresses issues related to IoT data access and usage, as well as data sharing between businesses.
The Data Act is a significant new regulation in EU digital governance. Unlike the GDPR, which focuses on data subject rights and data processing, the Data Act primarily focuses on data access and sharing. It establishes specific rules for businesses and individuals to access, obtain, and share data, aiming to promote data circulation, boost the data market, and enhance the use of data as a resource in the EU's economy and society.
This article will provide a comprehensive overview of the Data Act, based on the FAQ, and offer insights for companies looking to navigate compliance with the Act.
Effectiveness and Scope of the Data Act
1. Timeline
The Data Act was published in the Official Journal of the European Union on December 22, 2023, took effect on January 11, 2024, and will be enforced starting September 12, 2025.
2. Scope
The Data Act applies to:
- Manufacturers selling connected products (IoT) in the EU market and providers offering related services, regardless of whether they are based in the EU.
- Users in the EU who utilize the aforementioned products or services.
- Data holders providing data to EU-based recipients, whether or not the data holders are located in the EU.
- Public authorities requiring data access for public interest purposes.
- Providers of data processing services to EU customers, irrespective of their location.
- Entities involved in data spaces, applications deploying smart contracts, and individuals involved in deploying smart contracts for others in the course of executing agreements.
"Connected products" refers to IoT devices that collect, generate, or communicate data about their usage or environment. "Related services" are digital services connected to these products, necessary for their functionality, or services provided after the sale to enhance or update the product.
3. Relationship with GDPR
While both the Data Act and GDPR regulate data-related activities, they focus on different types of data. GDPR primarily addresses personal data, while the Data Act covers both personal and non-personal data. In cases where the two laws conflict, GDPR provisions concerning personal data protection take precedence. The Data Act complements GDPR by adding specific provisions, such as user rights in IoT contexts.
Data Sharing in IoT Contexts
Chapter 2 of the Data Act grants users the right to access data generated from their use of IoT products or services and mandates that data holders share this data with third parties upon request. However, this provision does not apply to data from IoT products made by small and medium-sized enterprises (SMEs), provided they meet certain conditions.
1. Disclosure to Users
Before selling or leasing a connected product, sellers must inform users about the type, format, and volume of data the product generates, whether it can produce real-time data, and how users can access, extract, or delete this data.
2. User Access Rights
Manufacturers must ensure that users can access their data directly, securely, and free of charge if technically feasible. If direct access is not possible, data holders must provide access upon request in a comprehensive, structured, machine-readable format.
3. Sharing with Third Parties
Users can request data holders to share their data with a third party of their choice. Data holders must provide the same quality of data in a structured, machine-readable format. Third parties receiving this data must use it solely for the agreed purposes and respect data subject rights.
4. Data Scope and Limitations
The FAQ clarifies that users have the right to access and share historical data, commercial secrets (with appropriate safeguards), and data relevant to multiple users of a product. Data holders can refuse access in certain cases, such as when sharing data would pose significant security risks.
Business-to-Business Data Sharing
Chapters 3 and 4 of the Data Act regulate business-to-business (B2B) data sharing. Voluntary data sharing must be based on fair, reasonable, and non-discriminatory terms. When legally mandated, data holders can charge reasonable compensation for sharing data, considering the costs incurred.
Switching Data Processing Services
The Data Act facilitates switching between data processing services, such as cloud or edge services. Service providers must clearly outline users' rights and offer accessible information on how to switch. By 2027, providers must eliminate switching fees entirely.
Preventing Third-Country Government Access
The Data Act mandates that data processing service providers take all reasonable measures to prevent unauthorized access to non-personal data by third-country governments. Such access will only be recognized if based on valid international agreements with the EU.
Compliance Recommendations
To comply with the Data Act, companies must:
- Respect data subject rights and prioritize personal data protection under GDPR.
- Ensure mechanisms are in place to respond to user requests for data access and sharing.
- Engage in fair and reasonable data sharing practices, ensuring transparency and cooperation with other businesses.
- Implement appropriate security measures to safeguard data during transmission and sharing activities.
