Data Act – Key points to consider

Arttu Ruukki
Blogs
February 22, 2024

The Data Act came into force on 11 January 2024 and will apply in most respects from 12 September 2025. From that date, "ownership" of the data generated by connected devices (e.g. IoT devices) and associated digital services will shift from the providers of the devices and services to their users. The Data Act will impose significant additional obligations on companies that manufacture and provide connected devices and their services. These obligations may force a rethink of entire business and revenue models.

What is data regulation all about?

The Data Act, together with the Data Governance Act, form the backbone of the EU's data strategy. The objectives and ambitions behind the Data Act are noble: It aims to promote fair access to and use of data by creating a harmonised set of rules that allow data to be re-used and remove barriers to the development of the European data economy. It focuses on unlocking the potential of innovation and the data-driven economy by removing technical, financial and trust barriers, while respecting European values and promoting fair data sharing between different actors. The Data Act will contribute to Europe's green and digital transitions by providing a clear framework for data access and use. So how will these objectives be achieved in practice?

Different angles of data regulation

The Data Act contains several interlinked themes, with the common denominator being access to data and the ground rules for its use. These themes are approached from different angles. Most importantly, the Act defines a set of harmonised rules on making available to the user the data generated as a result of the use of a connected product or related service and on making data available to third parties at the request of the user. As a corollary, it also addresses the issue of making data available to public sector bodies for exceptional needs. In addition to these rules on users' rights to product and service data, the Data Act addresses the conditions for re-use of data, the permissible content of unilateral contractual clauses on the transfer of data, the standardisation of data sharing mechanisms and services, the transfer of data outside Europe and facilitating the switching of cloud service provider.

Who within an organisation is responsible for complying with the Data Act?

The new regulation has wide-ranging implications for business and compliance is not just a matter of conducting a paper exercise on the legal department's desk. A few observations on this:

In product development, the Data Act needs to be considered from the very beginning of the design of devices and services - what data to collect, how to access it and how to handle it. These choices determine the extent to which previously completely proprietary data needs to be made available not only to the user, but also (at the user's request) to competitors. On the other hand devices and related services brought to market from autumn 2026 onwards need to, from the outset, be designed in such a way that the data they produce is easily, securely, free of charge and, if technically possible, directly accessible to the user, for example via the device's user interface.

In terms of data management (IT), data must be classified and "siloed" so that it can be made available, if necessary, at the request of an individual user concerning that particular user. At the same time, however, data protection rules must be taken into account, as the Data Act does not in any way override the General Data Protection Regulation (GDPR).

Sales must be aware of what to communicate to customers when marketing devices and services, and how to agree with customers on data disclosure, access rights and restrictions on its use.

In terms of procurement, contractual requirements, e.g. related to procuring smart components for your own device offering, should be aligned with your own obligations of making data available to the user. White-label products are also a challenge to tackle, where access to data collected by devices and related services must be agreed separately, for example with a Chinese supplier. From the point of view of the user, the responsibility for providing access to data lies with the company marketing the product or service in the EU internal market.

Product support and customer service will certainly be confronted with data-related requests and requirements from users - the content of which surely at times going beyond the actual obligations. Clear processes and guidelines need to be established for these requests.

And, of course, the Data Act will need to be taken up with particular attention by corporate legal departments. Protecting trade secrets related to data, drafting contractual terms for making data available, supporting the organisation in complying with the requirements of the Data Act and other general orchestration around compliance with the Act will surely keep lawyers busy.

How to prepare for the obligations of the Data Act?

The stress and rush of GDPR coming into force is fresh in the minds of many organisations. The scale of the impact of the Data Act could well be compared to that of the GDPR. If there are any lessons to be learned from the preparation process for GDPR that culminated in spring 2018, it’s that it will pay off to start early. You can do so right away by familiarising yourself with the Data Act, for example on the European Commission's website.

Once a basic understanding of the content starts to take shape, figure out at least the following points, where applicable:

  • What data related to the products and/or services offered by your company are covered by the data sharing obligations?

  • How is the data subject to the sharing obligation currently managed, how is it classified, how can it be shared in practice?

  • What trade secrets are contained in, or can be derived or inferred from, the data subject to the sharing obligation, if any?

  • How does the information subject to the sharing obligation relate to personal data - is it separable, stored separately, shareable separately?

  • Is it necessary to collect all data currently collected and stored by products and/or services in the future?

  • How is the sharing-by-design obligation implemented in product development and its processes, how is it integrated into the RnD process?

  • If data sharing cannot be done directly through the device and/or service, how can sharing be organised and managed?

  • If devices manufactured by someone else are sold, where is their data located and how is it ensured that it can be made available to users or third parties at the user's request?

  • Is it possible to build services for a product manufactured by another operator on the basis of the product data opened up by the data regulation?

Fondia's experts at your side

Help in figuring out the business implications of the Data Act is available from Fondia's AI and Data Economy expert group or through contacting fondia@fondia.com.

This article launches a series of articles on the Data Act. In future parts we will address specific issues of the Data Act from different perspectives and always from a practical point of view.

Other related articles