New EU Rules for Data Access and Sharing: What You Need to Know

On February 23, 2022, the European Commission published its proposal for a Regulation on Harmonized Rules on Fair Access to and Use of Data (“Data Act”), which focuses on data generated by Internet of Things (“IoT”) devices. The aim of the Data Act is to create a single market for data in which data is more accessible and can be shared without legal obstacles among European businesses and the public sector. The proposal recognizes that IoT device manufacturers often design products in a way that does not allow users (consumers and businesses) to take full advantage of the digital data they create when using IoT devices.

What “Data” Is Covered? The Data Act broadly applies to any data obtained, generated or collected by “products”. Products means tangible, movable items that collect or generate data concerning their use or environment and that are able to communicate data via a publicly available electronic communications service. Examples include IoT devices such as connected cars, virtual assistants, connected medical devices, smart TVs and smart thermostats.

Who Is Subject To The Proposal? The Data Act applies to any business that places its products or services on the EU market or makes its data available to recipients in the EU. This includes manufacturers of products and suppliers of related services, data holders, data processing service providers (e.g. cloud services), public sector bodies in the EU and EU institutions.

Accessibility And Transparency. Products and services will have to be designed in a way that makes the data easily accessible to users by default. Before purchasing a product, users must be provided with certain listed transparency information, including what data will be accessible, how users can access and share this data and for what purposes the data will be used or shared.

Data Portability. The Data Act enhances the GDPR’s data portability right by granting users of products a right to request that data holders make all data generated by products available to third parties of their choice. Access to the relevant data allows service providers to compete on an equal footing with comparable services offered by manufacturers, and to offer lower prices to users.

Data Sharing Agreements With SMEs. SMEs are frequently not in a position to negotiate fair data sharing agreements with stronger market players. The Data Act introduces protections regarding unfair contract clauses included in data sharing agreements with more powerful market players. Any clauses that do not pass a “fairness test” will not be binding.

Switching Cloud Services. Cloud service providers will be required to remove obstacles which restrict customers from concluding new contracts with different providers, porting their data, applications and other digital assets to another provider, and maintaining functional equivalence of the service after they have switched to another provider.

Non-Personal Data International Data Transfers Rules. With the stated goal of enhancing trust in EU cloud services and other data processing services, the Data Act proposes new restrictions applicable to international transfers of non-personal data held in the EU (similar to the requirements set forth by the GDPR and the Schrems).

Exclusion For Database Rights. The Data Act provides that the sui generis database right set forth by the EU Database Directive does not apply to databases containing data obtained from or generated by the use of a connected device. This exclusion is aimed at preventing holders of data from claiming exclusivity over data generated by connected products.

Enforcement. Non-compliance with certain obligations could be sanctioned with administrative fines or financial penalties of EUR 20 million or 4% of annual global revenue, whichever is higher.

Next Steps. Once the Data Act becomes law, there will be a period of time for businesses to adapt their practices to be compliant with the new provisions (currently indicated to be 12 months). Businesses should assess the effects that the new requirements will have on their business practices and contracts, and be prepared to implement processes to facilitate compliance.