1. Background and relevance for your organisation
The Data Act aims to “ensure fair value distribution from data to actors in the data economy and promote access and use”. The purpose of the Data Act is to make the European Union a leader in the global data market and fuel innovation within the EU. The Data Act seeks to achieve those objectives through its broad scope and harmonised rules across the EU. In other words, the European Union wants to gain a more important position in relation to data, the so-called new gold.
For your organisation, a clear action plan for implementing the provisions of the Data Act is very important. After all, the Data Act applies to both public and private actors who market connected products or related services, act as data holders or data recipients, or provide data processing services. In other words, the Data Act will have significant implications for the way your organisation collects, uses and commercialises data. The Data Act will have an important role to play given the growing digitalisation of our economy.
2. Case study: manufacturer of connected products
Suppose your organisation manufactures and markets a machine in the EU with digital functionalities that allow the user to monitor the use of the machine via a mobile application. Your machine would then fall within the scope of the Data Act’s definition of “connected product”: “an item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user”.
If so, several provisions of the Data Act apply to your organisation, of which we list some relevant elements below:
- Accessibility: you should ensure that the data generated in the context of the machine are easily, securely and directly accessible (as far as appropriate and relevant) to the user of the machine;
- Information obligation: manufacturers of connected products have a far-reaching pre-contractual information obligation that applies to the user;
- Portability: as the manufacturer of a connected product, you must share the data generated therefrom with a third party without delay and free of charge, at the request of a user of the connected product;
- Unfair terms: you should also reassess your general terms and conditions. Indeed, the Data Act provides a list of unfair contractual terms. In doing so, the Data Act uses an open standard of unfair terms, on the one hand, and also sets out some specific unfair and one-sided practices that are not binding;
- Making data available to public authorities: in cases of exceptional need, your organisation should make data available at the request of a public authority, EU institution, agency or body. Cases of exceptional need include a general emergency, the prevention of or recovery from a general emergency, and situations in which a lack of available data prevents the performance of a specific task of public interest;
- International transfers of non-personal data: the Data Act introduces a protection regime for non-personal data reminiscent of Chapter V of the General Data Protection Regulation (better known as the “GDPR”) and inspired by the famous “Schrems II” judgment of the European Court of Justice. That personal data regime has already caused quite a stir over the past few years and will undoubtedly have a significant impact on the interpretation of the Data Act.
Your organisation would do well to strictly comply with your obligations under the Data Regulation. After all, an enforcement mechanism based on that of the GDPR is provided for. Given the wide range of sanctions provided for in the GDPR, both individuals and supervisory authorities have a wide arsenal of options to challenge non-compliance with the Data Regulation.
From this practical example, we learn that the Data Act can have a profound impact on your organisation’s activities. However, the Data Act is not the only instrument to take into account. Several EU legislative initiatives within the framework of the EU Digital Strategy are also relevant, such as the Digital Services Regulation (for more info, see our newsletter via the following hyperlink: https://monardlaw.be/en/stories/informed/digitaledienstenverordening/), the Digital Markets Regulation, the Data Governance Regulation and the proposed AI Regulation. Other legal instruments also interact with the Data Act. For instance, there is obviously a tension between the Data Act and the GDPR, which will undoubtedly be the subject of much debate in the future. Also, the rules regarding intellectual property and trade secrets have an important connection with the provisions of the Data Act.
It is clear that your organisation should assess the impact of the Data Act on your operations in good time and take the necessary precautions to comply with those rules.
Monard Law’s privacy and data protection team is happy to assist you with all your questions regarding the Data Act and other questions related to innovative technologies, the EU digital strategy and privacy and data protection.