On February 23, 2022, the EU Commission published a Proposal for a Regulation on harmonized rules on the access to and use of data as part of its strategy for making the EU a leader in the data-driven society. The “Data Act” addresses the access, use and porting of “industrial data” generated in the EU by connected objects and related services. The Act further ensures this data will be shared, stored and processed in accordance with EU rules, including when the dataset contains personal data.

Scope

The proposed Regulation applies specifically to data from the usage of connected objects and related services (e.g., software). Data means any digital representation of acts, facts or information including in an audio, visual or audio-visual format. While the Regulation applies to data derived from usage and events, it does not apply to information derived or inferred from this data.

Connected devices (i.e., IoT) include vehicles, home equipment, consumer goods, medical and health devices, and agricultural or industrial machinery that generate performance, usage or environmental data. Products designed primarily to display, play, record, or transmit content such as personal computers, servers, tablets, smart phones, cameras, webcams, sound recording systems, and text scanners are not covered by the Act.

The Regulation applies to (a) manufacturers of products and suppliers of related services placed on the market in the Union and users of such products or services; (b) data holders that make data available to data recipients in the Union; (c) data recipients in the Union to whom data are made available; (d) public sector bodies and Union institutions, agencies or bodies that request data holders to make data available where there is an exceptional need for the performance of a task carried out in the public interest and the data holders that provide those data in response to such request; and (e) providers of data processing services offering such services to customers in the Union.

Relevant Provisions

  • Manufacturers and designers must provide consumers and businesses with access to and use of data derived from utilization of connected devices they own, rent or lease as well as related services. This data has traditionally been captured and held by the manufacturer or designer, and the device owner’s right to it is often unclear. Under the Act, the device owner will be able to use the data for after-market purposes. For example, a car owner might share usage data with their insurance company, or a business owner might use data from a connected manufacturing device to perform its own maintenance in lieu of using the manufacturer’s services. In support of these measures, manufacturers and designers must disclose what data is accessible and design products and services so the data is easily accessible by default.
  • Data sharing agreements between parties must avoid contractual terms that place SMEs at a disadvantage. The Act includes a test to assess the fairness of the contractual terms. The EU Commission plans to develop and publish non-binding model contract terms to help achieve this goal.
  • Cloud service providers must adopt portability measures that permit consumers and businesses to move data and applications to another provider without incurring any costs. The Act also mandates implementation of safeguards to protect data held in cloud infrastructures in the EU.
  • Customers shall have the right to transfer data from one data processor to another, free of commercial, technical, contractual or organizational obstacles.
  • Businesses shall provide certain data to public sector bodies in exceptional situations (e.g., public emergencies), under key conditions.
  • Cloud service providers will be subject to certain restrictions on international data sharing or access.
  • The content of certain databases resulting from data generated or obtained by connected devices will be protected.

Next Steps

The proposed Regulation is designed to stimulate competition and create opportunities for data-driven innovation as part of the EU’s data strategy. In doing so, it complements the Data Governance Act, which facilitates data sharing across sectors and Member States. As the EU continues to strengthen its data strategy, U.S. businesses will want to monitor this space and consider preliminary steps towards potential compliance. The Regulation will apply to U.S. manufacturers and service providers who place connected objects and related services in the EU market. Compliance will necessitate appropriate policies, procedures, and mechanisms to meet the Regulation’s transparency, access, data minimization and safeguards mandates. At a minimum, this will involve designing and manufacturing products and services that incorporate user access mechanisms and protections by design and default.