The Regulation on harmonised rules on fair access to and use of data (the “Data Act”) entered into force on 11 January 2024 and will apply from 12 September 2025. The Data Act, in short, imposes rights and obligations on (i) manufacturers of products connected to the Internet of Things and related services (“IoT products”), (ii) parties that process data (also non-personal data) generated by IoT products and their users, and (ii) providers of “data processing services”, such as cloud service providers.
Purpose of the Data Act
More en more data is being generated by humans and machines. This data has a huge value and to unlock the potential of data-driven innovation, the European legislator found it crucial to provide more opportunities for the reuse of data, to allocate rights and obligation in relation to the data and to remove barriers to the development of the European data economy in a way that everyone benefits from these opportunities.
Data generated by IoT products
The Data Act focusses on all data (personal data and non-personal data) generated by IoT products. Such products may include vehicles, home equipment and consumer goods, medical and health devices or agricultural and industrial machinery. Products that are primarily designed to display or play content, or to record and transmit content, amongst others for the use by an online service, such as personal computers, smart phones and webcams are not covered by the Data Act.
Main obligations
At a verry high level, key aspects of the Data Act include:
- User rights: The Data Act includes transparency requirements in relation to the data and requirements in relation to the (free of charge) access and portability of data to the user or third parties.
- B2B Data sharing: The Data Act includes requirements and restrictions regarding sharing of data in a business to business context and the (fairness of) contracting terms to be entered into between data holders and data recipients. This also includes provisions in relation to (i) the compensation that may be agreed for making data available (e.g non-discriminatory and reasonable and informed); (ii) dispute settlement, (iii) security, (iv) addressing deceptive practice or unauthorized use or disclosure of data.
- Data sharing with public bodies: The Data Act includes requirements and restrictions regarding sharing of data with public bodies and certain EU institutions in cases of “exceptional need”.
- Cloud switching and interoperability: the Data Act includes a range of provisions which aim to facilitate switching between data processing services (such as cloud services), including information obligations and rules regarding termination periods, exit charges, assistance, and transition periods.
- Data Transfers: The Data Act provides safeguards in relation to international governmental access to and transfers of non-personal data to third countries.
- Smart contracts: To further support effective data sharing, the Data Act aims for de development of smart contract for standardization of data sharing.
Impact on business model
The Data Act forces companies that offer IoT products to re-think their data business model. For example, with respect to charging users for accessing their data or transfer their data to a third party. Also, it might not be possible anymore to share or use data generated by IoT products for the purposes the company wishes. It is recommended to assess your business model and take all necessary measures to ensure you are ready to comply with the Data Act in September 2025.
