14 Questions about the EU Data Act

August 27th, 2024 | Posted by Claude-Etienne Armingaud in Artificial Intelligence | Blockchain | Europe | IT | Legislation
  1. My company is not established in the EU. Should I really worry about the EU Data Act applying to my company?
  2. What are the operational impacts of the EU Data Act on my products’ interface?
  3. My products are already on the market, can I still provide them as I am today?
  4. What data is in the EU Data Act scope?
  5. Does the EU Data Act provide for a harmonized framework for blockchain-based smart contracts?
  6. Who can request the sharing of data?
  7. How should data be made available?
  8. Are there any limitations on how the data can be shared?
  9. Can I invoke intellectual property rights to forego the data sharing?
  10. Should the data be made available to public entities as well?
  11. Will I need to update my contracts as well?
  12. Will the data be required to stay in the European Union?
  13. When will all this become an operational reality for me?
  14. What are the EU Data Act penalties?

1. My company is not established in the EU. Should I really worry about the EU Data Act applying to my company?

The Regulation no. 2023/2854 of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (EU Data Act) imposes data-sharing obligations on manufacturers of Connected Products and providers of Related Services (which expressly include Virtual Assistants), placed on the market in the European Union (EU). It will also apply to providers of data processing services offered to both B2B and B2C customers in the EU.

While there are some exceptions for micro, small, and medium-sized enterprises, most companies involved in the Internet of Things (IoT, such as smart consumer devices, connected cars or industrial machinery, smart fridges and other home appliances, and their related services) engaging on the EU market will need to comply with the EU Data Act, regardless of their establishment on that territory.

2. What are the operational impacts of the EU Data Act on my products’ interface?

The immediate operational impact of the EU Data Act will stem from the new requirements to make all personal and non-personal data generated through the use of IoT devices available and portable for their users, whether corporate or individual/consumer customers.

The aim is to allow these users to easily switch between cloud service providers, as well as regulating smart contracts.

This will require impacted stakeholders to design (or retrofit, which may prove cumbersome) their products to make such data readily available, including some datasets which they have previously considered as being “proprietary.”

Manufacturers of Connected Products and providers of Related Services will thus need to design their offering in such a way that the data collected or generated through use is in a commonly used and machine-readable format and, “where relevant and technically feasible,” directly accessible to the User (i.e., within the Connected Product or Related Service itself, without any specific request from the User to the provider).

This notion of “relevant and technically feasible” remains unclear and may lead to disputes as at least the “relevance” is expected to take into account the users’ subjective interests, which may be difficult for the manufacturer or the provider to effectively assess. On the other hand, while the “technical feasibility” may appear more straightforward, it still remains broad, as no limitations in terms of proportionality apply.

3. My products are already on the market, can I still provide them as I am today?

You may. Most of the undertakings of the EU Data Act will become enforceable by 12 September 2025 (see below for the timeline). However, considering the efforts which will be necessary to ensure the compliance by this date of existing or future products or services, the EU Data Act should become a priority over the next 18 months.

4. What data is in the EU Data Act scope?

As a horizontal regulation, the EU Data Act is industry and sector agnostic and relates to both personal and non-personal data generated with the Connected Products and Related Services.

This will notably include:

  • Data collected through the Connected Products or during the provision of the Related Services;
  • Raw data generated by the Connected Product or the Related Services;
  • Any associated metadata which may be necessary to interpret the above.

However, this will not include:

  • Any information inferred from the above-mentioned raw data – a stakeholder performing further analysis on the raw data will not be required to share the outcome of these additional operations;
  • Data that the Connected Products generate when a user records, transmits, displays or plays content, as well as the content itself;
  • Data which may not be retrievable by anyone due to the Connected Product design itself.

5. Does the EU Data Act provide for a harmonized framework for blockchain-based smart contracts?

Yes. The EU Data Act mandates certain undertakings pertaining to smart contracts, which it defines broadly as any “computer program used for the automated execution of an agreement or part thereof, using a sequence of electronic data records and ensuring their integrity and the accuracy of their chronological ordering” (Art. 2 (39) EU Data Act).

It does not matter whether the underlying object is merely a set of instructions within a network of connected devices or an “actual” smart contract deployed on a distributed ledger technology.

The main requirements for smart contracts under the EU Data Act include:

  • access control mechanisms;
  • a very high degree of robustness; and
  • a kill switch to terminate the continued execution of transactions (either through a temporary suspension or a complete deletion of the underlying object).

Such requirements may conflict with the oft-immutable nature of DeFi’s smart contracts.
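As an added illustration, not code from the article or from any project it refers to, the following minimal Solidity contract (with hypothetical names and roles) shows how the three properties listed above can be expressed in code: an address-based access check, input validation as a basic robustness measure, and a kill switch in both forms the Act contemplates, temporary suspension and permanent termination. It also makes the tension with immutability visible: the kill switch works only because a privileged role exists at all, which a protocol that renounces ownership or ships without an admin role would not have.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical executor for a data-sharing agreement between a data holder
/// and one designated recipient. Added example; names and roles are assumed.
contract DataSharingAgreement {
    address public immutable dataHolder;   // party operating the contract
    address public immutable recipient;    // party entitled to receive data
    bool public paused;                    // temporary suspension flag
    bool public terminated;                // permanent stop flag

    event Paused(address indexed by);
    event Unpaused(address indexed by);
    event Terminated(address indexed by);
    event DataReleased(bytes32 indexed datasetId, address indexed to);

    error NotAuthorised();
    error ContractPaused();
    error ContractTerminated();

    // Access control: only the data holder may drive execution.
    modifier onlyHolder() {
        if (msg.sender != dataHolder) revert NotAuthorised();
        _;
    }

    // Robustness: execution is refused while suspended or after termination.
    modifier active() {
        if (terminated) revert ContractTerminated();
        if (paused) revert ContractPaused();
        _;
    }

    constructor(address _recipient) {
        // Input validation: a release to the zero address would burn the entitlement.
        require(_recipient != address(0), "recipient required");
        dataHolder = msg.sender;
        recipient = _recipient;
    }

    /// Records a dataset release to the contractually designated recipient.
    /// The recipient cannot be changed after deployment, so a compromised
    /// caller cannot redirect the release elsewhere.
    function releaseDataset(bytes32 datasetId) external onlyHolder active {
        emit DataReleased(datasetId, recipient);
    }

    /// Kill switch, temporary form: suspend execution while keeping state.
    function pause() external onlyHolder {
        if (terminated) revert ContractTerminated();
        paused = true;
        emit Paused(msg.sender);
    }

    /// Lifts a suspension; not possible once the contract is terminated.
    function unpause() external onlyHolder {
        if (terminated) revert ContractTerminated();
        paused = false;
        emit Unpaused(msg.sender);
    }

    /// Kill switch, permanent form: no further releases can ever be recorded.
    function terminate() external onlyHolder {
        terminated = true;
        paused = true;
        emit Terminated(msg.sender);
    }
}
```

Once `terminate()` has been called, every state-changing entry point reverts, which is the "complete deletion" outcome expressed without relying on contract self-destruction. Whether a given deployment satisfies the Act's robustness requirement still depends on review of the deployed code and of who controls the `dataHolder` key, not on the presence of these functions alone.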

6. Who can request the sharing of data?

As a regulation designed to protect the users of Connected Products and Related Services, the EU Data Act places users at its center. Consequently, users are entitled to request access to their data, a user being:

  • A natural person; or
  • A legal entity in case of:
    • a corporate user; or
    • a third party designated by the user, further to a contract between the two.

7. How should data be made available?

Where technically possible, data should be accessible directly (and in real time) by the user.

However, where this would not be possible, and upon request from the user or its designated agent, the manufacturer must make the relevant data available:

  • without undue delay;
  • free of charge;
  • easily;
  • securely;
  • in a structured, commonly used and machine-readable format; and
  • where applicable, of the same quality.

Data recipients cannot prevent consumers from making the data subsequently available to other parties.

8. Are there any limitations on how the data can be shared?

Yes.

  • If the data is protected by trade secrets, the data holder and the recipient will need to contractually agree on the necessary measures required to preserve the confidentiality of the data.
    • The data sharing may be withheld or suspended when the confidentiality of trade secrets may be undermined, such as when the parties do not agree on the necessary measures, when the user fails to implement them, or when the user otherwise undermines the confidentiality of the trade secrets. In such cases, the data holder will need to notify the national competent authority.
    • The data holder may also elect to forego the data sharing where it would be “highly likely” to suffer “serious economic damage” from the disclosure. The threshold for such serious economic damage has not been substantiated and it is expected that this refusal should only be invoked in exceptional circumstances. Here again, the data holder will need to notify the national competent authority.
  • The recipient will not be able to use the data to produce a product or provide a service that competes with the original Connected Product or Related Service;
  • Users are prohibited from hacking the product or service to gain access to the data;
  • Third parties must only use the data for the purpose agreed with the relevant User. This again highlights the relevance for companies offering Connected Products or Related Services to have in place precise and sufficient contract language with their customers;
  • Users are only entitled to data collected by the original data holder. In case of subsequent transfers, the secondary data holder will not be required to provide the original data holder’s dataset.

9. Can I invoke intellectual property rights to forego the data sharing?

The EU Data Act is “without prejudice to Union and national legal acts providing for the protection of intellectual property rights.”

At the same time, Art. 43 EU Data Act explicitly excludes the application of Art. 7 of the Database Directive (Directive 96/9/EC) and the sui generis protection of database right to data obtained from or generated by a Connected Product or Related Service. Data Holders will therefore not be able to brandish the rights granted to database producers to limit the extraction of the data but will remain able to invoke any copyright to the database itself (if applicable) or its content, as the case may be.

The European Union and its Member States are obligated to protect trade secrets pursuant to Article 39 of the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS).

The EU Data Act attempts to find a balance in this respect. It provides that trade secrets are exempt from the User’s right of access only in exceptional cases, namely if the trade secrets cannot be sufficiently protected by measures contractually agreed with the user. Otherwise, the data holder must predominantly rely on contractual confidentiality obligations when sharing data.

It remains uncertain whether such generic references will be sufficient to provide for a proper alignment between the different regulations or whether this will cause additional hurdles in applying the EU Data Act.

10. Should the data be made available to public entities as well?

Private companies can be required to make data available to public-sector bodies, the European Commission, the European Central Bank, and EU bodies if there is an “exceptional need.”

This does not only apply to data collected or generated by Connected Products or Related Services, but to any private-sector data. Such “exceptional need” can, in particular, apply in emergency cases that require access to the relevant data by governmental authorities. In contrast to the civil law relationships covered by the other chapters of the EU Data Act, this chapter has a strict public law and public security background and thus requires taking into account different interests and interpretations.

11. Will I need to update my contracts as well?

The EU Data Act comprehensively regulates contracts between companies regarding access to and use of the data, notably between Data Holders and entities appointed by Users as recipients under the EU Data Act.

The EU Data Act introduces a general fairness obligation for contractual terms concerning access to and the use of data as well as liability and remedies for the breach or termination of data-related obligations.

The direct and immediate sanction for such breach will be for the contractual terms to be nonbinding where they are (1) unilaterally imposed on the other party and (2) “unfair,” i.e., where they grossly deviate from good commercial practice in data access and use, contrary to good faith and fair dealing.

To provide at least a basic level of legal certainty in this regard, the EU Data Act lists the following as:

  • Unfair by nature:
    • Excluding or limiting the liability of the party that unilaterally imposed the term for intentional acts or gross negligence;
    • Excluding the remedies available to the party upon whom the term has been unilaterally imposed in the case of nonperformance of contractual obligations, or the liability of the party that unilaterally imposed the term in the case of a breach of those obligations; and
    • Giving the party that unilaterally imposed the term the exclusive right to determine whether the data supplied is in conformity with the contract or to interpret any contractual term.
  • Presumed as unfair, depending on the circumstances:
    • Inappropriately limiting remedies in the case of nonperformance of contractual obligations or liability in the case of a breach of those obligations, or extending the liability of the enterprise upon whom the term has been unilaterally imposed;
    • Allowing the party that unilaterally imposed the term to access and use the data of the other contracting party in a manner that is significantly detrimental to the legitimate interests of the other contracting party, in particular when such data contains commercially sensitive data or is protected by trade secrets or by intellectual property rights;
    • Preventing the party upon whom the term has been unilaterally imposed from using the data provided or generated by that party during the period of the contract, or limiting the use of such data to the extent that that party is not entitled to use, capture, access, or control such data or exploit the value of such data in an adequate manner;
    • Preventing the party upon whom the term has been unilaterally imposed from terminating the agreement within a reasonable period;
    • Preventing the party upon whom the term has been unilaterally imposed from obtaining a copy of the data provided or generated by that party during the period of the contract or within a reasonable period after the termination thereof;
    • Enabling the party that unilaterally imposed the term to terminate the contract at unreasonably short notice, taking into consideration any reasonable possibility of the other contracting party to switch to an alternative and comparable service and the financial detriment caused by such termination, except where there are serious grounds for so doing; and
    • Enabling the party that unilaterally imposed the term to substantially change the price specified in the contract or any other substantive condition related to the nature, format, quality, or quantity of the data to be shared, where no valid reason and no right of the other party to terminate the contract in the case of such a change is specified in the contract.

12. Will the data be required to stay in the European Union?

The EU Data Act limits access and transfers ordered by foreign courts, tribunals, or administrative authorities. Specifically, such orders or subpoenas shall only justify the transfer of nonpersonal data if a bilateral assistance agreement is in place between the requesting country and the country where the data resides, or if the legal regime of the requesting country meets certain constitutional standards (namely the principle of proportionality and access to courts to contest such requests).

Service providers hosting data in the EU must take appropriate measures to protect the data against any access by foreign governmental authorities where such access would conflict with EU law (though it remains questionable what such measures should look like in practice, as these authorities are often not receptive to arguments based on compliance with another country’s laws).

As the scope of this chapter is expressly limited to nonpersonal data, any overlaps with respective provisions under GDPR are avoided, although governmental access requests regarding personal data are, despite Chapter V of the GDPR, still subject to legal uncertainties and discussions with foreign authorities are the rule. Some clarifications in this regard would thus have been helpful also for personal data.

13. When will all this become an operational reality for me?

The EU Data Act has been published and officially entered into force on 11 January 2024. Affected stakeholders will now need to implement a tiered rollout of its requirements:

The provisions of the EU Data Act will begin to apply 20 months from the date of entry into force, meaning affected businesses will need to be ready to comply with the Act by 12 September 2025.

  • By 12 September 2025: General application of the EU Data Act, notably the prohibition of unfair or abusive contractual terms for new contracts.
  • By 12 September 2026: Design requirements related to Connected Products placed on the market in the EU
  • By 12 September 2027: Prohibition of unfair or abusive contractual terms for contracts executed on or before 12 September 2025.

14. What are the EU Data Act penalties?

This is currently the biggest unknown for the EU Data Act. Indeed, the EU Data Act itself only provides that the penalties should be “effective, proportionate, and dissuasive” and, as is becoming the norm in the EU, take into account various factors, such as the annual turnover of the preceding financial year. However, the quantum of the fines will ultimately be decided by each EU Member State, which may lead to discrepancies in the enforcement of the EU Data Act.
