Overview – The Strategy of the European Union for a “Society Empowered by Data”
The efficient processing and sharing of data whether in a B2C, B2B, or G2B context are important factors for the success of the digital transformation of the private and public sectors around the world. The expansion of Internet-of-Things (IoT) technologies that converge the physical and digital worlds, including devices and solutions such as smart home appliances, out-of-clinic health-monitoring devices, smart manufacturing with connected machinery and robots, energy and security management systems for buildings, or supply-chain management solutions, will play a decisive role in creating the future data economy.
The Commission of the European Union has acknowledged the potential that data-driven innovations, such as IoT solutions, create for the EU single market, and has outlined the EU’s ambition to “become a leading role model for a society empowered by data to make better decisions in business and the public sector” in its European strategy for data published in February 2020. As part of this strategy, in February 2022, the Commission published its proposal for a Data Act, which is the second main proposal following the Data Governance Act (DGA). Like the DGA, the draft Data Act is meant to complement the existing legal framework for the EU data economy, including the General Data Protection Regulation (GDPR) on personal data, the ePrivacy Directive, which regulates data stored in and accessed from terminal devices, the Free Flow of Non-Personal Data Regulation, which ensures that non-personal data can be stored, processed, and transferred anywhere within the EU and introduced self-regulatory codes of conduct for cloud switching, and the Open Data Directive.
While the Open Data Directive and the DGA aim to facilitate the re-use of publicly available data as well as certain categories of protected data held by public sector bodies, such as state, regional, or local authorities and agencies governed by public law, the Data Act aims to build a framework for sharing data generated by connected devices and related services.
The proposed Data Act has been heavily debated and discussed in the EU, including the Commission, the Council of the EU, which represents the governments of the EU Member States, and the European Parliament. As result, its scope and requirements are likely to change. The Presidency of the Council of the EU has already published a first compromise text and, on November 3, 2022, a second compromise text suggesting some material changes (the compromise text). We expect the final version of the Data Act to be adopted in the second half of 2023 and enter into force in late 2024. As it is designed as a regulation, the Data Act will be directly applicable in all EU Member States, without any transposition into national law, once it has been adopted.
Products and Services in the Scope of the Data Act
The Data Act expressly applies to:
Manufacturers of IoT products and providers of IoT services that are marketed or provided on the EU market,
Providers of data processing services, including cloud and edge services, to customers in the EU, and
Other owners of data, or data holders, that make data generated by the use of IoT products or IoT services available to data recipients in the EU.
Like other EU data legislation, including the GDPR, the Data Act does not merely apply to EU-based companies but takes an extraterritorial approach: The location of the provider of data services is not relevant; what matters is whether the supply of the connected product or IoT service has an EU nexus. If a U.S., UK, or other non-EU company manufactures or markets connected devices or digital services relating to applicable devices in any EU country, makes data it owns available to EU recipients for their use, or provides cloud services to EU customers, then the EU Data Act will apply to it, and such companies must ensure that they comply with the relevant Data Act requirements.
Connected Products and Related Services
The draft Data Act defines a connected “product” as a “tangible, movable item, including where incorporated in an immovable item, that obtains, generates or collects data concerning its use or environment, and that is able to communicate data via a publicly available electronic communications service and whose primary function is not the storing and processing of data.” This definition includes any physical B2B and B2C IoT device that:
Uses sensors and/or actuators to collect and process data on its performance, use, or environmental conditions, or
Is connected with any computing systems by communications networks, such as the Internet, LANs, 5G mobile networks, and NFC.
Under the draft proposal, end user devices primarily designed to play, display, record, or transmit content, such as smart TVs and speakers, cameras, webcams, sound recording systems, and text scanners, or to process and store data as set out in the compromise text, such as personal computers, servers, tablets, and smartphones, are outside the scope of the Data Act.
In addition to such physical IoT products, “related services”—which are defined as “digital service[s], including software, which [are or] is incorporated in or inter-connected with a product in such a way that [their] absence would prevent the product from performing one of its functions”—are within the scope of the Data Act, whether such services are provided by the manufacturer of the IoT product or by a third-party developer using available interfaces.
In practice, it may be difficult for a company to determine whether its product that collects and transmits usage data over communications networks, or its software application that processes usage data received from a connected product, is within the scope of the Data Act.
For example, smart security cameras allowing users to record and store videos either locally on the camera or in a connected cloud account would not be included in the scope of the draft Data Act, even though the cameras collect data in their environment, including human movement. On the other hand, the compromise text points out that smart watches should be in scope because they “have a strong element of collection of data on human body indicators or movements.” The same can be also true for smartphones, depending on the apps the user downloads: some users may use their smartphones only for communication and recording and displaying video, photo, and audio content; other users may download fitness apps to track data on their various movements.
With regard to third-party developers’ digital services that are not embedded in but only interconnected with a device through an interface provided for the supply of various optional enhanced services by third-party developers, it is questionable whether such services when provided only after purchase upon the user’s request are in scope as the device was sold without such external enhancing features and would not lose its original functionality when the user terminates them. The draft Data Act suggests that it depends on whether such services “are normally provided for products of the same type and the user could reasonably expect them to be provided given the nature of the product” and whether sales information and advertising are published by the seller or the manufacturer of the product. These vague and ambiguous criteria do not create legal certainty on the scope.
The definitions need to be reconsidered and refined to avoid significant legal uncertainty. The compromise text limits the “related service” definition to services that are already interconnected with the IoT device at the time of its purchase, rental, or lease. It could be also considered to exclude ‘general purpose data processing devices’, such as smart phones, that are used to host various apps that collect and transmit data for various purposes.
Micro and small companies with less than 50 employees and an annual revenue or a balance sheet total not exceeding EUR 10 million are exempt from some obligations. At least within the EU, this may privilege a large number of companies.
All types of cloud computing services, including IaaS, PaaS, and SaaS, will be subject to the Data Act, which defines a “data processing service” as “a digital service other than an online content service as defined in Article 2(5) of Regulation (EU) 2017/1128, provided to a customer, which enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources of a centralized, distributed or highly distributed nature.”
Personal and Non-Personal Data
Data is defined as “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording.” This very broad definition includes both personal and non-personal data. Personal data collected and processed by IoT products and related services is governed by the existing rules of the GDPR that will remain unaffected by the Data Act. However, the Data Act will enhance data holders’ obligations and the data subjects’ rights with regard to such personal data. Such data would also include any data the user intentionally records using the IoT product or service, any diagnostic data, and any data collected in “standby” or “switched-off” mode. The compromise text clarifies that raw data, prepared (cleaned and processed) data, and metadata are within the scope of this definition.
Key Obligations of IoT Providers
Under the draft Data Act, manufacturers and providers of IoT products and services, as well as their users, will be subject to several obligations that aim to ensure access, sharing, and portability of data regarding the use these products and services.
Easy Access to Data
First of all, manufacturers and developers will be obligated to design IoT products and services in a way that allows users to directly, easily, and securely access the data generated by the use of these products and services. The first compromise text clarifies that the obligation is limited to the data of the respective data holder, which may be the manufacturer or provider of the IoT products or services or a third party, such as the seller or lessor of the IoT device. If such usage data cannot be directly accessed, the user may request that the data holder make that data available in a common, structured, and machine-readable format without undue delay and, where applicable, in real time. The data holder must not charge a fee for such access or supply of data.
The data holder is also obligated to disclose its trade secrets that may be included in such usage data, provided that all specific necessary measures are taken to preserve their confidentiality, for example, by way of non-disclosure agreements. It is doubtful that this ensures an efficient protection of trade secrets relating to a certain product in practice when such confidential information must be disclosed to all product users. It seems more feasible to exempt the disclosure of trade secrets from these data access obligations.
Access to any personal data requires a valid legal basis under Art. 6 GDPR or Art. 9 GDPR, such as the individual’s consent, necessity for performing a contract, or legitimate interest. This puts the full burden and liability risk to decide whether the GDPR requirements are fulfilled, on the data holder. In addition, this point raises questions of whether a data holder may refuse to share mixed data sets for GDPR compliance if personal and non-personal data are not separated and cannot be separated with commercially reasonable efforts, for example, by taking into account that the data will be shared free of charge. Finally, the Data Act seems to shift the de facto control of non-personal data generated by the use of an IoT product or service from the data holder to the user of such device and service. It stipulates that the data holder may use any such non-personal usage data only in accordance with the terms of the contract with the user. In addition, it excludes the use of such data for gaining insights about the economic situation, assets, and production methods.
Pre-Contractual Disclosure Obligations
There are also “pre-contractual disclosure requirements” to be met prior to the sale, rental, or lease of an IoT product or service to a user, including specific disclosure of information on the type and volume of data collected, how access to the data is granted, and the identity of the data holder, which, for example, may be the seller of the product or service or its manufacturer, developer, or provider.
Sharing of Data
Under the conditions outlined above, the user may also request that the data holder make available usage data to a third party designated by the user. Large online platform providers that qualify as gatekeepers under the Digital Markets Act are not eligible to be third parties in this respect. Neither the user nor third parties may use provided usage data to develop competing IoT products or services. While the third party may not make such data available to another third party, unless this is required to provide the service as agreed with the user, in practice, it may be difficult for the data holder to restrict or even monitor the use of its data once it is made available to others.
Terms and Conditions of Data Sharing
The draft Data Act significantly impacts the freedom of data holders to determine their contract terms for data sharing:
In cases where a data holder is required to share data with a third party (the “data recipient”), either under the Data Act or under other EU laws, the draft Data Act stipulates extensive rules for the terms and conditions under which the data must be shared, including that such terms and any fees must be fair and reasonable, and use non-discriminatory terms in a transparent manner. In case data must be made available to SMEs, requested fees must not exceed the costs directly related to making the data available.
The Data Act also aims to protect SMEs that have contracts with larger data holders by establishing a set of specific contract terms for data access and use that are considered unfair and invalid if the terms are unilaterally imposed by the data holder, i.e. are not negotiated between the parties. With regard to B2C contracts, such unfair contract terms rules are already in place under EU consumer protection laws.
Under the current draft Data Act, it is unclear whether the rules that impact the contractual freedom of businesses will also apply to B2B data sharing contracts for which the contracting parties have validly chosen a non-EU law as governing law in accordance with the EU conflicts of law provisions.
Switching Between Cloud Services
Providers of data processing services, including cloud and edge services, face a broad catalogue of requirements obligating them to facilitate customers switching to other providers of similar services as a key condition for a more competitive market.
The proposed requirements apply to the transition of customers from cloud to an on-premises environment too. Providers are, for example, required not to impose any technical or contractual restrictions that would prevent the customer from:
Terminating its current services contract upon no more than 30 days’ prior notice, or up to 2 months under the compromise text,
Porting its data, and metadata, as specified in the compromise text, to another cloud service or on-premises system, or
Maintaining functional equivalence of the service in the new provider’s IT environment.
After a proposed transition period of three years, cloud providers may no longer charge their customers any fees for the switching process and will be forced to recalculate their general services fees to cover costs incurred from customers switching to other providers. Finally, providers are required to include in their cloud services contract numerous standard contract clauses specified in the Data Act to facilitate switching.
To improve interoperability and portability, the Data Act authorizes the Commission to request that EU standardization organizations develop European standards for specific cloud services, and obligate providers to ensure compatibility with these standards and existing open interoperability specifications.
Stay European ‒ Restricting International Flows of Non-Personal Data
The Data Act complements the GDPR and imposes material restrictions on the international transfer of non-personal data. The main driver behind these requirements is the EU’s growing concerns about access by foreign governmental authorities to sensitive, protected, or other confidential data that may compromise the security, defense, and commercial interests of EU Member States and companies, or the fundamental rights of individuals. Cloud providers must take all reasonable technical, legal, and organizational measures to avoid international transfers or governmental access to non-personal data held in the EU that would be in conflict with EU or national law. In addition, third countries’ data access requests, for example, by foreign court judgments or administrative orders, will only be recognized or enforceable if based on an international agreement or if the legal system affords legal protections similar to the requirements in the Data Act.
Enforcement of the Data Act
Like the GDPR, the Data Act will be enforced by individual EU Member States, which will appoint competent national authorities for this task. Member States will also have to establish a framework of effective, proportionate, and dissuasive fines for violations of the Data Act. However, the Data Act does not propose GDPR-style, revenue-based fines.
Will the UK’s Regulatory Framework Follow Suit?
Following the UK’s departure from the EU in 2020, businesses with operations that straddle both the EU and UK are faced with the additional hurdle of a diverging legal landscape that presents difficulties with cross-border compliance.
The UK government has shown no active intention to incorporate the Data Act into the UK’s own data-related regulatory framework. In fact, the UK currently plans to “update and simplify” its existing data protection regime, which is presently based on the EU GDPR, by introducing its own bill on data sharing: the UK Data Protection and Digital Information Bill, also known as the Data Reform Bill (the “Bill”). In its current form, the Bill regulates access to “business data,” which includes information that:
Relates to the “supply or provision of goods, services and digital content”; or
Is “about goods, services and digital content supplied.”
Substantively, the Bill enables the UK secretary of state and H.M. Treasury to issue regulations that would require data holders to make customer data and business data available to customers or third parties via “smart data schemes.” Notably, the Data Act regulates data generated from “product usage” by an end user, and it’s not immediately clear if this sort of data falls within the present definition of “business data” under the Bill. Furthermore, the “smart data schemes” under the Bill only seem to cover transfers of in-scope data to a customer or third-party businesses at the customer’s request; there does not seem to be any intention to facilitate commercial innovation via data sharing between companies that isn’t customer-initiated.
That being said, the Bill is in the very early stages of the legislative process and could look very different if and when it comes into force. It remains uncertain whether any changes will be made specifically to the non-personal data sharing sections of the Bill, and whether such changes will align with or diverge from the Data Act.
While implementing the data access and sharing requirements of the Data Act will impose initial and ongoing efforts and costs on larger IoT companies and will most likely cause loss of de facto exclusive control over non-personal data by manufacturers of connected devices and by related service providers, access to such data will likely foster new data-driven business models and developments, in particular for emerging companies in the EU that are privileged by the SME exception. Concerns that, under the current proposal, trade secrets of the providers are not sufficiently protected against unauthorized use, should be addressed by the EU legislature. Customers of cloud services and also large, innovative, and cost-efficient cloud providers, and competitive new providers, will likely profit from easier switching conditions in the cloud services space. The restrictions of international transfers of data may significantly impact the current data flows of international cloud services and may impact business opportunities in the EU for non-EU IoT and cloud services companies, such as companies from the U.S. and the UK, including their EU subsidiaries. To limit the impact, in any case, these restrictions should not exceed what has been implemented for personal data transfers under the GDPR in accordance with the guidance of the European Data Protection Board. A less intrusive approach would be to limit the restrictions to certain categories of sensitive data or to certain organizations, such as governmental agencies and operators of critical infrastructures, where such additional protection may indeed be required to protect the public interest, and spare all other private industry sectors.
About the Authors
Kristina Ehle is partner at Morrison Foerster, Sana Ashcroft is associate at Morrison Foerster. Morrison Foerster transforms complexity into advantage. With our collective intelligence, we shape powerful legal strategies that move your business forward while living our shared values. We solve your most critical multidimensional challenges in a way that provides clarity around the risk you are facing and gives you confidence in your chosen path. We pair diversity of perspective with a strategic consultative approach to craft the tailored st
Featured image: ©mixmagic