Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data (“Data Act”) came into force on 11 January 2024 and represents an important step towards realising the European data strategy. The stated goal of the new Regulation is to remove barriers to accessing data, while creating incentives for investing in data generation.
Background
Less than two years after the Commission presented an initial draft (article of 9 March 2022), the Data Act has now come into force following numerous – and sometimes substantial – amendments during the legislative process, most recently in the trilogue negotiations. Although the majority of the provisions of the Data Act will apply from 12 September 2025 or 12 September 2026 (product design obligations), respectively, some already require action now.
A core element of the Data Act is to grant users (or third parties designated by them) access across all sectors to data generated by their connected products (Internet of Things or IoT products) and related services. Data holders will only be able to use and exploit non-personal data generated by IoT products on the basis of a contractual agreement with the user. This gives users control over data generated by IoT products, even if it is not intended to create “data ownership”. Personal data may still (only) be used to the extent permitted by the General Data Protection Regulation (GDPR), so a certain degree of complex overlap between the Data Act and the GDPR seems inevitable.
Other areas covered by the Data Act include in particular:
Data holders’ rights to use data
Product design obligations for manufacturers of IoT products
Unfairness test for general terms and conditions in B2B data use contracts
Rights for public sector bodies to access data in situations of exceptional need
Provisions to facilitate switching between data processing services
Safeguards for international access to and transfer of non-personal data
Requirements for the interoperability of data spaces and data services
The Data Act covers both personal and non-personal data, but makes it clear that the level of protection created by existing data protection regulations, in particular the GDPR, should not be lowered. Other specialised legal provisions – with the exception of database law – are also unaffected.
Users’ right to access data generated by IoT products
According to Article 4(1), the user of an IoT product is entitled to demand that the data holder make “readily available” data accessible to it without undue delay, of the same quality as is available to the data holder, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format and, where relevant and technically feasible, continuously and in real time.
The Data Act provides definitions for most terms, including “user”, “data holder”, “connected product” (here also IoT product) and “product data”. However, some of these definitions are not entirely clear.
A connected product is an item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data (e.g. via on-device access or a Wi-Fi connection) (Article 2 (5) Data Act). This includes, for example, fitness trackers, smartwatches, connected vehicles, driver assistance and navigation systems, video game consoles, smartphones and connected kitchen and household appliances. It does not cover products and modules that do not permit the transfer of data and items whose main function is to store third-party data (this excludes servers in particular).
Product data are data generated by the use of a connected product that the manufacturer designed to be retrievable (Article 2 (15) Data Act). However, users are only entitled to access “readily available data” (Article 2 (17) Data Act), i.e. data that the data holder can obtain without disproportionate effort going beyond a simple operation. This includes not only raw data, but also pre-processed data (e.g. physical quantities such as temperature, oil pressure, speed, position) and metadata. By contrast, information inferred or derived from such data is no longer regarded as product data and therefore does not fall under the right of access. Such information includes the results of processing such data, for example using proprietary algorithms obtained by making additional investments (e.g. the interpretation of speed data). In some cases, it will be difficult to draw the line between data that are covered by the Act and data that are not.
According to the somewhat misleading definition, a data holder is any person who has the right or obligation to use and make available data (Article 2 (13) Data Act). The definition can only be understood to mean that the data holder is the person who has actual control over the data and is in a position to grant the access under the Data Act. This was clarified by the amendments proposed during the legislative process, but these were unfortunately not included in the final text.
Finally, a user is any person who owns a connected product or to whom temporary rights to use that connected product have been contractually transferred (Article 2, point (12) Data Act). Users can therefore be owners, co-owners or renters, for example. Persons who only use a product for a time (e.g. family members) are not deemed to be users, however.
The data should be made available to the user free of charge. However, it is unclear whether the data holder must transmit the data or whether it is sufficient for the data to be made accessible to the user on the data holder’s own server (in this direction, cf. recital 22). Also, the Data Act does not define the term “make available”.
Unlike in the case of the data holder (see below), the Data Act imposes almost no restrictions on the user’s right to use the data made available. The data may therefore essentially be used for all legal purposes, except for the development of competing products.
Data holders’ rights of use
Data holders’ rights of use will be restricted under the Data Act to the extent that they will only be able to use non-personal data on the basis of a contract with the user (Article 4(13) Data Act). However, there is nothing to stop data holders from making the use of a product dependent on the user having been granted a right of use. That said, it will probably no longer be possible to grant exclusive rights of use, at least not in general terms and conditions.
In the case of personal data, however, nothing will change – data holders may only use such data in compliance with data protection regulations (in particular the GDPR).
Third parties’ rights to access and use data
The Data Act does not grant third parties who are not users a direct right to access a data holder’s data. At the request of a user, however, the data holder must make the data available to any third party – which may also include a competitor of the data holder, but excludes any gatekeepers within the meaning of the Digital Markets Act (Article 5(1) Data Act).
Third parties may nevertheless demand access to the data on behalf of a user. Such third parties may be providers of a service (e.g. a garage that approaches a vehicle manufacturer about data on behalf of a driver) or data intermediaries that demand access to data on behalf of a large number of users.
Whereas data is made available free of charge directly to a user, the transmission of data from a data holder to a third party is not free of charge. The data holder must make the data available to the data recipient under FRAND terms and conditions (“Fair, Reasonable and Non-Discriminatory”). The data holder can therefore demand reasonable remuneration from the data recipient, the amount of which is calculated on the basis of the costs incurred in making the data available, the investment costs and a reasonable margin (Article 9(1) Data Act).
The scope of the data recipient’s rights of use depends on the contractual agreement with the user. The data recipient must erase the data when they are no longer necessary for the purpose agreed with the user (Article 6(1) Data Act). If the data recipient is a microenterprise, a small or medium-sized enterprise (“SME”) or a not-for-profit research organisation, the remuneration may not include a margin. The Commission will adopt guidelines on the calculation of reasonable remuneration.
Following the “compliance by design” approach, the Data Act requires manufacturers of IoT products and providers of related services to design and manufacture/provide their products and services in such a way that the obligations to make data available laid down by law can be fulfilled (Article 3(1) Data Act).
Unfairness test for general terms and conditions in data use contracts
Another important aspect of the Data Act is the introduction of an unfairness test for general terms and conditions in B2B relations for “unilaterally imposed” provisions relating to data access and data use. Contrary to what was still envisaged by the Commission’s draft, the rules on unfair contractual terms apply not only to clauses unilaterally imposed on an SME, but also to the field of B2B in general. A clause is to be regarded as “unilaterally imposed” if it is introduced by one of the contracting parties and its content cannot be influenced by the other contracting party despite attempts to negotiate it. In this case, the burden of proof is on the party imposing the clause (Article 13(5), sentence 2 Data Act).
Some of the prohibited clauses listed in Article 13 Data Act are already covered by German law on general terms and conditions, which means that companies need not expect major changes. However, the data-related provisions may be of considerable importance for existing and future contracts in a data context.
According to the catch-all provision in Article 13(3) Data Act, a standard term can be considered unfair if its use grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing. In addition, Article 13 Data Act distinguishes between “black” and “grey” clauses (even though the German translation of the Data Act does not make such a distinction, and will therefore presumably have to be amended):
The “black clauses” listed in Article 13(4) Data Act are always considered to be unfair (shall be unfair). These include, in particular, clauses that give the user the right to determine whether the data supplied are in conformity with the contract.
The “grey clauses” listed in Article 13(5) Data Act are presumed to be unfair. For instance, these include clauses (i) that allow the user to access and use the data of the other contracting party in a manner that significantly impairs the legitimate interests of the other contracting party – for example, in the case of commercially sensitive data or if data are protected as trade secrets or intellectual property, (ii) that prevent the contracting party from making use of the data provided by that party in an adequate manner, or (iii) that prevent the contracting party from obtaining a copy of the data provided or generated by that party during the term of the contract or within a reasonable period after the termination thereof.
However, a clause is to be regarded as unilaterally imposed only if it is introduced by one of the contracting parties and its content cannot be influenced by the other contracting party despite attempts to negotiate it. In this case, the burden of proof is on the party imposing the clause (Article 13(5), sentence 2 Data Act).
Before 12 September 2025, the Commission will develop and recommend non-binding model contractual terms on data access and use (Article 41 Data Act).
The unfairness test for general terms and conditions under Article 13 Data Act applies to new contracts that are concluded after 12 September 2025. The unfairness test will also apply to old contracts (i.e. contracts concluded on or before 12 September 2025) from 12 September 2027, provided that these contracts provide for an indefinite term or are due to expire 10 years from 11 January 2024 at the earliest.
This means that companies need to comply with the requirements of the unfairness test for general terms and conditions now when concluding new contracts with an indefinite term or with a term of more than 10 years.
Dealing with trade secrets
The protection of trade secrets was hotly debated during the legislative process. The Data Act does not answer the question of when data actually constitute trade secrets. There is no denying the risk, however, that a large amount of aggregated data can, for example, be used to determine how a device works or to uncover other trade secrets. Nevertheless, according to the Data Act, the mere classification of data as trade secrets does not exclude the obligation to grant rights to access and use data. The Regulation takes the approach of ensuring protection through technical and organisational measures (TOMs) that must be agreed.
According to Article 4(6) Data Act, trade secrets therefore only have to be disclosed to users and data recipients if all necessary measures have been taken beforehand to preserve their confidentiality. This includes technical and organisational measures, especially non-disclosure agreements or in situ access to the data. If data recipients or other third parties do not comply with the agreed measures, they must, at the request of the data holder or trade secret holder, (i) erase the data, (ii) withdraw from the market goods produced on the basis of the data, and/or (iii) where this is appropriate in light of the interests of the data holder or user, inform the user of the unauthorised disclosure and pay compensation to the injured party (Article 11(2) Data Act). The same obligations apply to a user who alters or removes the technical protection measures or does not maintain the technical and organisational measures agreed with the data holder or trade secrets holder.
The data holder can only refuse to grant access to data in exceptional circumstances, namely if it is able to demonstrate that, despite compliance with the TOMs by the user or third party, serious economic damage is highly likely to result from the disclosure of trade secrets. The data holder must duly substantiate its refusal in writing without undue delay on the basis of objective elements and notify the competent national authority. Such elements include, in particular, the lack of protection of trade secrets in third countries, the nature and level of confidentiality of the data requested, the uniqueness and novelty of the product as well as a negative impact on cybersecurity. The requirements for refusing access are therefore very high, which means that they are very difficult to fulfil in practice. The Data Act thus attaches more importance to the right of disclosure than to the protection of trade secrets.
Conclusion
It remains to be seen to what extent the Data Act will actually unlock the potential of the data generated in the EU. Foreign product manufacturers are following the developments relating to the new Data Act with both interest and concern. Should the Regulation achieve its intended effects, it can certainly serve as a blueprint for future legislation in countries outside of Europe.
For IoT companies, however, the Data Act will require considerable effort when it comes to compliance and execution. Simply identifying product data that, from 12 September 2025, must be disclosed to users and data recipients on request will pose a challenge for many businesses. And companies already have to keep an eye on the contract design requirements outlined above as well as – given the long development cycles – the product design obligations contained in the Data Act.