The most important requirements to be met by manufacturers, data holders and data contracts
With the recently adopted Data Act, the EU is continuing to implement its data and digital strategy and, in addition to data access rights for users of IoT products, is introducing requirements for data contracts, the switching of cloud services as well as interoperability requirements. All non-personal data affected in connection with the use of an IoT product are covered.
Data holders: Grant of data access
The regulatory focus of the Data Act is user access to the product data of an IoT product. Product data include both data that are generated deliberately – for example, through user input – and data that are generated indirectly through user actions or even during user inactivity. The data must be made available to a third party at the user’s request. The handling of personal data poses a particular challenge: The seamless transition between the Data Act and the GDPR is likely to lead to considerable legal uncertainty in practice with regard to the distinction between personal and non-personal data, which is not always clear, and the different requirements under the two legal acts.
To-do
Check the technical options for the grant of data access and the separation of processed personal and non-personal data in accordance with data protection law.
Manufacturers: Accessibility by design
The requirements of the Data Act begin with the manufacture of IoT products: Products must be designed and manufactured in such a way that product data can be made available, by default, easily, securely, free of charge and in a comprehensive, structured, commonly used and machine-readable format. Non-compliance with these requirements can lead to more than just regulatory measures: In the foreseeable future, operators and data holders will only purchase products that enable them to implement their own obligations under the Data Act. If the product manufacturer is also the data holder, these requirements must also be taken into account.
To-do
Check and, if necessary, introduce a technical option for providing product data in a structured, commonly used and machine-readable format.
Data contracts and GTC: Fair terms
The Data Act also stipulates contractual requirements for the use and transfer of data in the B2B sector: For example, the transfer of data must generally take place on FRAND terms, i.e. on fair, reasonable and non-discriminatory terms. In addition, no unfair contractual terms may be used. A contractual term is unfair if it is of such a nature that its use grossly deviates from good commercial practice in data access and use. This includes, for example, terms that grant the party that unilaterally imposed the term the exclusive right to determine whether the data supplied are in conformity with the contract.
To-do
Drafting, reviewing, adjusting or amending contracts and general terms and conditions for the provision and use of data in accordance with the requirements of the Data Act.
Conclusion
The Data Act is another cornerstone in the new European digital law and, alongside the GDPR, brings numerous requirements to be met by manufacturers, operators and data contracts in relation to non-personal product data. Even though most of the requirements will not take effect until the end of 2025/2026, initial precautions must already be taken now with regard to product development cycles.
back