New rules allowing businesses and consumers to access data generated by connected devices are at the heart of the Data Act proposal. These rules substantially expand on existing ideas – first laid down in Article 20 of the GDPR – that data subjects should have a right to access data that they have generated. Chapter II of the Data Act expands the right to data portability beyond personal data to cover all data generated by connected devices and related services, including data created in business to business settings. If adopted in its proposed form, the Data Act would introduce a general access right to data generated by devices ranging from personal virtual assistants to industrial appliances and everything in between. The mechanism proposed by the Commission has the potential to unleash vast amounts of data that so far has been largely under the control of the manufacturers of devices and the providers of services.
Chapter II of the proposed Data Act (‘Business to Business and Business to Consumer data sharing’) creates a new access right for users of “products” and “related services” to the data generated by these devices and services, which are owned or leased by consumers and businesses. According to the proposal, it is intended to
“facilitate the access to and use of data by consumers and businesses, while preserving incentives to invest in ways of generating value through data” (explanatory memorandum, page 3).
It requires manufacturers to design such products and services in a way that the data is easily accessible and to be transparent on what data is being generated, if and how the data will be used by the manufacturer, and how users can access it. The provisions preserve the possibility for manufacturers to access and use data from products or related services that they offer when contractually agreed with the user. In addition, there is an obligation on data holders (manufacturers or third parties) to make such data available to third parties upon request by the users.
Article 3 implements an obligation of manufacturers and service providers “to make data generated by the use of products or related services accessible”. It requires that products must be designed and services must be provided in such a manner that “data generated by their use are, by default, easily, securely and, where relevant and appropriate, directly accessible to the user”. It further requires that “before concluding a contract for the purchase, rent or lease of a product or a related service” users are provided with information on the nature and volume of the data generated by the device or service, whether the manufacturer or service provider intends to use such data (or allow a third party to use it) and how the user can access the data or request to share it with a third party.
Article 4 establishes a “right of users to access and use data generated by the use of products or related services”. Upon request by users, data holders (manufacturers of devices and providers of services or entities holding the data on their behalf) must make available to the user the data generated by the use of a product or related service “without undue delay, free of charge and, where applicable, continuously and in real-time”. In the case of personal data, this obligation only applies where there is a valid legal basis under Article 6(1) of the GDPR. Article 4 also introduces safeguard measures against abuse of data by data holders who can only use the data “on the basis of a contractual agreement with the user”; and who must not use the data to “derive insights about the economic situation, assets and production methods of or the use” to undermine the commercial position of the user.
The article includes an exception from this obligation for trade secrets, which “shall only be disclosed provided that all specific necessary measures are taken to preserve the confidentiality of trade secrets in particular with respect to third parties”. In addition, “the user shall not use the data obtained […] to develop a product that competes with the product from which the data originate”.
Article 5 expands this right to include the right to share data with third parties. Upon request of the user, or a third party authorized by the user, the data holder needs to make data available to a third party “without undue delay, free of charge to the user, of the same quality as is available to the data holder and, where applicable, continuously and in real-time”. However, such data cannot be shared with undertakings designated as gatekeepers pursuant to the upcoming Digital Markets Act, who are also banned from soliciting or incentivizing users to request making data available to them.
Article 6 introduces a number of safeguards related to the use of data transferred to third parties. Data holders can request compensation from third parties for making data available to them as long as it is reasonable and non-discriminatory. Third parties may use the data only for the purposes and under the conditions agreed with the user, and shall delete the data when they are no longer necessary. They are also explicitly banned from using the data for the profiling of natural persons, making data (including derived data) available to another third party unless this is necessary for the provision of the service agreed with the user, making the data available to gatekeepers, developing competing services or products, preventing the user from further sharing the data, or using dark patterns to coerce, deceive or manipulate the user.
Finally, Article 7 excludes data generated by the use of products manufactured or related services provided by micro and small enterprises that are not economically dependent on another enterprise from obligations established in this chapter.
Finally, article 7 excludes data generated by the use of products manufactured or related services provided by micro and small enterprises that are not economically dependent on another enterprise from obligations established in this chapter.
Chapter III (‘Obligations for Data Holders legally obliged to make data available’) contains a number of additional rules that are relevant when data is shared with third parties. Among other provisions, it requires that data holders must share the data under fair, reasonable, and non-discriminatory terms and in a transparent manner and that any compensation for making data available to third parties shall be reasonable and non-discriminatory.
The measures introduced in this chapter are flanked by Article 35 (Chapter X), which clarifies that the Sui Generis Database Right introduced by the 1996 Database Directive does not apply to databases containing data obtained from or generated by the use of a product or a related service.
We welcome the fact that the Commission has decided to address the issues around access to data generated by connected devices in the form of non-exclusive access rights and not via the creation of additional exclusive ownership rights. Recital 6 explicitly states that:
“In order to realise the important economic benefits of data as a non-rival good for the economy and society, a general approach to assigning access and usage rights on data is preferable to awarding exclusive rights of access and use.”
This is in line with the general approach that we have proposed in our policy brief on the issue. The overall mechanism proposed by the Commission in this chapter is sound and will likely have a significant impact on the data economy in the EU. In line with the approach taken in the DGA, the proposed rules apply both to personal and non-personal data. This means that Chapter II will both strengthen the data portability right established in Article 20 of the GDPR and introduce a similar mechanism for non-personal data generated in industrial contexts. The Commission seems to have learned from the difficulties of exercising the data portability right, and as a result the provisions in the Data Act are much more descriptive when it comes to the mechanics of data sharing, but stop short of requiring access via APIs.
Requiring manufacturers and service providers to design their services and products so that the data they generate is easily accessible places substantial (transitional) constraints on them. This is, however, justified by the objective of mitigating power imbalances that stem from the ability to exclusively control user-generated data. The Commission rightly places the objectives of a high level of consumer protection and the creation of a more level economic playing field above the concerns related to the preservation of data-extractive business models. As the Commission notes in the explanatory memorandum,
“owner[s] may benefit from a better user experience and a wider range of, for example, repair and maintenance services.” (explanatory memorandum page 13).
Seen in this light, the proposed provisions would also be an important step towards a more general right to repair — and thus have the ability to further sustainability efforts.
However, these high-flying ambitions can be substantially undermined by two elements of the proposal. The first is the exception granted to trade secrets, which — given that trade secrets can be unilaterally declared — is ripe for abuse, especially when it comes to relations between individual consumers and commercial entities. The other is the exclusion of micro and small enterprises (less than 50 employees and annual turnover and/or balance of less than €10M) from all of the obligations under the chapter. While it may make sense to exclude them from the more onerous requirements to share data with third parties, the obligations related to direct data access by users in Articles 3 and 4 should also apply.
One other aspect of the proposal that merits a critical evaluation is the fact that data that is accessed under the Chapter II rules cannot be used — by the user or a third party authorized by the user — to develop competing products. This limitation is likely to severely limit the usefulness of these provisions as a counterbalance to vendor lock-in through the development of competing products and services.
Finally, while the fact that the Sui Generis Database Right cannot be invoked on databases containing the data governed by these rules is welcome, the fact that this needs to be expressly stated is another illustration of the problematic nature of this ill-fated right in the data economy.