By Anuradha Gandhi and Rachita Thakur
The European Union has enforced its new Data Act (hereinafter referred to as the “Act”) on January 11, 2024 with the stated goal of unlocking the EU’s economy, the Data Act imposes a set of wide-ranging data sharing, product design and contractual obligations on providers of Internet of Things (IoT). The Act puts in place new rules for a fair and innovative data economy and which define the rights to access and use data generated in the EU across all economic sectors and will make it easier to share data, in particular industrial data.
Why is the New Data Act?
The rapid growth of connected devices, the use of connected object of the Internet of Things (IoT) in the EU markets has led to increasing generation of huge amount of data. The new rules enable users of connected products to access data generated by these devices and to share with third parties.
What does the Act provide for?
1. Data access and sharing – The Act lays down rules for B2B and B2C data access and sharing thereby obligating manufacturers to design products and services in such a manner that the generated data is directly accessible to users and to provide information to users on generated data, its accessibility and users’ rights.[1]
a. Connected Products – The scope of affected products here is broad. Connected Products include all devices and equipment which collect data concerning their use of environment and which then can communicate such data through an electronic communications services, a physical connection or on-device access. For B2B, connected product would include, braking systems, elevators, factory machines capable of collecting data or smart solar panels while for B2C these can include home appliances such as smart fridges, smart speakers and cleaning robots, fitness trackers, medical devices, and modern cars.
b. Connected Services- These are digital services which are incorporated or inter-connected with the product at the time of purchase or subsequently connected to the product by a manufacturer or a third-party, which are essential for the product to perform its primary function. Examples of the same include, voice assistants, music streaming services which connect to a smart speaker, lifestyle advice applications, etc.
c. Public sector bodies will be able to access and use data held by private sector to help respond to public emergencies such as floods, wildfires, or while implementing a legal mandate where the data is required but is not readily available through other means.
2. Gatekeepers – The Act aims to protect European businesses from unfair contractual terms in data sharing contracts, so that small businesses can take part more actively in the data market.
3. Cloud switching – The Act introduces a number of contractual, commercial and technical requirements to facilitate the transfer of data from one provider to another. It allows customers to switch seamlessly between different cloud providers.
4. Interoperability – The Act introduces measures to promote the development of interoperability standards for data-sharing and for data processing services.
What does this mean for businesses and citizens?
1. Lower prices for repair of smart devices. Third parties can have access to data of smart devices on request by users for repair purposes. Earlier, only the manufacturers could access such data.
2. Unlocking new opportunities to use services relying on access to data. Until now the each machine’s data was locked by its manufacturer. However, with the Data Act, data from machines of different manufacturers can be gathered and used for potential benefits.
3. Better access of data. Parties such as manufacturers and companies can synchronize and provide enhanced services through collaborative use of data.
The Act also obligates the member states to lay down rules on penalties for infringements of Data Act and the EU supervisory authorities may impose administrative fines as provided in the EU GDPR for certain infringements of the Act.
The General Data Protection Regulations (GDPR) applies to personal data only however, the Act has a broader scope and applies to both personal and non-personal data. The Act will have wide range of implications across industries and enterprises given how industries work on data. Though complicated, the Act mandates compliance for all in twenty (20) months from the date of enforcement, that is, September 11, 2025.