A team from Freshfields Bruckhaus Deringer outline the ambit of the impending EU Data Act which aims to free up access and sharing of data.
As part of the EU Strategy for Data, the Data Act is intended to be a landmark piece of legislation, creating a horizontal framework for the access and sharing of data. It will apply to a wide range of businesses across all sectors, such as tech, health, automotive, energy or agricultural. It will bring about a paradigm shift enabling users (and third parties) access to data generated by the use of products and related services.
Obligation to inform users and obligation to give access to data
When a business is offering users certain types of products or related services, before concluding a contract for the purchase, rent or lease of such product or related service, at least the following information shall be provided by the business offering the product or the related service to the user, in a clear and comprehensible format:
(a) the nature and volume of the data likely to be generated by the use of the product or related service;
(b) whether the data is likely to be generated continuously and in real-time;
(c) how the user may access those data;
(d) whether the manufacturer supplying the product or the service provider providing the related service intends to use the data itself or allow a third party to use the data and, if so, the purposes for which those data will be used;
(e) whether the manufacturer supplying the product or the service provider providing the related service itself is the data holder (i.e. the one having the right or the ability, through the control of the technical design of the products or related service, to make certain data available) and, if not, the identity of the data holder;
(f) the means of communication which enable the user to contact the data holder quickly and communicate with that data holder efficiently;
(g) how the user may request that the data are shared with a third-party; and
(h) the user's right to lodge a complaint alleging a violation of the Data Act with the competent authority.
The users (irrespective of whether consumers or not) will have the right to request access to any data generated by the use of these products from the "data holder" (which must not necessarily be the business obliged to provide the above information).
Products and related services shall be designed and manufactured, and related services to be provided, in such a manner that data generated by their use are, by default, easily, securely and, where relevant and appropriate, directly accessible to the user.
Where data cannot be directly accessed by the user from the product, the data holder shall made available to the user the data generated by its use of a product or related service without undue delay, free of charge and, where applicable, continuously and in real-time. This shall be done on the basis of a simple request through electronic means where technically feasible.
Should the user request so, the data holder shall make available the data generated by the use of a product or related service to a third party, without undue delay, free of charge to the user, of the same quality as is available to the data holder and, where applicable, continuously and in real-time.
These information, data sharing and data access obligations, however, only apply for a particular set of "products" and "related services".
A "product" is defined by the Data Act proposal as "a tangible, moving item, including where incorporated in an immovable item, that obtains, generates or collects, data concerning its use or environment, and that is able to communicate data via a publicly available electronic communications service and whose primary function is not the storing and processing of data".
Recital 14 of the Data Act proposal emphasises that not only consumer goods such as vehicles or home equipment, but also medical and health devices or agricultural and industrial machinery would in principle be covered by the Data Act.
Yet, products whose primary function is "the storing and processing of data" are out of scope. Recital 15 to the Data Act proposal clarifies that items which are "primarily designed to display or play content, or to record and transmit content, amongst others for the use by an online service" should not be covered by the Data Act (as they "require human input to produce various forms of content, such as text documents, sound files, video files, games and digital maps" and are thus in contrast to products which "obtain, generate or collect, by means of their components, data concerning their performance, use or environment"). Examples of such products being exempt from the Data Act's scope (as provided in the Commission proposal) include personal computers, servers, tablets, smart phones, webcams, sound recording systems or text scanners.
As clear as this may sound, drawing the dividing line between products outside of this explicit set of examples might be difficult in practice.
The comparison between smart phones and smart watches is a good example. To a certain extent, both collect data by means of their components such as sensors. In fact, both of them have motion sensors to measure the user's steps, position sensors to detect the user's physical location or ambient sensors to detect information about the user's surroundings (temperature, light, etc). Both are also designed to display or play content (play music over an app, display messages, display information such as weather), or to record and transmit content (for example a smartphone can record pictures, a smartwatch can record the sleep pattern).
Considering the similarities and following the Commission's reasoning as set out in the recital, there are good arguments that a smart watch should also not fall within the scope of the Act.
In course of the legislative process, the Council presidency has already addressed this uncertainty and argues to include smart watches in the "products" definition as they have "a strong element of collection of data on human body indicators or movements and should thus be considered covered by the definition of product".
It remains to be seen which line of argumentation will prevail at the end of the legislative process. Yet, this example shows that the currently proposed definition of relevant products is not that "clear-cut" and that further guidance from the EU legislator would indeed be helpful.
Relevant "related services"
The Data Act defines "related service" as a "digital service, including software, which is incorporated in or interconnected with a product in such a way that its absence would prevent the product from performing one of its functions."
Let's take a connected fridge as an example. Such a fridge can contain cameras to track the content of the fridge or sensors scanning the RIFD tag or barcode on grocery items to create an automatic inventory. The user can be offered additional services through the fridge's display such as being able to manage grocery lists, set-up automatic online purchases when certain food items are used up, track expiry dates or receive recipe recommendations based on the available items. These services are directly incorporated in the fridge and, as their absence would prevent the fridge from performing these functions, they will likely constitute "related services".
To take this example on step further, the user could receive these services not just through the fridge's display but also be means of a connected app. So, in that case, the services are not physically incorporated in the product as they are being received on a different device. This raises the question whether the app-based services would still be considered to be "related services" (which would only be case if such app would be seen as being "interconnected" with the fridge). The Commission, however, does not provide further guidance as to how far the term "interconnected" should be understood.
Another question arising in this context is which "functions" actually are decisive for services to be considered a "related service"? Only core functions or also ancillary functions of the product? Recital 16 of the Data Act proposal states that a "related service" is a service which can be part of a contractual agreement with the user or which the user could reasonably expect given the nature of the product. Yet, it is not clear from the Data Act proposal whether the decisive criterion for a relevant "function" should be rather what can be reasonably expected by the user given the nature of the product or has been contractually agreed by the user, then whether it is a core function of the product being addressed by such service or not.
Ongoing legislative process
As shown, even in relation to the main terms defining the scope of the proposed Data Act, further guidance in the course of the legislative process is needed for businesses to be able to determine whether they are subject to the obligations set out in the proposed Data Act in relation to their specific products or related services. In any case, businesses offering data-driven products or related services should consider assessing the implications of the Data Act for their business activities today in order to prepare for the regulatory landscape of tomorrow.
This article first appeared on the Freshfield Technology Quotient blog and is reproduced here with permission.
Gernot Fritz is a Counsel in the Global Transactions group at Freshfields Bruckhaus Deringer and co-heads the technology and data practice in Vienna.
Estella Dannhausen in an Associate in the Global Transactions group at Freshfields Bruckhaus Deringer and a member of the technology and data practice in Vienna.
Ludwig Hartenau is a Partner in the Global Transactions group at Freshfields Bruckhaus Deringer and co-heads the technology and data practice in Vienna.
All pictures copyright Freshfields Bruckhaus Deringer.