New EU legislation that promotes rights of access to and use of data generated from connected products has moved closer to being finalised.
Law makers at the European Parliament and Council of Ministers announced that they had reached a provisional agreement on the proposed new EU Data Act on Tuesday.
In a statement, the Council said: “The political agreement clarifies the scope of the regulation allowing users of connected devices, ranging from smart home appliances to smart industrial machinery, to gain access to data generated by their use which is often exclusively harvested by manufacturers and service providers.”
“Regarding Internet of Things (IoT) data, in particular, the focus was moved to the functionalities of the data collected by connected products instead of the products themselves,” it said.
MEP Pilar del Castillo Vera, who led the Parliament’s negotiations on the Data Act, said: "Having data on the functioning of industrial equipment will allow factories, farms and construction companies to optimise operational cycles, production lines and supply chain management. The Data Act will create a new data-agile system that enables easy access to an almost infinite amount of high-quality data. It will be instrumental in optimising existing business models and processes, boost the development of new ones and create new value.”
Dr. Nils Rauer, MJI
Rechtsanwalt, Partner
With more and more products falling into the category of ‘connected devices’, we urgently need regulation in this field
The Data Act was trailed in the European Commission’s 2020 digital strategy and formally proposed in 2022. As well as providing for enhanced rights of access to and portability of data for users, the Data Act will also regulate the way in which businesses would have to make the data available to third party companies and how they would be compensated for doing so. It will also promote switching between cloud service providers and govern the international transfer of non-personal data by cloud service providers.
The Data Act will interact with other data-related legislation, including the EU General Data Protection Regulation (GDPR) and the Data Governance Act.
Technology law expert Nils Rauer of Pinsent Masons said: “With more and more products falling into the category of ‘connected devices’, we urgently need regulation in this field. Consumers as well as providers and product manufacturers need clarity on what the rules are to be complied with.”
“With respect to the Internet of Things (IoT) data, the focus is being moved to the functionalities of the data collected by connected products instead of the products themselves. We need to look into the details as regards this shift. From a systematic point of view, this shift resonates as the Data Act is about the data, not the device that collects or processes the data. Having said this, the manufacturers need to implement data processing routines complying with the new law. Therefore, the respective devices will remain within the scope, only on an ‘indirect’ basis,” he said.
Automotive companies are among those that will be impacted by the Data Act. Daniel Widmann, also of Pinsent Masons recently said: “Automotive companies have to have viable legal solutions to protect their intellectual property and trade secrets. They also need to update internal practices and procedures to be able to deal with an increase of data access requests and data sharing obligations.”
The final wording of the Data Act has still to be finalised and voted on by the Parliament and Council – both will need to formally adopt the legislation before it can become EU law.
The Data Act will be an EU regulation, meaning it will have direct effect in EU member states – it will not need to be implemented into national legislation, as EU directives have to be. An EU official told Out-Law that the Parliament and Council had agreed a 20-month implementation period from the point the Data Act comes into force before it will begin to apply.