Data Act – to share or not to share

July 2024  |  SPOTLIGHT | DATA PRIVACY

Financier Worldwide Magazine

July 2024 Issue

In recent months, the Artificial Intelligence Act (AI Act) has been focusing the attention of many organisations across the globe. Yet, they should also keep track of other European Union (EU) regulations that may impact their operations before the AI Act does.

One regulation that deserves particular attention is the Data Act, which is a key pillar of the European data strategy aimed at creating a single market for data and ensuring the EU becomes a leader in a data-driven society. But what it is about and why does it matter?

Internet of things (IoT) products allow devices that are connected to the internet (smart sensors for instance) to collect data related to their performance, their use or their environment and to transmit it through electronic communication services. This data represents an already high and growing economic potential (including for artificial intelligence (AI) applications) in the same way as personal data was a resource that allowed companies to build their economic models.

IoT products are deployed in the consumer sector (for example, health-monitoring devices, smart watches and smart cars) but also in the agricultural or industrial sector. When used in the context of industry, these devices are specifically called ‘industrial IoT’ and usually consist of smart sensors embedded in systems, machines, factories, planes, engines or drills. The analysis of such data can be used to improve their operation and predict any maintenance needs at low cost.

The adoption of the Data Act stems from the perceived untapped economic value of data (in particular industrial data) due to several obstacles including the lack of accessibility for data economy actors and the fact that large companies control a majority of the data. Therefore, the Data Act aims to allow users or third parties to access and reuse data generated by connected products to foster data-driven innovation and a competitive data market. The Data Act therefore identifies the actors that can obtain, share and use specific data, and determines the applicable conditions, and limitations.

Regarding its scope, the Data Act mainly applies to: (i) manufacturers of connected products and providers of related services placed in the EU market; (ii) the users of such connected products or services in the EU; (iii) data holders that make data available to recipients in the EU; (iv) data recipients in the EU; (v) providers of data processing services offering services to customers in the EU; and (vi) EU institutions and public sector bodies accessing data under the regulation. In addition, the regulation will have an extraterritorial reach and apply to foreign companies operating in EU markets, irrespective of their place of establishment.

As the Data Act imposes data sharing obligations, companies may be worried about the extent to which they will have to share their valuable data, especially in light of its strategic nature and commercial sensitivity.

Considering that data will create more value if shared between economic actors, the Data Act provides extensive obligations to ensure data can be accessed by users and shared with third parties. However, these obligations only apply to certain companies and are balanced by several safeguards to preserve incentives for companies to invest in the creation of products based on the use of data from sensors built into them.

The regulation clearly distinguishes data sharing between data holders and users (B2C), data sharing between data holders and third parties (B2B), and data sharing between data holders and public sector bodies (B2G).

B2C data sharing

The Data Act aims to provide the user of a connected product and related services more control over the data it generates by allowing it to understand what data will be generated and to access such data from the connected product by the intermediary of the data holder (e.g., the manufacturer).

The data in question (referred to as ‘product data’ and ‘related service data’) covers personal and non-personal data, generated from the use of a connected product or related service, which can be accessed without disproportionate effort going beyond a simple operation, as well as the metadata necessary to interpret and use the data. However, data inferred from such data through additional analysis (including by means of proprietary software or algorithms) is out of scope.

Before concluding a contract to purchase, rent or lease a connected product or related service, the provider should inform the user about the data that it will generate. This includes information on its type, format and estimated volume, whether the connected product can generate data continuously and in real time, and the frequency of expected product data. Such information can be provided through a uniform resource locator.

Data holders will have to design their products and related services so that associated data is by default directly accessible to the user. Such data can be accessible from the device either by on-device storage or through a server. Where such data cannot be directly accessed by the user, it must be made accessible to the user in compliance with certain requirements (for example, without undue delay, of the same quality as is available to the data holder, or in a machine-readable format).

Users and data holders can contractually agree to prohibit the access, use or further sharing of data if such processing could undermine the security requirements of the connected product, resulting in serious adverse effects on people’s health, safety or security.

Data holders will only have the right to use product or related service data if this is provided for in a contract between the data holder and the user which describes the purposes for which the data holder intends to use the data.

The data holder must not use the data to derive insights about the economic situation or production methods of the user in any way that undermines its commercial position.

Users cannot use the data to develop competing products or share the data with a third party toward developing a competing product.

The data holder cannot make available non-personal product data to third parties unless it is necessary to fulfil its contract with the user.

Data holders or the trade secret holder must identify the data which is protected and agree with the user which measures will be used to preserve the confidentiality of the shared data. If no agreement is reached, the data holder can withhold or suspend sharing of information identified as a trade secret.

B2B data sharing

Sharing data globally between a data holder and third parties can be beneficial, including for a user who decides to share (including for commercial purposes) data with a third party (potentially an aftermarket service provider who is a competitor of the data holder) either directly in response to a request or via a data intermediation service (as referred to in the Data Governance Act). In this respect, the scope of the data is the same as in B2C data sharing.

Upon receiving a request, the data holder will have to make data, as well as the metadata necessary to interpret and use such data, available to a third party (data recipient) under specific requirements (for example, without undue delay, of the same quality as is available to the data holder, free of charge to the user, or in a machine-readable format).

When ordered to make the data available, the data holder and the data recipient must contractually agree on the terms under which sharing of data will occur and must do so under fair, reasonable and non-discriminatory (FRAND) terms and in a transparent manner. The Data Act provides a list of terms that are presumed to be unfair.

In addition, the data holder and the data recipient can agree on compensation (which can include a margin) to be paid to the data holder. This must be non-discriminatory and reasonable. That said, the European Commission will develop model contractual terms on access and use to help parties draft and negotiate FRAND B2B data sharing contracts (before 12 September 2025).

Data holders cannot make data available to a data recipient unless the user requests so, and unless agreed to in a contract with the user. Third parties cannot transfer the data to another third party. In addition, a third party cannot use the data it receives to develop a product that competes with the connected product from which the data originates.

With regard to trade secrets, the same protection as for B2C applies.

The data holder cannot use the data to derive insights about the economic situation or production methods of the third party in any way that would undermine its commercial position.

B2G data sharing

Under certain exceptional circumstances, the public interest resulting from the use of certain data available only to the data holder may outweigh the data holder’s desire to freely dispose of the data.

Such circumstances include emergencies (such as a public health crisis, natural disasters or major cyber security incidents) or non-emergency situations – for example, if the European Central Bank cannot fulfil a specific task in the public interest due to a lack of data.

In any of these situations, certain public entities will be able to request that data holders share specific data in their possession, which may include personal or non-personal data.

Applicability and enforcement

The Data Act entered into force on 11 January 2024. Provisions of the Act will begin to apply 20 months from the date of entry into force, meaning affected businesses will need to be ready to comply with certain provisions by 12 September 2025. Certain obligations will only apply from 12 September 2026 and 12 September 2027.

The Data Act will be enforced by member states through a designated (new or existing) competent authority. Member states will also determine the rules for penalties considering certain elements such as annual turnover, aggravating circumstances or previous infringements. Finally, data supervisory authorities may, for infringement in relation to B2C, B2B and B2G sharing, and within their scope of competence, impose GDPR fines.

 

Ahmed Baladi is a partner and Thomas Baculard is an associate at Gibson, Dunn & Crutcher LLP. Mr Baladi can be contacted on +33 1 5643 1350 or by email: abaladi@gibsondunn.com. Mr Baculard can be contacted by email: tbaculard@gibsondunn.com.

© Financier Worldwide

BY

Ahmed Baladi and Thomas Baculard

Gibson, Dunn & Crutcher LLP

©2001-2024 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.