The New Data Access Rights
The EU Data Act pursues a horizontal approach, establishing the basic cross-sectoral framework for data sharing across the Internet of Things within the EU.
Information obligations towards the user before concluding a contract
Under the EU Data Act, before concluding a contract for the purchase, rent, or lease of a connected product, sellers, rentors, or lessors (who may be manufacturers) are required to provide the user with the following information in a clear and comprehensible manner.
Users must be informed about the type, format, and estimated volume of data the connected product can generate. They should also know whether the product can generate data continuously and in real time, and whether it stores data on the device itself or on a remote server, including how long the data is intended to be retained.
Users need to understand how they can access, retrieve, or erase their data, including the technical means available to do so.
This information must also cover the terms of use and the quality of service related to data access, empowering users to make informed decisions and maintain control over their personal information.
Data Holder Use of Data and Restrictions
Under the EU Data Act, Data Holders shall only use any readily available non-personal data on the basis of a contractual agreement with the user and shall not make such data available to third parties for commercial or non-commercial purposes other than for fulfilling their contract with the user.
They shall determine which data is in scope, clarify intended data use or sharing, and differentiate between personal and non-personal data to ensure that personal data relating to other data subjects is not shared.
The user or any third party shall not use the data to develop a product that competes (noting that this does not extend to related services), share the data with another third party for that purpose, or use such data to derive insights into the manufacturer’s production methods.
Any third-party recipient shall only process the data for the purposes and under the conditions agreed with the user and shall not use the data in any way that adversely impacts the security of the product or related services, with a strategy to be developed to prevent misuse and enforce claims against data recipients in breach.
Key Provisions
In order to balance the data sharing obligations with the right to retain control over commercially sensitive information, The Act outlines key provisions to prevent unfair contractual imbalances, ensure legal clarity, and promote trust and innovation in the digital economy.
FRAND Terms for B2B Data Sharing
Under the EU Data Act, business-to-business (B2B) data sharing must be conducted on FRAND terms: Fair, Reasonable, and Non-Discriminatory, and in a transparent manner.
Unfair contractual terms and exclusive data-sharing arrangements not requested by the user are considered contrary to FRAND principles. The European Commission is expected to develop and recommend model contractual clauses to assist in drafting FRAND-compliant contracts. These clauses will not be binding and are not yet available.
Compensation Agreements
Special provisions apply for SMEs and not-for-profit data recipients, who may only be charged up to the costs incurred in making the data available. This includes costs for:
- Formatting the data
- Dissemination via electronic means
- Storage
- For other data recipients, reasonable compensation may include:
- Investments in the collection and production of data
- The volume, format, and nature of the data
- The Recitals note that the Commission should adopt guidelines on calculating reasonable compensation in the data economy.
Ownership and Protection of Data
The EU Data Act clarifies that copyright does not protect data and information as such. However:
- Compilations or collections of data may be protected if their selection or arrangement is original (see Football Dataco v Yahoo, CJEU, 1 March 2012, Case C-604/10).
- Machine-generated compilations without human intervention are not protected by copyright (Football Dataco, paragraph 39).
- The sui generis database right does not apply (Article 43).
The Act defines “data” as any digital representation of acts, facts, or information, and any compilation thereof, including sound, visual, or audiovisual recordings.
*Only raw data is in-scope. Out of scope data includes data resulting from complex algorithms or derivative data.
Trade Secrets and Data Sharing
The EU Data Act introduces both ex-ante and ex-post safeguards for trade secrets in the context of data sharing.
Ex-ante Protection
Trade secrets must be preserved, and disclosure is permitted only if both parties take all necessary measures prior to disclosure to ensure confidentiality.
Ex-post Non-Compete Restrictions
Users and third parties are prohibited from:
- Developing a connected product that competes with the original connected product from which the data originates (excluding related services).
- Sharing the data with another party for that purpose.
- Using the data to derive insights about the economic situation, assets, or production methods of the manufacturer or data holder.
Data sharing cannot be suspended or withheld solely because the data is considered a trade secret. There is an exception where sharing may be suspended or withheld for specific data in exceptional circumstances. Exceptional circumstances require a case-by-case evaluation, proof that the technical and organisational measures taken to protect the data are insufficient, and demonstration that serious and irreparable economic loss is highly likely.