The new Data Act to lay foundation for a fair and innovative data economy

Posted on

31 Oct


Dittmar & Indrenius > Insight > The new Data Act to lay foundation for a fair and innovative data economy

IoT device manufacturers must open user data for free to users and under FRAND terms to third parties – Impact assessment should start now.

As the European Union aims to acquire a leading role in data economy, there is a regulatory boost around data. It is high time especially for IoT companies to start digesting the changes that the proposed Data Act will bring on data markets. The Data Act targets industrial ‘non-personal’ data and will regulate B2B, B2C and B2G data sharing. We recommend IoT device manufacturers to start a proper impact assessment by evaluating the requirements introduced by the Data Act and to compare them to the current state of operations and capabilities in order to identify required actions and to prepare for future changes. Already now, businesses should take a stronger interest in data to maximise its value.

The Data Act will shape the state of competition within the EU data markets. The proposed act applies to data generated by products defined as “tangible, movable items” and related services. Device manufacturers will be obliged to open data generated by the use of these IoT (“internet of things”) products to users and also, upon request by a user, to third parties e.g. those providing users with aftermarket services. It is noteworthy, that this applies not only to data generated by consumer goods such as home equipment, health/wellness devices and vehicles but also in the industrial setting to agricultural and industrial machinery, just to name a few. Device manufacturers and designers must implement the “Data sharing by design” – requirement in their IoT products, and should keep this in mind both when developing new products as well as when adjusting current product models to new regulatory requirements.

“It appears on first read of the proposed act, that the IoT device manufacturers will be obliged to comply with the potentially costly changes to their products without much apparent up-sides, while users and third party service providers (including device manufacturers’ competitors!) reap the benefits of the access to vast amount of IoT data. Protection of trade secrets is on the radar, but it may be easier said than done.”

The Data Act is portrayed to expand the ‘data portability right’, familiar from the GDPR, to industrial data, as data should be shared to users or a third parties of their choice even in real time, where possible. The interoperability requirements introduced by the draft regulation are meant to facilitate data sharing. The Data Act will set requirements for data sharing agreements. Interestingly, the mandatory terms restricting device manufacturers’ freedom of contract as to sharing data resemble the license terms applicable to standard essential patents, which must made be available on fair, reasonable and non-discriminatory (“FRAND”) terms: Also the device manufacturers must share data on FRAND terms under the proposed Data Act. Further, the EU Commission aims to create non-binding model contractual terms for sharing of data. This, in turn, resembles of the open source licensing model, where code is provided for the users for free under standard terms.

“While SMEs are exempted from certain obligations imposed by the regulation, device manufacturers are prohibited from applying unfair contractual clauses in data-sharing agreements unilaterally imposed on an SME.”

IoT device manufacturers must also comply with the draft Data Act provisions that aim to reinforce the position of small and medium size companies (“SME”) in the data markets. While SMEs are exempted from certain obligations imposed by the regulation, device manufacturers are prohibited from applying unfair contractual clauses in data-sharing agreements unilaterally imposed on an SME. In addition to a general ban prohibiting such clauses, the draft regulation includes lists of clauses that are, or are presumed to be, unfair and thus invalid. In addition, the draft Data Act sets out obligations for private-sector data holders to share data with public-sector bodies for an exceptional need. This could apply, for example, in case of a sudden emergency, where the risks and/or impacts could mitigated by access to data.

New technologies and digital transformation of traditional businesses have affected all fields of society, and efficient access to data promoted by the Data Act is likely to speed up the transformation even more. Currently, the majority of data are still processed and analysed in data centres and centralised computing facilities. In the coming years, a larger portion of data is expected to be processed closer to the data source, for example in smart connected objects or in local computing facilities. The amount of data is growing exponentially, and it has been estimated that by 2025 the overall data volume will grow 530 % from the figures of 2018. In parallel, we see a clear trend in the growth of data-driven services and data-centred business models. There are new business opportunities within the data economy, for instance for facilitating the transfer and share of data. More extensive and efficient use of data could better support decision making and further accelerate research and development activities in many fields of business, for instance in improved personalised healthcare and new mobility solutions. Conscious use of data will improve traceability of products, help us contribute to a green deal and provide content for the training of artificial intelligence tools.

In order to address the transformation, the EU adopted the European strategy for data with a mission of making the EU a role model for a society empowered by data. Europe is not, however, the only player interested in the topic. Other big markets, such as China and the US, are actively developing and innovating their approach to access to and use of data. While the US market is largely shaped by big private sector players and China exploits all data to maximum effect without focusing on the protection of private individuals, the European approach to data economy is built on firm European values and fundamental rights.

As part of the European data strategy, the EU Commission has given proposals for five different data regulations:

  • Data Governance Act (DGA) aims to promote altruistic data sharing by creating a new governance structure and lays down conditions for re-use of certain categories of public sector data;
  • Digital Markets Act (DMA) lays down harmonised rules applicable to large online platform service providers (“gatekeepers”) with an objective to ensure fair digital markets;
  • Digital Services Act (DSA) lays down harmonised rules applicable to the provision of online intermediary services such as online platforms, with the aim of increasing the safety, security and transparency of such services;
  • Artificial Intelligence Act (AIA) lays down a risk-based legislative framework for AI applications and prohibits certain unacceptable AI practices; and
  • Data Act (DA) lays down harmonised rules on fair access to and use of data across different sectors.

The DGA and DMA have already been published (although applicable only after the transition periods) and the DSA is expected to be published soon. AIA and DA are still subject to discussion.

Special thanks to Amanda Terhonen who participated in the writing of this article and works as an Associate Trainee at Dittmar & Indrenius in autumn 2022.

More by the same author

AI, Free and Open Source Software and IPRs in the Context of Software Development

Artificial intelligence is speeding up software development Artificial intelligence (AI) has taken the world by storm and is becoming a common accelerator also in software development. Although AI in general is not something entirely new, with its roots reaching to the 1950s, generative AI has been soaring since the first commonly known large language models (LLMs) were launched a few years back. Generative AI tools are trained with content often referred to as training data (input) and they generate new content (output), such as software code, based on the user’s command, a prompt. The output may resemble human-generated text, pictures, sounds, videos – or software, for that matter.

Implementing the Data Act without Clashing with the GDPR?

The Data Act will largely apply as of 12 September 2025, imposing new obligations and rights in relation to personal and non-personal data in the context of, e.g., connected products and related services. As rules governing data expand, it is increasingly important to map what data sets are processed by an organisation and how they are managed in the upcoming regulatory framework. For data sets including personal data (which is often the case!), it is vital to align the implementation of the Data Act with existing GDPR compliance.

The Big 5 – Status of National Preparation in Finland

The so-called Big 5 acts – the Data Governance Act, Digital Markets Act, Digital Services Act, Data Act, and Artificial Intelligence Act – have been a key part of the European Data Strategy in recent years. Once approved, the Big 5 acts are directly applicable throughout the EU, but many of them require Member States to enact legislation to support their enforcement and supervision, e.g., to designate nationally competent authorities and assign them new powers.

Latest insights

Fostering Continuous Development

Article / 1 Jul 2024

Advocate for Change: Good Governance and Sustainability

Article / 1 Jul 2024