Definitions and scope
The Data Act covers data processing broadly, with a wide interpretation of data that includes both personal and non-personal categories. As stated in the recitals and in Article 1, the Data Act is without prejudice to the General Data Protection Regulation (GDPR), and in the event of conflict the GDPR prevails. Recital 7 emphasises that the Data Act should not undermine or limit the right to privacy, data protection or confidentiality of communications. Two consequences follow. First, for mixed data sets comprising both personal and non-personal data, the GDPR takes precedence. Second, the Data Act does not itself provide a legal basis for processing personal data; data holders and the other parties involved must identify a legal basis under the GDPR before they process or share any personal data.
Unfortunately, the terminology of the GDPR and the Data Act is not aligned, and the Data Act introduces a number of new terms, such as "data holder". A data holder is a legal or natural person with the right or obligation, under the Data Act or existing EU law, to use and make available data. Data holders are subject to obligations regarding service design, access by default, data quality, sharing with third parties, and compensation. Users, on the other hand, are natural or legal persons who own a connected product, hold temporary contractual rights to use it, or receive related services. The Act applies to users whether or not they are data subjects. Where a user is not a data subject, sharing personal data between a data holder and that user requires a valid legal basis under the GDPR.
However, mapping these new terms onto the GDPR roles of controller and processor is not straightforward. The Data Act offers limited guidance, so roles must be assessed case by case, looking at who effectively determines the purposes and means of the processing. A corporate user that owns a connected product, or that chooses a specific data holder to process its data, is likely to be a controller where that data includes personal data. In some instances, data holders and users may act as joint controllers. Third parties that receive data for their own purposes are also controllers. Given the ambiguity in this area and the lack of regulatory guidance, data holders and users will probably need to define and document their roles on the basis of general GDPR principles.
Data portability
Both the GDPR and the Data Act impose obligations on data portability. The Data Act follows the basic structure of the GDPR: it obliges data holders to make data available to users in a commonly used and machine-readable format, and it lets the user request that data be shared with a third party. The scope differs, however. The Data Act covers data generated by the use of a connected product or related service, whereas the GDPR right to data portability extends only to data the data subject has provided. Where a data holder is obliged to make data available to another business, the data holder may conclude an agreement with the data recipient and ask for reasonable compensation, which can include a margin; under Article 9, where the recipient is an SME or a not-for-profit research organisation, that compensation is capped at the costs of making the data available.
Even if a data holder and a third party cannot agree on terms for such direct access, the data subject can still exercise their GDPR rights. In practice the Data Act strengthens that position for connected products, so that consumers can access and transfer the data generated by the product, whether personal or non-personal.
For businesses, this means that data sharing must be possible in a cost-efficient way, as data requests are likely to become increasingly common.
Importance of data governance
The Data Act also requires designers of connected products to implement good data management practices. Article 3 states that connected products shall be designed and manufactured so that product data are, by default, easily and securely accessible, machine-readable and, where relevant and technically feasible, directly accessible to the user. The same applies to related service data, including the metadata needed to interpret and use the data. This takes the GDPR principles of data protection by design and by default one step further, because it directly affects product design and documentation for everyone who makes connected products available to users. The goal is to make the data directly accessible to the user. While this provision is closely aligned with the European Data Strategy, data holders and manufacturers must also ensure that the access mechanism authenticates the requesting user and verifies their entitlement to the data. Granting access to an unauthorised person would, where personal data is involved, constitute a personal data breach under the GDPR. The Data Act itself allows data holders to apply appropriate technical protection measures, such as encryption, to prevent unauthorised access to the data, provided those measures do not obstruct the user's own right of access.
Further, data governance is also stressed indirectly by the new information obligations in Article 3: the manufacturer, seller, renter or lessor of a connected product must make certain information available to the user about the data capabilities of the product, such as the type and format of product data, the classification schemes used, and whether data are stored on the device or on a server. Even more extensive obligations apply to the provision of a related service. These obligations force data holders and manufacturers to increase the amount of documentation they make available to users.
For further information, please contact:
Tobias Bräutigam, Partner, Bird & Bird
tobias.brautigam@twobirds.com