Takeaways for Data Holders and Users from the European Commission’s EU Data Act FAQs

On 6 September 2024, the European Commission published a set of frequently asked questions (FAQs) on the EU Data Act. Among other requirements, the Data Act regulates the access of usage data generated by certain products that are connected to the internet or through the use of such connected products for the provision of certain digital services (for more information on the Data Act, please see our previous alert here). 

The FAQs provide, among others, clarification on the concepts of a “connected product” and “related service”, the data within the scope of the Data Act, as well as the roles of “users” and “data holders”.

Connected products and related services 

The FAQs provide guidance on the type of products that will fall within the scope of a “connected product” under the Data Act. 

• Nature of connected products. Connected products are items that can generate, obtain, or collect data about their use, performance or environment and can communicate this data via a cable-based or wireless connection (including communication on an ad hoc basis, such as during maintenance operations). The FAQs acknowledge that this is a broad scope and includes smart home appliances, smartphones, consumer electronics and medical devices. 
• Connected products placed on the EU market. Connected Products “placed on the market in the Union” will fall within the scope of the Data Act. This must involve the transfer of ownership, possession or any other property right between two economic actors that occurs after the manufacturing stage. The FAQs further provide examples of actions that would not count as placing onto the market, such as when the product is purchased by a consumer in a third country and then subsequently brought by that consumer into the EU for their personal use, or when the product is manufactured in an EU member state with a view to exporting it to a third country. Similarly, the mere presence of a connected product in the EU will not constitute it being “placed onto the EU market” if there has been no transfer of ownership. This means that the presence of a connected vehicle in the EU in and of itself will not constitute the vehicle being placed onto the EU market, for example. 
• Products out of scope. Prototypes are out of scope of the Data Act. Products which primarily fulfil the function of storing, processing, or transmitting data, such as servers and routers will not constitute a connected product under the Data Act. The infrastructure a connected product relies on to function will also fall out of scope. For instance, a user of a connected vehicle is not entitled to obtain data from sensors that form part of the roads used by the connected vehicle. 

A “related service” under the Data Act is a digital service that can be linked to the operation of a connected product and affects the functionality of the connected product. This must involve a two-way/bi-directional exchange of data between the connected product and service provider. In addition, the service must affect the connected product’s functions, behaviour, or operation.  As such, determining the functions of the connected product is an ongoing and evolving task and will be further defined through practice and court decisions. 

The FAQs also provide several factors to help organisations determine whether a digital service constitutes a related service under the Data Act, including:

• User expectations;
• The marketing that accompanies the connected product and/or digital service; and
• Whether the digital service was pre-installed on a connected product. 

Roles of users and data holders 

Under the Data Act, a user is a natural or legal person that owns a connected product or to whom temporary rights to use that connected product has been contractually transferred, or who received a related service. The FAQs provide the following guidance with respect to users:

• Users must be established in the EU. Users must be established in the EU in order to be granted their relevant rights under the Data Act. Such users may request access to the data of connected products or related services, regardless of whether the data is stored or generated inside or outside of the EU. 
• Multiple users. There may be multiple users of the same connected product, if they are granted ownership or similar rights over that connected product via contractual arrangement. Entities may also have different roles, such as a company being a user and a data holder with respect to different connected products (i.e., in a factory that uses robots to manufacture connected products, a company may be the relevant user of the robots and the relevant data holder of the manufactured connected products). However, the company cannot be a user and a data holder of the same data at the same time.
• Rights of users, other than rights to access or transfer data. Other than the rights relating to the access, use or transfer of data, users also have other rights under the Data Act. In particular, users have several options that they may choose to exercise if their right to access and use data is not properly exercised, including the right to lodge a complaint with the relevant competent authority and/or supervisory authority (if personal data is involved), initiate legal proceedings, and to utilise their rights under EU consumer protection legislation (in particular, the right to lodge a complaint with the European Consumer Centres Network). However, users do not have an intrinsic right to be forgotten (unlike the GDPR) although the data holder and user may contractually agree to such deletion rights before the sale of the connected product. If so, data holders must provide information on how their data will be deleted to users.

Data holders are organisations or individuals who have the right or obligation, as applicable, to use and make available certain data generated or retrieved from the connected product. The FAQs provide the following guidance with respect to data holders:

• The role of data holder. The manufacturer of a connected product may not be the relevant data holder as the role of the data holder depends on which entity controls access to readily-available data. Thus, the provider of the related service may be the relevant data holder of the connected product, depending on its access rights to data. A manufacturer may also outsource the role of data holder to other organisations, as long as such organisations have a contractual right with the relevant user to use and access such data.  There may be instances where there is no data holder. This occurs in cases where only the user has access to the data, such as when the data is stored directly on the connected product or transferred to the user’s computer without permitting access to the data by the manufacturer. 
• Data does not always need to be directly accessible in the connected product. While connected products and related services must be designed in a manner that enables product data and related service data to be accessible to users, manufacturers of connected products have discretion to decide whether to design for direct access (where users have the technical means to access the data without having to request the data holder to provide access to data) or indirect access (where users must ask the data holder for access to data) to data. This is because not all products may be capable of being designed to permit direct data access, and organisations may implement solutions that “work best for them” when they have to comply with their obligations. 
• How data holders may use data. Data holders may use the data generated by users for any purpose provided that this has been agreed with the user beforehand and that the data holder does not derive insights about the economic situation, assets and production methods of the user in any other manner that could undermine the commercial position of the user. 

Data within scope of the Data Act 

The FAQs provide further guidance to determine the data that data holders are required to make accessible to users under the Data Act. Generally, product and related service data that is raw, pre-processed, and readily available to a data holder as a result of the manufacturer’s technical design will be subject to the data sharing obligations of the Data Act, unless they are covered by an exemption.

• Product and related service data, including historical data. Product data is data obtained, generated or collected by a connected product and which relates to its performance, use or environment, and related service data is data representing user action, inaction and events related to the connected product during the provision of a related service. In each case, this includes both personal and non-personal data, and does not include purely descriptive data that accompanies the connected product (i.e. data contained in user manuals or on the packaging of the product), although information provided prior to concluding a contract for the purchase, rent or lease of a product or related service may fall within scope. Users may request for access to historical data, such as data generated by previous users, although access to such data must be balanced against the rights and interests of other individuals and entities.
• Raw and pre-processed data. While only raw and pre-processed data will fall within scope of the Data Act, the metadata necessary to interpret and use such data will also fall within scope of the Data Act. For example, data collected from sensors to make collected data comprehensible for wider use-cases by determining a physical quantity or quality (i.e. temperature, pressure, audio, etc.). Otherwise, enriched or derivative data will not fall within scope of the Data Act (see below).  
• Readily available to data holders as a result of the manufacturers technical design. The data must be capable of being obtained by the data holder without disproportionate effort going beyond a simple operation. Although the FAQs do not elaborate further on what might constitute a disproportionate effort, they note that only data generated or collected after the entry into application of the Data Act (i.e. data generated or collected after 12 September 2025) will fall within scope as the definition of “readily available data” does not include a reference to the time of their generation or collection. 
• Data falling outside the scope of the Data Act. The type of data that will fall outside the scope of the Data Act includes:
  • Trade secrets. Under the Data Act, data constituting trade secrets are exempted and existing legal protections (such as Directive (EU) 2016/943) for trade secrets continue to apply. While this is not an unqualified exemption, as a mere claim that certain data constitutes trade secrets will not be enough to prevent the exercise of data rights provided by the Data Act, data holders have the right to require users and other third parties to preserve the confidentiality and secrecy of their data by exercising the “trade secrets handbrake”.  This involves (i) identifying the relevant trade secrets; (ii) agreeing the measures to be used to safeguard the confidentiality of such trade secrets with the user or third party; and (iii) withholding or suspending the sharing of trade secrets if there is no agreement, if the third party or user does not implement the agreed measures, or if the confidentiality of trade secrets is otherwise undermined by the user or third party.
  • Highly enriched data. Highly enriched data (i.e., inferred or derived data, or data resulting from additional investments including by way of proprietary, complex algorithms) as well as content covered by intellectual property rights (such as textual, audio or audiovisual content) will be out of scope of the Data Act as this will not constitute raw or pre-processed data.
  • Data that if processed may undermine the security requirements of the connected product. Data holders may restrict or refuse to share data if there is a risk that the security requirements of the connected product may be undermined, resulting in serious adverse effects to the health, safety or security of individuals. As with trade secrets, this is also not an unqualified right and the exercise of the “safety and security handbrake” requires the data holder to notify the relevant competent authority.

Commentary

The FAQs provide welcome clarity for organisations whose products or services fall within the scope of the Data Act. In particular, its guidance on what constitutes product data or related service data and how organisations may avail of the “trade secrets handbrake” and “safety and security handbrake” provide helpful clarity to organisations seeking to understand the scope of data that may potentially be made accessible under the Data Act, and the discretion afforded to organisations regarding how users can access such data means that organisations would not have to redesign their connected products to allow for direct access. 

However, there are also several areas of uncertainty, such as what might constitute data that would require a “disproportionate effort” to retrieve. In such circumstances, organisations are left with further discretion to justify and interpret such requirements, pending further guidance from the European Commission, practice or court decisions. In addition, the European Commission notes that the FAQs are a “living document” and will be updated when necessary, and the conclusions and guidance provided therein may therefore be subject to future changes.  

Regardless, the scope of product data and related services data that may potentially be made accessible to users and third parties under the Data Act remain very broad. To that end, organisations that develop connected products or provide related services should conduct an evaluation of their position under the Data Act to:

• Identify the roles they and their relevant stakeholders occupy under the Data Act;
• Understand whether their product or service constitutes a connected product or related service;
• Understand what data is generated by such products and services; and
• Understand whether they can avail of any of the exemptions provided for under the Data Act.
• If the connected product has yet to be manufactured, organisations should also consider whether to make such data directly or indirectly accessible, depending on the function and type of product. 

Subscribe to Ropes & Gray Viewpoints by topic here.