This is Part 2 in a series of blog posts on recent developments in the EU’s data strategy, which aims to establish EU leadership in our data-driven society by creating a single market for data and encouraging data sharing. The series looks in particular at the recently adopted Data Governance Act (DGA) and the proposed Data Act (DA). (See also Part 1).
Broadly speaking, the purpose of both the DGA and the DA is to encourage “data sharing” and create a level playing field in this area. This concept covers several types of acts such as: “making data accessible”, “accessing” or “using” data, “sharing” data with third parties, and “receiving” data.
It is the proposed DA that sets out the specific data sharing provisions and provides a framework for other laws that impose data sharing. It considers data sharing according to different models in B2C and B2B relations, and relies on generic personas such as the “user”, the “data holder”, “data recipient” (each with their own abstract definition). In particular, it imposes an obligation to share data that is generated by the use of connected devices, and it creates an obligation, in case of exceptional need, to share data with certain public authorities. This “exceptional need” obligation will be examined in more detail in Part 3 of this blog series.
B2C and B2B Data Sharing – Connected Devices
The DA looks at data sharing according to different models for B2C and B2B relations. Its main purpose is to make data that are generated by connected devices (“products” in DA terminology) available to the users of the devices. Widely diverse situations are targeted, from a company using Internet of Things (IoT) devices for tracking shipped goods, to the owner of a wind power plant, to a person measuring their heart rate with a medical tracker and its associated app.
All these different “users” are entitled to have access to the data generated by the use of the connected device and any indispensable digital services. The design of the IoT device should, if possible, allow the data to be directly accessed by the user. Alternatively, the data holder must ensure that the data are available either to the user, or, upon the user’s request, to a chosen third party.
“Third party” is not defined in the DA, but would cover, for example, a doctor who reads the data from a glucose monitor to get a more detailed view of their diabetic patient’s condition, or the provider of maintenance services (e.g., for connected cars) who may seek to optimize the planning and performance of the maintenance services using the data generated by the car.
As a result of the DA, the user, the data holder and third parties could have simultaneous access to the same data, generated by the use of the connected device. This would leave them vulnerable to each other: e.g., access to the data could reveal technical details about the IoT services, or sensitive information about the operations of the IoT user.
In order to control these risks and to establish trust within the IoT ecosystem, the DA imposes certain restrictions upon the use of the IoT data.
- The data holder must share the data, thus losing its privileged position regarding data exclusivity. However, if the data holder itself produces connected devices and related services, it is protected to the extent that neither the user, nor their elected third party, may use the data to develop a competing product.
- Conversely, the data holder may not generate any insights regarding the user’s or third party’s economic situation, assets or production methods that could undermine their commercial position in the market.
- The user’s interests are protected in the sense that the data holder and the third party may only use the user’s non-personal data if the user agrees. The DA is also wary about the power that a third party may wield over the user, and it explicitly prohibits the third party’s use of “dark patterns” and the profiling of natural persons, and the data (even non-personal, raw, aggregated or derived data) may not be made available to other third parties. User lock-in is also limited since a third party may not preclude the user from making the same data available to other third parties.
B2B – Mandatory Data Sharing (Legal Obligation)
In some situations, data holders may be subject to a legal obligation to make data from connected devices available to “data recipients” (this broad term covers, but is not limited to, a user’s chosen third party). Specific legal obligations may appear in sector regulation (e.g., repair and maintenance information concerning connected motor vehicles).
If the data holder is legally obliged to share data (but not if it does so as a result of a voluntary agreement), it must make the data available on “fair, reasonable and non-discriminatory terms.”
The data holder must conclude an agreement (covering issues such as access, use, liability, termination and “reasonable” compensation) with the data recipient. Micro, small or medium-sized enterprises are protected as data recipients against abusive practices inter alia by a black and grey list of unfair contractual terms relating to data sharing. Where no agreement can be reached, the parties should have access to a national dispute settlement mechanism.
New Legal Restrictions on the Use of Information (Far-Reaching Sanctions)
Although the DA does not create a new exclusive right to data, it does provide for new legal restrictions on the use and re-use of “data”, without requiring that any substantive threshold be met. This means that contracts governing any IoT ecosystem must be adapted to reflect this protection of the various interests involved.
Moreover, the DA provides that if a data recipient makes unauthorised use or disclosure of data (e.g. they don’t meet the (legal) conditions to qualify for reuse or they don’t comply with the (contractual) restrictions of the use of the data), unless the user or data holder instructs otherwise, the data recipient must destroy the data and all copies, and, in addition, bring to an end the production and / or commercialization of any goods, derivative data or services that have been produced on the basis of knowledge obtained as a result of the unauthorized data (the DA even speaks of “infringing” goods). These redressive measures can be avoided only if the data holder suffers no significant harm, or the sanction is deemed disproportionate.
These legal sanctions are far reaching. They resemble the measures available to a holder of an intellectual property right or trade secret in case of infringement, and they go beyond the remedies or sanctions available in case of breach of contract. Indeed, they could protect a data source that is not a party to the data sharing contract. It is therefore vital that data users be aware of both the contractual and extra-contractual risks to which they are exposed in case they fail to respect the conditions for access or re-use.
Part 3 in this series of blog posts will look in more detail at the concept of “exceptional need” and at data sharing between businesses and government (B2G and G2B).