The data game: Tactics and protection under the Data Act

The main aim of the Data Act (hereinafter "DA") is to distribute the data generated by IoT products fairly throughout the market. To this end, the users of IoT products are granted data access claims against the data holder. This article deals specifically with the exercise of these data access claims and the means of defense available to the data holder.

1. The initial situation

The Data Act assigns the data generated by a connected product or a related service to the user. The data holder may also only use the data that it has in view of de facto control on the basis of a contract with the user, Art. 4 (13) DA.

2. The first move: the user request their data

The user starts of the "game" by asserting his claim against the data holder for data access, making data available and use of that data pursuant to Art. 4 (1) DA or for the sharing of data with third parties pursuant to Art. 5 (1) DA.

3. Defence by the data holder against Art. 4 (1) DA

The data holder has various options to "fend off" the user's attack.

Access restrictions

• Contractual restriction, Art. 4 (2) DA: The data holder has a right to refuse performance if the security requirements of the IoT product may be undermined by access, use or further sharing of data and therefore serious adverse effects on the health, safety or security of natural persons are to be expected. If the data holder exercises its right to refuse performance, it must notify the competent authority (to be determined).
• Protection of trade secrets, Art. 4 (6), (7), (8) DA: If the data holder identifies trade secrets in the data to be disclosed, it shall agree appropriate technical and organisational measures (TOMs) with the user (e.g. model contractual terms, confidentiality agreements (NDAs), strict access protocols, technical standards and the application of codes of conduct).
  • General right of refusal: The TOMs are intended to ensure that the disclosed trade secrets are adequately protected, although the user is granted de facto control over them. If there is no agreement between the user and the data holder on the TOMs to be complied with or if the user does not implement them, the data holder has a right of refusal.
  • Right of refusal in exceptional circumstances: The data holder also has a right of refusal if, despite the implemented TOMs, there is a high likelihood of serious economic damage to the data holder if the trade secrets are disclosed (special scope of justification required).

  If the data holder raises an objection based on trade secret protection, he must notify the competent authority (to be determined).

• Data protection: Data protection law must be taken into account in addition to the Data Act, see Art. 1 (5) DA. If product or related service data are intertwined as mixed data sets in such a way that they cannot be separated, anonymized or pseudonymized, they may not be disclosed to users who are not data subjects within the meaning of the GDPR and cannot provide a legal basis for lawful processing of the data in accordance with the GDPR, see Art. 4 (12) DA.
• Prohibition of the exchange of information under antitrust law, Art. 101 TFEU: The exchange of sensitive business information that is likely to influence the business strategy of competitors is generally prohibited. This is intended to prevent collusive behavior by companies and protect other market participants from damage caused by information disadvantages and atypical market conditions. The provisions of the DA may not restrict competition contrary to the provisions of the TFEU (recital 116 DA). This becomes an important objection if the user is a competing company and the information content of the data can lead to an adjustment of its business strategy.
  
  

Prohibitions on utilization and means of delay

• Data may not be used to develop a competing product or to gain insights into the economic situation of the data holder, Art. 4 (10) DA.
• The data holder must verify the user and data subject status of the claimant, Art. 4 (5) and (12) DA. A more thorough examination than necessary could delay the release of the data.
• The TOMs to be agreed between the data holder and the user pursuant to Art. 4 (6) DA can also be negotiated more extensively in order to delay the process.

Data access itself cannot be prevented by enforcing prohibitions on utilization and using means of delay. They only have an indirect defensive effect. Nevertheless, the resulting restricted use of the data and subsequent or late access to the data can have a significant impact on the attractiveness of the data access claim. For example, if data holders consistently enforce the statutory prohibitions on exploitation in the event of infringements by users or third parties, they signal to the market that attempts to exploit the data without complying with the statutory requirements will not pay off. However, it should be noted that such strategies expose the data holder to a particular risk of fines.

4. Defense against Art. 5 (1) DA - in relation to the data recipient

The data holder’s defense repertoire is very similar to that against Art. 4 (1) DA. However, some of them are legally linked to other standards – restriction due to the protection of business secrets, Art. 5 (10) and (11) DA; restriction due to data protection, Art. 5 (7) and (8) DA. Significant deviations lie above all in the fact that:

• "Gatekeepers" according to Art. 3 DMA cannot be data recipients
• the requirements for the disclosure of trade secrets are stricter→ only those trade secrets that are "strictly necessary" for the agreed purpose must be disclosed. However, it is problematic that the purpose of the contract is determined by the user and data recipient without the involvement of the data holder.
• the impairment of the security requirements is now only structured as a prohibition of utilization and no longer constitutes a right of refusal, Art. 6 (2) (f) DA.
• the objection of the prohibition of the exchange of information under antitrust law pursuant to Art. 101 TFEU has become more important in relation to the data recipient→ Data recipients are more likely to compete with the data holder than the user. In addition, data recipients can - also through economic incentives - persuade a large number of users to assert the right to share data with third parties in their favour. Data recipients then have significantly more extensive access to data than the user, the collection of which entails a far-reaching risk for the adaptation of business strategies.
  
  

5. The counter-move of the user

If the data holder refuses (partial) access to the data by invoking their right to refuse, the user can appeal to a court in the Member State under Art. 4 (1) DA or the third party under Art. 5 (1) DA.

Alternatively, when asserting the right to refuse performance (only the user) or the general right of refusal or right of refusal in exceptional circumstances, it is possible to lodge a complaint with the (yet to be determined) competent authority (Art. 4 (3) (a) / Art. 4 (9) (a) / Art. 5 (12) (a) in conjunction with Art. 37 (5) (b) DA) or to agree with the data holder on the involvement of a dispute resolution body (Art. 4 (3) (b) / Art. 4 (9) (b) / Art. 5 (12) (b) DA).

Preparation tips for practice

It is not yet possible to predict what the outcome of the games for data treasures will be in practice. Although the allocation of product and related service data to the user and the high requirements for access restrictions by the data holder put the user in a good starting position, the data holder is not without a chance. With sufficient preparation, they can hold their own in many cases.

In addition to familiarization with the Data Act, this preparation includes in particular the analysis and classification of data (Objective 1: Identification of product data and the trade secrets contained therein), a concept for user management (Objective 2: Identification of users and third parties) as well as the definition of own purposes of use for product data and the handling of data access claims (Objective 3: Data license agreements, Art. 4 (13); Terms of Use and TOMs, Art. 4 (6) / Art. 5 (9); procedures for denying data access claims, in particular notification to the authority).Terms of use and TOMs, Art. 4 (6) / Art. 5 (9); procedure for the denial of data access claims, in particular notification of the authority).

To-dos for companies

• Data classification: Identify the data covered by the Data Act.
• Develop verification processes: Make sure that only authorized users can access the data.
• Protect business secrets: Implement technical and organizational measures (TOMs) to protect sensitive data.
• Contract management: Adapt your contracts to the new requirements of the Data Act.

Co-Author: Julian Holst (Research assistant)