With the Data Act, the EU wants to utilise the data treasures of connected products and enable completely new business models. What legal rules apply when IoT devices use AI or when the data is used to train AI models? An overview.
Introduction
Following the promulgation of "Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonized rules for fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828" ("Data Act") in the Official Journal of the European Union ("EU") at the end of 2023, the Data Act will enter into force on January 11, 2024. After a further period of twenty months, the Data Act will apply directly throughout the EU from September 12, 2025.
The primary objective of the Data Act is to improve access to and use of data – especially data generated by connected products ("IoT devices"). The European legislator intends to stimulate the development of new business models and to drive innovation and competitiveness in the internal market.
In order to achieve the aforementioned objective, the Data Act provides for a claim by users of IoT devices against the data holder for the provision of data generated through the use of the IoT device (Art. 4 Data Act). In addition, the user can also request the data holder to transfer the data to a third party, a so-called data recipient (Art. 5 Data Act).
The regulatory scope of the Data Act has no specific connection to the use of artificial intelligence ("AI") per se. In certain cases, however, the use of AI can also lead to the opening of the scope of application of the Data Act.
Interfaces between Data Act and AI
AI-based IoT devices
The data access claims regulated in the Data Act are limited to data generated by IoT devices. AI models are of great importance for IoT devices, as they can significantly expand the functionalities of the IoT device through data analysis, automation and intelligent decision-making.
PRACTICAL EXAMPLE: Voice assistance systems today use AI models to make conversations with users more "natural".
If an IoT device is AI-based, the user's right to data provision also includes the data generated by the AI model. This would therefore have to be provided to the user or a third party as part of the IoT data.
Use of IoT devices to train third-party AI
The data generated by IoT devices can also be of interest to third parties in order to train AI models based on the data collected.
PRACTICAL EXAMPLE: A start-up could use the data collected by a "smart" fridge (e.g. food contained in the fridge with an expiry date) to create an AI-based app with recipe suggestions.
If data from IoT devices is used as training, test or validation data, the requirements of the Data Act apply. For the app development example described above, this means that the start-up, as the data recipient, would first have to obtain access rights to the IoT data from the refrigerator user by means of a data license agreement. The fundamental possibility created by the Data Act to use previously unused IoT data treasures for the further development of AI could provide a further boost for AI-based technologies.
Processing in accordance with the GDPR
Both the Data Act and the use of AI offer a wide range of new opportunities for data collection and use. However, as soon as personal IoT data is involved, the requirements of the General Data Protection Regulation ("GDPR") must also be observed. The Data Act does not affect the GDPR – the two sets of regulations stand side by side. In particular, the processing of personal data using AI requires a legal basis. In practice, consent will be required for this in most cases (Art. 6 para. 1 sentence 1 lit. a GDPR). In addition, for the interaction of IoT data and AI, the requirements of the AI Act, which comes into force in spring 2024, must also be taken into account in future.