18 October 2024
The main aim of the Data Act (hereinafter "DA") is to distribute the data generated by IoT products fairly throughout the market. To this end, the users of IoT products are granted data access claims against the data holder. This article deals specifically with the exercise of these data access claims and the means of defense available to the data holder.
The Data Act assigns the data generated by a connected product or a related service to the user. The data holder may also only use the data that it has in view of de facto control on the basis of a contract with the user, Art. 4 (13) DA.
The user starts of the "game" by asserting his claim against the data holder for data access, making data available and use of that data pursuant to Art. 4 (1) DA or for the sharing of data with third parties pursuant to Art. 5 (1) DA.
The data holder has various options to "fend off" the user's attack.
If the data holder raises an objection based on trade secret protection, he must notify the competent authority (to be determined).
Data access itself cannot be prevented by enforcing prohibitions on utilization and using means of delay. They only have an indirect defensive effect. Nevertheless, the resulting restricted use of the data and subsequent or late access to the data can have a significant impact on the attractiveness of the data access claim. For example, if data holders consistently enforce the statutory prohibitions on exploitation in the event of infringements by users or third parties, they signal to the market that attempts to exploit the data without complying with the statutory requirements will not pay off. However, it should be noted that such strategies expose the data holder to a particular risk of fines.
The data holder’s defense repertoire is very similar to that against Art. 4 (1) DA. However, some of them are legally linked to other standards – restriction due to the protection of business secrets, Art. 5 (10) and (11) DA; restriction due to data protection, Art. 5 (7) and (8) DA. Significant deviations lie above all in the fact that:
If the data holder refuses (partial) access to the data by invoking their right to refuse, the user can appeal to a court in the Member State under Art. 4 (1) DA or the third party under Art. 5 (1) DA.
Alternatively, when asserting the right to refuse performance (only the user) or the general right of refusal or right of refusal in exceptional circumstances, it is possible to lodge a complaint with the (yet to be determined) competent authority (Art. 4 (3) (a) / Art. 4 (9) (a) / Art. 5 (12) (a) in conjunction with Art. 37 (5) (b) DA) or to agree with the data holder on the involvement of a dispute resolution body (Art. 4 (3) (b) / Art. 4 (9) (b) / Art. 5 (12) (b) DA).
It is not yet possible to predict what the outcome of the games for data treasures will be in practice. Although the allocation of product and related service data to the user and the high requirements for access restrictions by the data holder put the user in a good starting position, the data holder is not without a chance. With sufficient preparation, they can hold their own in many cases.
In addition to familiarization with the Data Act, this preparation includes in particular the analysis and classification of data (Objective 1: Identification of product data and the trade secrets contained therein), a concept for user management (Objective 2: Identification of users and third parties) as well as the definition of own purposes of use for product data and the handling of data access claims (Objective 3: Data license agreements, Art. 4 (13); Terms of Use and TOMs, Art. 4 (6) / Art. 5 (9); procedures for denying data access claims, in particular notification to the authority).Terms of use and TOMs, Art. 4 (6) / Art. 5 (9); procedure for the denial of data access claims, in particular notification of the authority).
To-dos for companies
Co-Author: Julian Holst (Research assistant)
by Dr. Carolin Monsees, CIPP/E and Stephanie Richter, LL.M. (Torino), CIPP/E
Stephanie Richter and Gabriel Drewek look at the draft Data Act which is intended to unlock industrial data, clarifying who can create value from data and under what conditions.
by Stephanie Richter, LL.M. (Torino), CIPP/E and Gabriel Danyeli, LL.M. (Köln/Istanbul Bilgi)