In order to foster a functioning European data economy, the Data Act imposes data access obligations on manufacturers of connected products and providers of related services (collectively referred to as "data holders"). These obligations are designed to enable broader access to data generated through the use of the devices. This raises two key questions:What kind of data must be shared and how should it be made accessible?
The definition of "data"; in the Act is intentionally broad. It encompasses any digital representation of information, in any form or format - including sound, visual, and audiovisual content. To comply with the Act, data holders must ensure that connected products are designed in a way that enables users to access both the data and all necessary meta-data in a manner that is easily accessible, secure, free of charge and in a common machine-readable format. Where technically feasible, this access should be enabled directly through the product ("Data Access by Design").
If direct access through the product is not possible, the data holder must provide readily available data - including all meta-data - to the user. This access should, where possible, be provided in real time and continuously. This obligation entails two important requirements:
- User authentication: The data holder must be able to verify user identity, which can pose practical challenges – especially for low-authentication devices like a washing machine.
- Low-threshold access: Data must be provided free of charge and by simple request through electronic means.
It is important to note that only data primarily generated through the use of the product or service qualifies as readily available data under the Data Act, meaning secondary or derived data does not need to be shared. However, the right to access is not unlimited. Specific restrictions and conditions apply, which we will explore in greater detail in an upcoming article.
To ensure transparency, the Data Act imposes pre-contractual information obligations on data holders, like type and scope of data and the intended use by the data holder.
Data holders may only use data on the basis of a contract with the user, showing that economically, all data generated through use is attributed to the user. However, not all purposes of use are allowed under the Data Act. This means, users must grant a license to the data holder. Furthermore, data may only be shared with third parties if this aligns with the purposes specified in the user contract.
Data holders must be ready by 12 September 2025 – failure to comply with the Data Act could have severe legal and operational consequences. So what's the good news? There is still time to act:
- Adapt contracts to ensure compliance with the Data Act.
- Implement processes to handle data access requests efficiently.
- Ensure user verification mechanisms are in place to prevent unauthorized access.
We anticipate an abundance of access requests, so the question is: "Are you prepared to take action?"
In our next article, we will explore the obligation to share data with third parties at the user's request - a critical topic for understanding the broader data-sharing framework under the Data Act.
Stay tuned!
Need guidance on the Data Act?
