EU: The “Data Act” – New rules on IoT data and switching cloud services

With the number of devices connected to the internet steadily increasing, the internet of things (“IoT”) has become a reality. However, only a small part of IoT data being generated is used and its value is available only to a few large companies.

The recently proposed draft EU Data Act (COM (2022) 68 final) is part of the European Union’s wider Data Strategy and addresses this issue by proposing rules to facilitate access to and use of data generated by IoT devices and related services by companies, public authorities and individuals. The aim is to create a European single market for data (COM (2015) 192 final). The Data Act also proposes important changes to make it easier to switch cloud services.

The objectives of the Data Act – IoT data

The Data Act aims to facilitate consumers’ and businesses’ access to, and use of, data generated by IoT devices and related services, while prohibiting such data from being used to create competing products or services. It also contains rules allowing access by public bodies in certain cases.

In more detail:

  • User rights of data: Any individual or company who/which has contributed to the generation of IoT data (the “user”) is entitled to request access to it from the individual or company (the “data holder”) that is entitled or obliged and, regarding non-personal data, able to make the data available. The data shall be made available on fair, reasonable and non-discriminatory terms.
  • Data by design: Importantly, IoT devices should be designed to make the IoT data directly accessible to the user by default in a manner that is easy and secure.
  • Right to share data with third parties: A user can request the data holder to make the data available to a third party, where applicable, continuously and in real time.
  • Exclusions for Big Tech: Companies providing core platform services that are particularly large and influential (“gatekeepers”, as defined in the proposed Digital Markets Act, e.g. Google or Amazon) are not eligible third parties to receive data on a user’s request.
  • Limitations on use of data: The user and the third party are prohibited from using the data to develop a product that competes with the product from which the data originated. Furthermore, the third party may not onward transfer the data received to another third party, unless this is required to provide the services requested by the user.
  • SME exceptions: Data generated using manufactured products and related services provided by micro and small enterprises are exempt from the aforementioned obligations incumbent on the data holder, provided, however, that these privileged companies are not economically dependent on larger companies which are not exempt.
  • Public bodies: Public bodies in member states and on EU level are entitled to request access to data in circumstances of exceptional need, e.g. to respond to a public emergency ( such as a pandemic or state disaster), and to share such data with third parties for not-for-profit scientific research.
The objectives of the Data Act – Cloud switching

The Data Act is also intended to facilitate customers of cloud and edge services to switch between cloud providers covering the same type of service. This is done by requiring cloud providers to remove commercial, technical, contractual and organisational obstacles.

In more detail:

  • Switching between data processing services: Providers of cloud, edge or other data processing services are required to remove obstacles of a commercial, technical, contractual and organisational nature that inhibit users from switching to another provider of the same type of service.
  • 30-day termination right: Importantly, this appears to include a right for customers to terminate on 30 days’ notice. While many large public cloud providers are likely already to provide this flexibility, there are also smaller (and larger) bespoke cloud services where this could significantly change the commercial relationship.
  • Safeguards in international transfer or governmental access: Cloud and edge providers must take appropriate measures to prevent international transfers and governmental access to non-personal data held in the EU where such transfer or access would conflict with EU or member state law.
Other issues

The Data Act includes provisions to encourage the development of interoperability standards for data to be reused in different industry sectors to reduce barriers between and within domain-specific data spaces. It also leaves intact the separate rights and obligations under the GDPR that apply to personal data, which must be read in parallel – albeit the Data Act applies to all data, including non-personal data.

Member states must designate a competent authority to enforce the Data Act and set the administrative fines or financial penalties sanctioning any infringement. The Data Act also paves the way for new dispute settlement bodies to settle disputes about data sharing and access.

What’s next?

Before the Data Act can enter into force it must be approved by the European Parliament and the Council. This means that it could reasonably be expected to be adopted in late 2023 or in 2024.

Once finally approved, companies offering services and products into the European market will have 12 months to implement the legal requirements, in particular regarding the new contractual terms and technical means enabling access to data.

More fairness, but more uncertainty

The Data Act strives for more fairness in the handling of IoT data by granting consumers and businesses access to the data generated by their devices and enabling them to use it for subsequent value-added services such as predictive maintenance.

The additional information will help users to make better choices, thus allowing them to purchase higher quality or more sustainable products and services. With access to more IoT data, businesses and industry players can benefit from a competitive market for data which allows them to tailor their services to the specific needs of their customers and thus to compete with comparable service offerings. Finally, pooling IoT data could help to develop entirely new digital services.

At the same time, the Data Act poses major challenges for the IoT industry in the way data is handled. In particular, it will require significant design changes to ensure that the data generated by IoT devices is, by default, easily, securely and directly accessible to users.