What will the Data Act mean for you? Impact on Data Sharing, Data Sharing Agreements and Cloud Services

On 22 December 2023, the regulation on harmonised rules on fair access to and use of data (“Data Act”) was published in the EU’s Official Journal. The Data Act will now enter into force on 11 January 2024. Most of the provisions of the Data Act will become applicable as of 12 September 2025.

As one of the cornerstone pieces of the European strategy for data, the Data Act aims to unlock the full potential of data for the European economy. The Data Act is a wide-ranging and sector-neutral legislation. Due to its horizontal nature, the Data Act regulates several aspects of the data economy and will be relevant for many companies. The main chapters of the Data Act focus on the following topics:

• Chapter II lays down rules concerning access and use of connected product and related service data (both in B2B and B2C contexts) to empower users of connected products and related services with respect to such data, vis-à-vis connected product manufacturers and suppliers of related services;
• Chapter III aims at creating a legal framework for B2B data sharing agreements, when a data holder is obliged to make data available under the Data Act or any other EU or national law obligation.
• Chapter IV prohibits unfair contractual terms in B2B data transactions, where unilaterally imposed by one contracting party.
• Chapter V imposes a data sharing obligation on data holders that are legal persons to share – in cases of exceptional need – the data they hold (and associated metadata) with public bodies, the European Commission, the European Central Bank and Union bodies, subject to certain conditions;
• Chapter VI incorporates rules with regard to switching cloud and edge services to address lock-in scenarios;
• Chapter VII contains the measures to ensure that non-personal data is not transferred to countries outside the European Economic Area (EEA) without sufficient protection of intellectual property rights, trade secrets, confidentiality, and other EU interests aside with transparency obligations upon providers of data processing services (such as cloud and edge services);
• Chapter VIII provides various interoperability and minimum requirements for data processing service providers and participants in common European data spaces.

Currently, the scope of the Data Act still seems to be underestimated by many businesses. Therefore, in this blogpost, we will provide an overview of the scope of the IoT related data sharing obligations introduced by the Data Act (Part 1), the impact of the Data Act on B2B data sharing agreements (Part 2) and the contractual requirements to be taken into account when drafting or negotiating data processing services (cloud and edge services) (Part 3).

1. Data sharing obligations for IoT data under the Data Act

Under the Data Act, several types of data sharing obligations are introduced. To better comprehend these obligations, the corresponding definitions first need to be explained.  

Key concepts

Chapter II of the Data Act refers mainly to two products and services to define the scope of the data sharing obligations: 'connected product(s)' and 'related service(s)'. The Data Act defines a 'connected product' as "an item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user" (Article 2(5)) An electronic communications service is not explicitly defined in the Data Act and there is no reference to the definition of the European Electronic Communications Code (“EECC”, Directive (EU) 2018/1972), Nevertheless, Recital 14 of the Data Act does refer to a few examples, including "land-based telephone networks, television cable networks, satellite-based networks and near-field communication networks". These services would in principle also be covered under the EECC definition of ‘electronic communications service'. The Recital adds that these products are relevant to various sectors of the European economy "including in private, civil or commercial infrastructure, vehicles, health and lifestyle equipment, ships, aircraft, home equipment and consumer goods, medical and health devices or agricultural and industrial machinery". In addition, the European Commission's impact assessment report on the Data Act refers to braking systems of a tractor, lifts, factory machines, smart dishwashers, cleaning robots, fitness trackers and even smart solar panels as connected products which also demonstrates the wide scope of this term.  According to the same report, there are nearly 300.000 companies established in the EU that produce connected products that generate data. It goes without saying that almost any business will be a user of connected products.  

In addition, a 'related service' is defined as "a digital service, other than an electronic communications service, including software, which is connected with the product at the time of the purchase, rent or lease in such a way that its absence would prevent the connected product from performing one or more of its functions, or which is subsequently connected to the product by the manufacturer or a third party to add to, update or adapt the functions of the connected product" (Article 2(6)). Therefore, related services include software that obtains, generates, collects and communicates the data that is harvested by the hardware of connected products. This includes, for example, software that runs the schedules of a smart dishwasher or a cleaning robot, as well as the software of lifts that manages commands of users. Also virtual assistants can be caught when they interact with a connected product or related service. Virtual assistants are defined as "software that can process demands, tasks or questions including those based on audio, written input, gestures or motions, and that, based on those demands, tasks or questions, provides access to other services or controls the functions of connected products" (Article 2(31)).

Data sharing obligations

Regarding the data sharing obligations, manufacturers of connected products and suppliers of related services placed on the market in the EU must ensure 'access by design' for the user, to “(…) product data and related service data, including the relevant metadata necessary to interpret and use the data (…)” as per Recital 20. Such access should be easy, secure, free of charge, in a comprehensive structured, commonly used, and machine-readable format, and, where relevant and technically feasible, directly accessible.

In addition, where the user cannot directly access those data, the data holder must make "readily available data" as well as the relevant metadata necessary to interpret and use those data accessible to the user. Readily available data means "product data and related service data that a data holder lawfully obtains or can lawfully obtain from the connected product or related service, without disproportionate effort going beyond a simple operation" (Article 2(17)). The access, use or further sharing of such data may be contractually restricted to uphold the security requirement of the connected products. In such case, a refusal must be notified by the data holder to the competent authority and users may seek judicial redress, file a complaint with the competent authority or agree with the data holder to refer the matter of a dispute settlement body. There are also mechanisms in place to protect the trade secrets in the data that are shared. 

While the concept of a ‘user’ includes a data subject (within the meaning of the GDPR) that owns, rents, or leases a product or receives a related service, the notion also includes legal persons and thus also applies in B2B relations. This will likely cause an important shift in thinking compared to the current EU data (protection) regulation.

To facilitate these access rights, manufacturers (or sellers, rentors or lessors) of connected products and suppliers of related services are also subject to pre-contractual information obligations. They must provide various types of information to data users before concluding a contract for a connected product or related service such as the type, format and estimated volume of product data, storage details of such data, intended duration of retention and means of communication.

The Data Act's data sharing requirements have direct implications on the manufacturers of connected devices in various sectors. Additionally, these rules also impact related service providers, which may be producing add-on elements to such connected products – such as software companies, providers of sensors and other electronic equipment that are relying on connected products. Following the implementation of these requirements, companies and consumers using connected products and related services will have more opportunities with regard to the use and further exploitation of the data they generated.  Consequently, the availability of these IoT data will likely lead to the creation of (new) secondary markets for many organisations, which may for manufacturers and service providers result in more competition. The obtained data can, however, not be used to compete with the originating product (i.e., on the product’s primary market).

2. Data sharing agreements: What to consider?

An important takeaway from the Data Act is that contract freedom in relation to data sharing agreements is more and more restricted, even in B2B relations.

Data sharing agreements in case of data sharing obligations

The first set of restrictions is relevant where data sharing obligations apply, whether imposed by the Data Act or any other EU or national law. In such case, the Data Act determines that the contractual conditions between the data holder and data recipient must be fair, reasonable, transparent and non-discriminatory (FRAND) and – unless upon the user’s request – non-exclusive.

Such data sharing agreements may only provide for a reasonable and non-discriminatory compensation that considers the Data Act criteria, even in B2B relations.

Contractual terms in a data sharing agreement which, to the detriment of one party/the user excludes or derogates from the Data Act rules shall not be binding on that party.

Data sharing agreements in case of unfair unilaterally imposed terms

A second set of restrictions applies where a contractual term concerning access to and the use of private sector data or liability and remedies with regard to data related obligations has been unilaterally imposed by one party. The contractual terms provided by one contracting party without the other contracting party's influence on the content of the term, despite the attempts to negotiate, will be regarded as 'unilaterally imposed'.

In such situations, a fairness test with broad applicability will mitigate contractual imbalances which would normally impact smaller contracting parties. Unfair contractual terms that businesses (e.g., SMEs) must accept and that have been unilaterally imposed on them regarding the access and use of data, the resulting liabilities for the breach of data related obligations will not be binding.

The Data Act provides for a general catch-all clause for ‘unfair terms’ which are terms “that are of such a nature that its use grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing”.  In addition, the Data Act contains a blacklist (clauses that are always unfair) and grey list (clauses that are presumed to be unfair), which is similar to the mechanism applied in consumer protection law. It is, for example, always unfair to exclude the remedies for such a party in the case of non-performance of contractual obligations, or the liability in the case of a breach of those obligations. Terms that are presumed to be unfair are, for example, the prohibition for the weaker party to terminate the agreement within a reasonable period or, in contrast, that allow the party that imposed the contractual term to terminate the contract at unreasonably short notice.

It must be noted that the clauses that define the primary subject matter of the agreement or the adequacy of the price to be paid are not covered by these rules.

To improve legal certainty on the interpretation of these articles of the Data Act, the European Commission will provide a non-binding model contract on data access.

It follows from the above, that businesses will need to review their data sharing agreements in view of the limitations of the Data Act and to avoid invalidated/unenforceable contractual provisions.

3. Switching cloud and edge services

Aside from the data sharing obligations and requirements for data sharing agreements, the Data Act also contains rules that aims to avoid lock-in scenarios that businesses face when they want to switch cloud and edge systems. According to the European Commission, the Data Act will make it easier to "move data and applications (from private photo archives to entire business administrations) from one provider to another without incurring any costs, because of new contractual obligations that the regulation presents for cloud providers, and a new standardisation framework for data and cloud interoperability."

Facilitation of switching

Providers of data processing services (including cloud and edge services) will need to ensure that their customers can switch to different data processing services of another service provider of the same service type, to an on-premises system or to use several providers at the same time.

A data processing service is as "a digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction" (Article 2(8)). Recital 81 clarifies that data processing services cover "a substantial number of services with a very broad range of different purposes, functionalities and technical set-ups" and among others, include "Infrastructure as a Service (IaaS), Platform as a service (PaaS) and Software as a Service (SaaS)".

The Data Act prohibits any type of obstacles that inhibit customers, for example, from terminating the service agreement after the maximum notice period, or from porting customer’s exportable data and digital assets to another provider or on-prem system. In addition, customers may not be prevented from maintaining ‘functional equivalence’ of the service in the IT-environment of the different provider(s).

This concept was highly debated during the negotiations. Ultimately, a compromise was found for a somewhat less demanding standard for data processing service providers which requires that customers must be able to “re-establish on the basis of their exportable data and digital assets a minimum level of functionality” in the new environment after switching “where the destination data processing service delivers a materially comparable outcome in response to the same input for shared features supplied to the customer under the contract” (Article 2(37)).

Regulation of customer agreements

While switching as such must comply with the requirements set out above, customer agreements for data processing services are subject to a set of minimum requirements, including the requirement that the rights of the customer and the obligations of the provider of a data processing service in relation to switching need to be clearly set out in a written contract, as well as requirements for transition and notice clauses. Article 25 of the Data Act provides a minimum list of contractual terms that should be included in the agreement between providers of data processing services and their customers (which is a similar mechanism as provided for in Article 28 GDPR for data processing agreements).

Additional information and contractual transparency obligations are also applicable (e.g. with regard to the location of processing and the measures to prevent international transfer of non-personal data).

In addition, a gradual withdrawal of switching and data egress charges within three years after the entry into force is foreseen and, in some situations, technical measures to facilitate switching are made mandatory.

Most of these obligations do not apply to custom-built data processing services, adapted to the individual needs of the customer. Only data processing services that are not offered at broad commercial scale via the service catalogue of the provider of data processing services can potentially benefit form this exclusion.

Therefore, this Chapter of the Data Act will result in additional rights for customers of cloud services as well as in more transparent and detailed service agreements. Cloud service providers need to start preparing for these (demanding) requirements by reviewing their cloud contracts and related documentation.

Authors: Kristof De Vulder, Heidi Waem, Muhammed Demircan and Simon Verschaeve