The EU Data Act came into force on 11 January 2024. While its provisions will not be applicable for a while yet, businesses will likely need the intervening period to scope out and plan for the impact that the Data Act will have on their product and services designs.
Specifically, the Data Act requires businesses to give users access to the data that is generated by using a connected product such as smart consumer goods, vehicles, smart machinery, phones or connected health devices, and related digital services (for an overview of the Data Act, see here). In light of this, businesses need to get a clear view on what data their products generate that are subject to those access obligations of the Data Act.
The Data Act categorizes data according to the level of processing they have undergone, just like a restaurant categorizes steaks according to their “doneness”: There is “raw” data (i.e. primary data), “medium rare” data (i.e. pre-processed data) and “well-done” data (i.e. processed data and derived information).
The regular Data Act menu has two options: (i) “raw” data and (ii) “medium rare” data. Users can place an “order” to receive such data for free, or request that the data is shared with someone else of their choice. If users want more than the regular Data Act menu, there is a “fine dining option” available and, if this is offered by a business, select “well done” data as the premium solution. However, such “well done” data (i.e. processed data) and derived information are not subject to the mandatory data access obligations of the Data Act, so businesses may only offer them under separate arrangements.
How do businesses determine the “doneness” of their data then?
Introducing “raw” and “medium rare“ data
Raw data refers to data points that are automatically generated without any further form of processing, i.e. which have not been substantially modified. Like data that is automatically generated and collected by sensors (without these sensors performing any further algorithmic operations).
Pre-processed data is raw data that has been altered to a certain extent to make it understandable and usable prior to being processed further. The Data Act sets out a rather narrow understanding of the term “pre-processed data”. In particular, if substantial investments must be made in cleaning and transforming the data by removing duplicates or missing values or adding additional metainformation, the resulting data should not be considered being “pre-processed data”.
By way of example, pre-processed data includes data collected from a single sensor or a connected group of sensors which has been transformed to make it comprehensible for wider use cases. Pre-processing covers e.g. activities such as determining a physical quantity or quality (e.g. temperature, pressure, flow rate, audio, pH value, liquid level, position, acceleration, or speed). Information inferred or derived from such data, which is the outcome of additional investments into assigning values or insights from the data, in particular by means of proprietary, complex algorithms, including those that are a part of proprietary software, are not “pre-processed” any more.
Know the source of your data
Before serving any data on their Data Act menu, businesses must assess where their ingredients come from, e.g. how the data is generated. Raw data and pre-processed data must come from the use of a connected product or a related service to trigger the Data Act’s access obligations. This means data that is deliberately gathered or data resulting from the user’s activity, e.g. data that the connected product obtains from its surroundings or interactions through its sensors (temperature, air pressure, etc.). It also includes data collected by embedded applications, e.g., by software embedded in a product to perform a very specific set of functions, such as indicating the hardware status and malfunctions.
Even data that is being generated during periods of inactivity, e.g., when the user chooses not to use a connected product for a given period of time, leaving it in standby mode or even switched off, is in scope. By contrast, static data which relates to immutable information about the product such as colour, product number, etc. does not fall within the remit of the Data Act.
Different “cuts” of data
As every chef knows, not all cuts of meat are equally suitable for being served as a “raw” steak. The same applies to data: not all raw data is relevant under the Data Act. Only raw data that has been designed by the manufacturer to be retrievable from the connected product is covered – i.e. if it can be retrieved via an electronic communications service, a physical connection or on-device access, by a user, a data holder or a third party or by the manufacturer itself. Data, however, that is only created and used by some parts of the product which is not designed to store or send the data outside the part where the data is created or the connected product itself (for example, "volatile data"), is not included.
“Well-done” data
Businesses may decide to give access to inferred data or derived data as well, even though the Data Act does not require them to do so. The Data Act does not define what "inferred" or "derived" data means, but data that is the outcome of complex, exclusive algorithms, which might also involve proprietary software, would be considered as “derived”. This includes data that comes from extra investments in giving values or insights to primary data. For instance, such data could include information that comes from sensor fusion, which uses multiple sensors to infer or derive data, using complicated algorithms that may have intellectual property rights. Also, anonymised data would be derived data, as it involves a complex processing operation.
Preparing for the big day
Just like a restaurant owner checks the ingredients in his kitchen before the big day, businesses will have to check their data before the Data Act kicks in and see which of their data is "raw" and "medium rare” data vs. "well done" data.
Hungry for more? Visit our EU Digital Strategy Hub for further insights on the Data Act and other EU digital regulations.
