This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.

Freshfields TQ

Technology quotient - the ability of an individual, team or organization to harness the power of technology

| 8 minute read

Key insights for businesses from the EU Commission’s FAQ on the EU Data Act

To aid in its implementation, the European Commission has published frequently asked questions on the EU Data Act. Check out our earlier blog post for a quick rundown of the EU Data Act. 

Reflecting the European Commission’s intentions, the FAQ aims to support stakeholders in applying the legal provisions. The FAQs apparently are the product of extensive stakeholder interaction, and intend to be a ‘living document’ that are expected to be updated as and when necessary.

Although many topics are only briefly covered, the FAQ offer useful insights and occasionally unexpected remarks that can assist businesses in their journey to comply with the Data Act:

The Data Act’s scope of application

  • Data in scope: In relation to the term ‘readily available data’, the European Commission has clarified that only data generated or collected after the entry into application of the Data Act should be considered as falling within the scope of the Data Act’s data access obligations. In addition, it has been clarified that purely descriptive data is out of scope.
  • Historical data: Interestingly, in the context of second-hand products, the FAQ suggests that historical data generated by previous users should be provided to the current user. Yet, access to historical data must comply with the protection of the previous users, including respecting requests for data deletion. This approach aims to balance data access with privacy concerns and business interests.
  • Smartphones and TVs: The recitals did not explicitly mention smartphones and TVs, causing ambiguity about their status as ‘connected products’. The Commission has now confirmed that both smartphones and TVs fall within this category.
  • Servers and routers: Devices mainly used for storing, processing, or transmitting data like servers and routers, are out of scope, unless they are owned, rented, or leased by the user. This is particularly important for cloud business models that involve renting servers or offering server-like functionalities.
  • Related services in scope: A digital service is considered a ‘related service’ if it (i) exchanges data both ways with the connected product and (ii) affects the product's functions, behaviour, or operation. To help determine if a digital service is ‘related service’, data holders should consider (i) user expectations for the product type, (ii) marketing of the product and service, (iii) contractual terms, (iv) how easily the service can be replaced, and (v) whether the service comes ‘pre-installed’.
  • Placing on the market: The concept of ‘placing on the market’ refers to each individual product, not to a product type. As a result, two items from the same product line may receive different treatment depending on when they are initially introduced to the market.
  • Geographical scope: Once a connected product has been placed on the market in the EU it doesn’t matter where the user actually uses the product. The data generated by that connected product both inside and outside the EU should be made available to the user. For example, this could be the case when 'movable' connected products such as ships, airplanes, trains, and cars which have been placed on the EU market are used by the user outside of the EU. Further, registration in a Member State is an indicator that the connected product in question was placed on the EU market.
  • Data recipients in scope: The Commission clarifies that based on Article 5(1) a user may ask a data holder to share data with an entity or person that is not established in the EU, but the data holder is not obliged to grant that request.
  • Other data sharing obligations in scope: Considering that the Data Act is a horizontal piece of legislation, the rules regarding conditions, compensation and technical protection measures for whenever a data holder is obliged under EU or national law to share data with a data recipient, apply to data sharing obligations set out in other laws that enter into force after 11 January 2024 (ie the date on which the Data Act entered into force). For newly introduced rules on data sharing between 11 January 2024 and 12 September 2025 (ie the data on which the Data Act becomes applicable), the European Commission believes that best efforts should be made to ensure alignment. However, they do not perceive this as a legal requirement.

Roles under the Data Act

  • Definition of user: The Commission clarifies that persons must have a stable right on the connected product (eg ownership, or a right from a rent or lease contract) to be considered a user. This indicates that non-contractual relationships are deemed unstable and are thus omitted. For example, a daughter casually using her mother's car wouldn't typically be classified as a user unless there is some form of contractual usage agreement in place (even if it isn't documented in writing).
  • Multiple users:  Data holders should have mechanisms in place to ensure that each user can access the data to which they are entitled. In the context of multiple users the commission thinks of two potential solutions: a corporate account where a company (such as a car rental company which is also a user) provides login details to its end customers, or individual accounts where users (eg the end customers) set up their own accounts and data-sharing agreements directly with the manufacturer (data holder).
  • Role of data holder: Remarkably, the Commission clarifies that the Data Act allows an entity (eg the manufacturer) to ‘outsource’ the role of ‘data holder.’ Identifying the data holder hinges on who controls access to the readily available data. In any case the user must always be informed of the identity of the data holder(s) before signing the respective contracts.
  • Data holder vs. user: Interestingly, the Commission states a company can't simultaneously be a user and a data holder for the same data. This seems to conflict with recital 34, which suggests a user receiving personal data can become a data holder if they meet certain criteria. The clarification might imply that when a user becomes a data holder, they are no longer considered a user for that data.

Data access and data sharing

  • Direct vs. indirect access: The Commission clarifies that ‘direct access’ allows users to access, stream, or download data from connected products (such as through their interface) without having to request access from the data holder (ie without any interaction). In contrast, ‘indirect access’ necessitates that users request data from the data holder. The qualification of providing data through a separate app as direct access remains debatable. However, one could contend that it does qualify, considering that no interaction with the data holder is required. 
  • Ensuring direct access: The Commission notably reinforces that manufacturers of connected products have significant discretion in implementing data access. Manufacturers should have the flexibility to decide whether to design products for ‘uncontrolled’ user access or for access that includes additional controls. This clarification significantly alters the situation, clearly stating that manufacturers are not required to ensure direct access by every possible means.
  • Protection of trade secrets: Direct access doesn't have to be unconditional. The manufacturer can require the user to protect certain directly accessible data through contractual obligations to safeguard trade secrets.
  • User verification: Data holders may require appropriate user identification to verify a user's entitlement to access the data. The Commission now specifies that the requested information must ‘conclusively demonstrate that a person is a user’. The phrase ‘conclusively demonstrate’ suggests that the documentation should leave no reasonable doubt about the person's identity as well as about the person’s status as a user. 
  • Compensation: The Commission details ‘non-discriminatory’ compensation, stating that entities in similar situations should be treated equally. Each case must be evaluated independently if data recipients are comparable. Although fair compensation is the aim, specific assessments are necessary, offering data holders some discretion. The Commission noted that guidelines for determining fair compensation are expected only after the Data Act takes effect on 12 September 2025. 

B2G data sharing

  • Mitigation of or recovery from a public emergency: The Commission stretches that in the context of B2G access, the concept of ‘mitigation of or recovery from a public emergency’ is not defined in the Data Act. But rather the factors to be considered are likely to be laid down in national law.
  • Equivalent conditions: Article 15(1) entitles a public sector body to request data from the data holder to respond to a public emergency if it is unable to obtain such data by alternative means in a timely and effective manner ‘under equivalent conditions’. The Commission specifies that ‘under equivalent conditions’ implies the public sector body should first verify if similar data can be accessed elsewhere with comparable effort. 

Providers of data processing services

  • Interoperability: The Commission has shed some light on how the repository for standards for the interoperability of data processing services will look like. It will take the form of an online platform and will become a one-stop-shop for providers to see which harmonized standards or common specifications (on the basis of open interoperability specifications) apply to the type of service they offer. Providers must ensure that the interfaces that they make accessible to customers are compatible with the standards/specifications referenced in the repository. The repository will be a living document and will be continuously updated with new relevant harmonized standards and common specifications per service type.
  • Protection measures: Data processing service providers should take all reasonable measures to prevent  access to systems on which non-personal data are stored. Such measures could include, ‘the encryption of data, frequent submission to audits, verified adherence to relevant security reassurance certification schemes, and by the modification of corporate policies.’ The Commission stated that it may in the future offer further guidance on this point to the competent authorities, following the advice of the EDIB.
  • Transfer of non personal data to third country authorities: The Commission clarifies that the definition of third country ‘government’ or third country ‘public authority’ should not be too narrow when evaluating whether a particular body falls in that category. 

Enforcement

  • Penalties: In principle, the Member States are responsible for setting penalties and all the necessary measures relative to their application. However, the Commission clarifies that to ensure high consistency across the EU, the EDIB will be used as a platform to evaluate, coordinate, and adopt recommendations on setting penalties for infringements of the Data Act.
  • Legal representatives: Entities established outside the EU that provide services or products in the EU market must appoint a legal representative. The Commission clarifies that these legal representatives are liable only for their duties as representatives under the Data Act. They are not accountable for the overall responsibilities of the data holder.
  • Model contractual clauses: The Commission announced that an Expert Group on B2B data sharing and cloud computing contracts, which is jointly managed by DG JUST and DG CNECT, is currently developing model contractual terms for data sharing and standard contractual clauses for cloud computing contracts. The model contractual terms for data sharing will cover contracts between data holders and users, data holders and data recipients, and between users and data recipients. The standard contractual clauses for cloud computing contracts will cover elements related to switching & exit, term & termination, non-dispersion, non-amendment, security & business continuity and to liability. The Commission reassured that it will adopt a recommendation on those model terms before 12 September 2025. 

The FAQ should not be interpreted as the official stance of the European Commission. The opinions given are further not definitive and do not predict any future actions the European Commission might take, including its possible stances before the Court of Justice of the European Union.

These FAQ sheds light on the legislator's intentions, but many questions remain unanswered. It's uncertain if national authorities will consistently adhere to it. The final interpretation will be up to the Court of Justice of the European Union. 

Nonetheless, the Commission's explanations offer valuable insight into the practical application of the Data Act. Companies are well-advised to thoroughly examine the FAQ as part of their Data Act preparation initiatives.

Tags

consumer, data, data protection, eu data act, europe, internet of things, manufacturing, regulatory, regulatory framework, tech media and telecoms, eu digital strategy