To aid in the implementation of the EU Data Act, the European Commission has released a set of frequently asked questions (FAQ). For a concise overview of these FAQs, refer to our previous blog post. With the Data Act being new and its implementation raising many questions, the Commission has now, five months later, issued an updated FAQ (version 1.2). In this post, we summarize the key changes of this update.
Data in scope: raw, pre-processed and derived
Data holders are obliged to make available product data and related service data. However, only raw data and pre-processed data are within scope, while derived or inferred data are excluded from the data holder’s obligations. For details, see our previous blog post outlining why the EU Data Act does not care for “well-done” data.
A key question for businesses is to identify their data as raw or pre-processed and to determine which processing activities produce derived or inferred data.
In its updated FAQ, the Commission clarifies that ‘the level of enrichment of the data is one of the key factors in achieving a balanced and fair allocation of data value'. To distinguish between raw and pre-processed data and derived and inferred data, the Commission reiterates that recital 15 mentions concepts such as ‘substantial modification', ‘substantial investments in cleaning and transforming the data', and ‘proprietary and complex algorithms'. However, the Commission fails to offer specific guidance on the interpretation of these terms, which would have been beneficial in practical application.
The Commission further explains that all sensor measurements ‘require some level of interpretation before they can be communicated in a digital format, and additional investments may be necessary to make the data usable and understandable’ (eg cleaning, transforming, or reformatting). The Commission indicates that businesses are not required to make significant investments in these processes. Instead, it is expected that users or third parties will possess a ‘reasonable’ level of technical capability to interpret the data independently.
Data in scope: exemption for ‘content’
Recital 16 stipulates that ‘content’ data is not in scope of the Data Act’s data access obligations. The Commission explains that ‘content’ includes textual, audio, or audiovisual material often protected by intellectual property rights. In other words, ‘content’ refers to copyrightable material from creative processes, intended for human consumption. The Data Act does not replace existing protections for such data but aims to open markets for other data types, such as measurements generated by connected products and non-creative output.
For instance, data holders of digital cameras must share data like usage patterns and battery levels, but not the audiovisual content itself. Similarly, users cannot request access to films on smart TVs. However, the Commission points out that cameras with advanced sensors, such as those in vehicles or agricultural machinery, generate non-creative imagery not destined for human consumption. Thus, such data should be in scope of the data sharing obligations of the Data Act.
Data in scope: the question of anonymised data
The Commission takes the opportunity to clarify a highly relevant question in practice: whether anonymised data can be considered derived data. Interestingly, the Commission explains that data resulting from pseudonymisation and other privacy-enhancing technologies should not be considered inferred or derived data ‘just because these technologies are applied’.
However, it is essential to recognize that fully anonymising data in accordance with GDPR principles requires sophisticated methods that extend beyond mere cleaning, transformation, or reformatting of processing activities typically used for creating ‘pre-processed’ data. A careful selection and combination of anonymisation techniques, such as randomization and generalization, should be considered as the implementation of complex algorithms within the context of derived data. Furthermore, the Commission's use of the term ‘just’ suggests there may be circumstances where anonymised data are regarded as out of scope, although this aspect is not explicitly clarified.
The Commission’s assertion that privacy-enhancing technologies are solely investments for data analysis while preserving privacy, rather than for deriving insights or assigning values, appears unconvincing. In practice, resources devoted to anonymising data regularly complement those used for extracting valuable insights and assigning (new) values (like with generalisation techniques). Further, the primary factor in determining whether data should be classified as derived data depends on the complexity of the processes used to generate the data, rather than the purpose of the investments made.
Providing data of the same quality
According to articles 4.1 and 5.1 of the Data Act, data holders must provide data in the same quality as it is available to them. The Commission clarifies that this means data should be shared in a format consistent with how it would be shared within the same corporate group or in accordance with industry standards or practices in a specific industry.
There can only be one? The situation of multiple data holders
The Commission further elaborates on situations involving multiple data holders and refines its previous guidance. As an example, if two component suppliers provide data-generating components and one supplier obtains data directly via an embedded SIM card, that supplier must establish a contract with the user in accordance with Articles 4.13 and 4.14 of the Data Act (assuming that the data is classified as non-personal data). The Commission recommends that this contract should ideally be facilitated by either the manufacturer or distributor during the sale, lease, or rental of the connected product, as these parties are best positioned to relay the user's identity to the component supplier.
User or data holder? Or both?
The Commission notes that a company cannot be both a user and a data holder for the same data at the same time. Furthermore, when a user shares data with a third party, they should not be considered a data holder for that third party. Recital 34 of the Data Act, however, clarifies that if a user is an enterprise (including a sole trader) rather than a data subject, they are regarded as a controller. As a consequence, recital 34 also indicates that once data has been made available, such a user may subsequently become a data holder (in relation to these other users).
The Commission now proposes a rather narrow interpretation of recital 34, i.e. that recital 34 only applies in scenarios where two companies act as joint controllers for users who are data subjects. The allocation of joint controllership responsibilities could result in the initial user (who is not the data subject) becoming a data holder for additional users.
Further, the Commission clarifies that there may be situations in which there are users, but no data holders.
Prepared for the road ahead?
The Commission's guidance offers valuable insights into the legislative intent of the Data Act. However, it remains to be seen how the Court of Justice of the European Union will eventually interpret the Data Act, and whether national authorities will adhere to the FAQ consistently.
Navigating the complexities of the Data Act can be challenging. Get in touch with us if you would like to discuss further.
