From fitness wristbands to smart household appliances and cars to industrial production facilities - they all collect or generate usage and environmental data, which they then pass on. The data is often reserved for the manufacturers of these networked devices, and according to information from the European Commission, 80 per cent of industrial data is never used. Yet unearthing this huge treasure trove of data could be of great value, for example for training artificial intelligence (AI), innovative developments or optimised product maintenance. Removing the legal, economic and technical obstacles that stand in the way of sharing such data is therefore also a core concern of the European data strategy.
The Data Act (DA), the "Regulation on harmonised rules for fair access to and use of data (Data Regulation)", was published in the EU Official Journal on 22 December 2023. The DA requirements will essentially apply from 12 September 2025. Manufacturers of connected products and providers of the associated software should definitely use this time to prepare for the new legal situation.
Essential contents
The Data Act gives consumers and companies that buy, rent or lease a connected product the opportunity to obtain secure access to the data that is generated or collected by the product or the associated services. This goes well beyond the right to a copy known from the EU General Data Protection Regulation (GDPR). On the one hand, the scope of the Data Act includes non-personal data as well as personal data. On the other hand, (raw) data access should be possible in real time and, if necessary, continuously for users and, at their request, also for third parties.
Barbara Scheben
Partner, Head of Forensic, Head of Data Protection
KPMG AG Wirtschaftsprüfungsgesellschaft
In future, new networked products and associated services must even be designed and developed in such a way that the data is easily and directly accessible to users ("access by design"). In principle, there are only significant simplifications for small and micro-enterprises.
Manufacturers are also subject to certain transparency and information obligations, for example regarding the scope and type of data generated and how users can access it and make it available to third parties. In addition, the Data Act contains numerous requirements for the design of relevant contractual clauses. In future, the Commission will also provide corresponding model contract clauses.
As far as personal data is concerned, the Data Act supplements the data protection provisions of the GDPR, does not affect them and, in particular, does not create a new legal basis for processing. The specific data provision obligations under the Data Act therefore depend, among other things, on the extent to which the data relates to specific individuals. The Data Act provides for a graduated system of technical, contractual and organisational protective measures for the protection of trade secrets. However, a refusal to disclose data for the purpose of protecting trade secrets will only be permitted in exceptional cases and only after notification to the competent authority.
In addition, the Data Act also contains new technical, organisational and contractual requirements for data processing providers (in particular cloud or edge services), which are primarily intended to enable a simple change of provider and protect non-personal data from access by third country authorities.
Outlook
The Data Act will be directly applicable in all EU member states from 12 September 2025, without the need for transposition into national law. In principle, the requirements will also apply to legacy products and legacy databases. Similar to the GDPR, it also applies to non-European companies under certain circumstances (market location principle) and provides for fines of up to 4 per cent of global (group) annual turnover for violations.
In order to comply with the new requirements, affected companies should be prepared for sometimes very extensive preparatory work, for example with regard to the precise collection and classification of the data concerned, technical and organisational issues of data provision, data and trade secret protection, security concepts, contract design and transparency obligations. Even if measures for implementing other laws, such as the GDPR or the Trade Secrets Act, can be used as a basis in some cases, the transition period is quite short in view of the expected implementation effort. Therefore, affected companies should not waste any time here.
The experts at KPMG will be happy to answer any questions you may have.
¹ Within narrow limits, a right of access for public authorities is also provided for, but only in exceptional circumstances, such as in the event of natural disasters (see Art. 14 et seq. DA).
² See Art. 15 para. 3 GDPR.
This means for companies that employ fewer than 50 people and whose annual turnover or annual balance sheet does not exceed EUR 10 million (however, the exception does not apply if the company in question has a partner company or an affiliated company that is not considered a small or micro-enterprise, or if the company in question has been subcontracted to manufacture or develop the relevant products or provide the relevant services), Art. 7 para. 1 sentence 1, Art. 2 no. 25 and 26 DA in conjunction with Art. 2 Annex to Recommendation 2003/361/EC. For medium-sized companies (fewer than 250 employees and an annual turnover of less than EUR 50 million or an annual balance sheet of less than EUR 43 million), the corresponding simplifications only apply if they have only exceeded the qualification threshold for medium-sized companies less than one year ago or if the relevant product of a medium-sized company has been on the market for less than one year, Art. 7 para. 1 sentence 2 DA in conjunction with Art. 2 Annex to Recommendation 2003/361/EC.
⁴ There is an exception for the "Access by Design" obligation: this only applies to connected products and the services connected to them that were placed on the market after 12 September 2026, Art. 50 DA.