Welcome to Update 3 in our series dedicated to keeping you informed about the Data Act and Data Governance Act. In today's update, we would like to draw your attention to the material, territorial and personal scope of the Data Act.
Introduction
The EU Data Act entered into force in January 2024. One of the main questions when taking a first look at this new law is whether the Data Act is applicable to your organization. Chapter I of the Data Act lays the foundation for determining the applicability.
Personal and territorial scope
Personal scope
Art. 1(3) of the Data Act outlines the key stakeholders governed by the Data Act and defines the territorial scope of the Act:
- Manufacturers of connected products and Providers of related services
- Users of the products and related services
- Data holders, i.e., anyone who uses and makes available data to data recipients
- Data recipients, i.e., anyone to whom data are made available by a data holder
- Public sector bodies, the Commission, the European Central Bank and
Union bodies - Providers of data processing services, i.e. in particular cloud service providers.
- Participants in data spaces and vendors of applications using smart contracts and persons who deploy smart contracts for others in the context of executing an agreement
The definition of “data holder” in particular has the potential to cause uncertainty in practice. From a practical point of view, a “data holder” can only be a party who has actual control over the data and is in a position to grant data access under the Data Act.
The use of a smart car is a practical example for the different roles under the Data Act:
- The driver is the user of the smart car. It is only through their use of the car that driving data is collected. In the case of a shuttle company, the role of the user can also be multi-levelled (the company would be just as much a user as the specific employee).
- The data holder is usually the manufacturer of the car (who has factual control over the data). The collected data is transmitted to the manufacturer. The manufacturer has an interest in using the data for wear and tear or consumption analyses.
- Alternatively, an individual supplier of a connected part may be the data holder if they have direct access to the generated data.
Territorial scope
The Data Act has an extra-territorial scope of application and follows the market principle in Art. 1(3)(a-d) of the Data Act. Manufacturers and providers are in scope, even if they do not have to have their place of establishment in the European Union, if they place products or related services in the European Union. Data Holders inside and outside the European Union are in scope, if they make data available to data recipients in the European Union. Data Processing Services, who provide such services to customers in the European Union, are also in scope. In Art. 1(3)(e) and (f) of the Data Act, the reference “in the Union” is missing.
Material scope of application
Art. 1(1) of the Data Act lays down the material scope of the Data Act while recital 5 of the Data Act summarizes the intent of this new law:
“This Regulation ensures that users of a connected product or related service in the Union can access […] the data generated by the use of that connected product or related service and that those users can use the data, including by sharing them with third parties of their choice. It imposes the obligation on data holders to make data available to users and third parties of the user’s choice […]. It also ensures that data holders make data available to data recipients in the Union under fair, reasonable and non-discriminatory terms and conditions and in a transparent manner. […] In addition, this Regulation seeks to facilitate switching between data processing services and to enhance the interoperability of data and of data sharing mechanisms and services in the Union.”
What is a connected product and a related service?
In assessing the applicability of the Data Act is indeed applicable, one primary focus is on understanding what constitutes a connected product and a related service. These two definitions are crucial, as they serve as one of the key differentiators.
A connected product is an “item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user”, see Art. 2(5) of the Data Act.
Although specific assessments will vary on the individual case, common examples of such connected products include:
- Wearables (such as smart watches),
- Smart solar panels,
- Cleaning robots,
- Fitness trackers,
- Smart cars,
- Smart industrial machines, and
- Smart medical devices (such as glucose monitors or biosensors).
The Data Act does not cover products and modules that do not permit the transfer of data and items whose main function is to store third-party data, such as servers or cloud infrastructure.
A related service is “a digital service, other than an electronic communications service, including software, which is connected with the product at the time of the purchase, rent or lease in such a way that its absence would prevent the connected product from performing one or more of its functions, or which is subsequently connected to the product by the manufacturer or a third party to add to, update or adapt the functions of the connected product”, see Art. 2(6) of the Data Act.
Common examples of such related services include:
- Voice assistants,
- Music streaming services which connect to a smart speaker,
- Lifestyle apps that connect to fitness trackers, and
- Software that control smart industrial machines.
In Update 4, we will discuss the individual data sharing obligations under the Data Act.