Opinion

European Commission clarifies key concepts of the Data Act in updated FAQs

On February 3 2025, the European Commission published an updated version of the Frequently Asked Questions (FAQs) about Regulation (EU) 2023/2854 on harmonised rules on fair access to and use of data (Data Act). Key provisions of the Data Act will become applicable from September 12 2025, with transitional provisions for certain specific situations. The updated FAQs include several important clarifications and additions that may be helpful in defining or fine-tuning organisations’ data and compliance strategies.

The Data Act

The Data Act establishes horizontal rules for accessing and sharing data from internet of things (IoT) products and related services across the EU’s data market, aiming to ensure fairness in the allocation of the value of data among all actors in the data economy. It also includes measures to protect companies from unfair contractual terms relating to data sharing and facilitates switching between data processing services (such as cloud and edge computing) by introducing minimum requirements on interoperability and switching. You can read more about the Data Act in our blog here and about the previous version of the FAQs here.

Summary of key changes in the updated FAQs

Only data generated or collected after the Data Act's application date falls within the scope of Chapter II. The definition of "readily available data" now excludes references to the time of data generation or collection. New examples clarify that content generated by digital cameras and smart TVs is excluded, while imagery from cameras on connected vehicles and agricultural machinery, which can be considered "sophisticated sensors", is subject to the Data Act. There are also clarifications on what constitutes sufficient data enrichment to exclude raw or pre-processed data from Chapter II obligations. The updated FAQs clarify that privacy-enhancing technologies (PETs) do not qualify as such enrichment.

Detailed scenarios explain the roles and responsibilities of data holders, manufacturers, and users, including specific examples involving suppliers of data-generating components. Previous guidance notes on renegotiating data access obligations and protection of trade secrets for legacy products have been deleted. Additionally, there is an expanded explanation on how a company can be both a user and a data holder for different connected products or services, and the specific exception for joint controllers in multi-user scenarios.

We discuss these changes in more detail below.

The roles of user, data holder, manufacturer, and component suppliers 

The updated FAQs have expanded the answer to the question of whether a company can be both a user and a data holder at the same time (Question 34):

  • As explained in the previous version of the FAQs, a company can be both a user and a data holder with respect to different connected products or related services (e.g. a manufacturer can be a user of the robots in its factory and a data holder for connected products it manufactures).
  • However, a company cannot simultaneously be a user and a data holder for the same data. A user sharing data with a third party should not be considered a data holder for that third party.

If personal data is involved, Recital 34 of the Data Act explains that the data holder and the user may be joint controllers within the meaning of Article 26 GDPR, requiring them to determine their respective GDPR compliance responsibilities. And such a user, once data has been made available, may in turn become a data holder. The FAQs now clarify that the specific exception in Recital 34 of the Data Act refers to a possible multi-user scenario where two companies (a data holder and the initial user who is not a data subject) act as joint controllers for additional users who are the data subjects. This could result in the initial user becoming a data holder for those additional users.

The updated FAQs also include important clarifications on the roles of manufacturers, component suppliers and users (Question 21, with an example in a flow chart on p. 15): 

  • The example addresses a specific situation where a product manufacturer has two suppliers of data-generating components. Supplier A receives data directly from the component via an embedded SIM card and is identified as a data holder in pre-contractual information. If Supplier A wants to use this data, it needs to have an agreement with the user: at the point of sale/rent/lease, the manufacturer or distributor should facilitate this agreement, through which Supplier A is notified of the identity of the user. Supplier B, which supplies another data-generating element, can receive its component data from the manufacturer according to their individual agreement “which is subject to the user’s approval”. In this scenario, Supplier A is a data holder and Supplier B is a third party.
  • The European Commission moved to Question 21 a note clarifying that there can be a user without a data holder. This is the case, for example, if a user acquires a connected product where the data are stored directly on the device or transferred from the device to the user's computer, and the manufacturer does not have access to any of the data. In this scenario, there is no data holder, since only the user has access to any of the data. However, for an obligation on a data holder under Chapter II of the Data Act to arise, there must always be a user.

Enriched data 

The Data Act in particular concerns raw and pre-processed data generated by connected products or related services. Inferred or derived data and content, e.g. highly enriched data, are in principle out of scope. 

The updated FAQs include a new Question 5 that clarifies what level of data enrichment would transform raw and pre-processed data into inferred or derived data, therefore excluding it from the scope of Chapter II Data Act obligations. Recital 15 of the Data Act already mentions "substantial modification", "substantial investments in cleaning and transforming the data", and "proprietary and complex algorithms" to illustrate such data enrichment, and in this regard the updated FAQs provide the following significant clarifications:

  • Data should be “easily” usable and understandable by entities other than those who generated it. And while all sensor measurements require some level of interpretation before they can be communicated in a digital format and additional investments may be necessary to make the data usable and understandable (e.g. cleaning, transforming, or reformatting), the European Commission clarifies that the data holder is not obliged to make substantial investments in these processes.
  • The updated FAQs further clarify that the data holder is required to share data of the same quality as it makes available to itself, implying that the format and quality of the data should be consistent with how the data would be shared with another subsidiary within the same corporate group or in a manner that aligns with industry standards or practices within a specific industry.
  • Processing that is designed to preserve the privacy of the information (naming specifically anonymisation, pseudonymisation, and encryption) should not be considered sufficient for the data to be excluded from the scope of Chapter II of the Data Act (see also below). 

Privacy-enhancing technologies (PETs) 

The updated FAQs include a new Question 13 on whether applying PETs to achieve anonymisation or pseudonymisation results in derived or inferred data, thereby excluding applicability of the obligations for data holders under Chapter II of the Data Act.

Although the European Commission recognises that pseudonymisation or anonymisation of personal data plays an important role in the implementation of the Data Act and can be achieved by applying PETs, it clarifies that the mere application of these technologies does not result in inferred or derived data.

This is because the protection of data holders' inferred or derived data is intended to safeguard "additional investments into assigning values or insights from the data" – and PETs are investments that are made for the purpose of being able to analyse data while protecting privacy rather than assigning values or deriving insights. 

Anonymisation or pseudonymisation can still be relevant when the data holder must respond to a request under Article 4 or 5 Data Act, in particular in multi-user situations where several data subjects are involved or where a requesting party is not the data subject using the connected product. In such situations, applying PETs can assist with ensuring compliance with the GDPR. In this respect, the European Commission provides an example of a rented car.

When content is excluded

Recital 16 of the Data Act explains that certain data generated by sensor-equipped connected products when the user is recording, transmitting, displaying, or playing content, as well as the content itself, are not covered by the Data Act. The updated FAQs include a new Question 6, clarifying that excluded “content” refers to “something akin to copyrightable material, i.e. the result of a creative process”, typically destined for human appreciation or consumption, unlike data such as “measurements and non-creative output”.

Examples include digital cameras, smart TVs, connected vehicles and agricultural machinery. For instance, data holders of digital cameras must share readily available data (e.g. usage patterns, battery charging levels, timestamps, location, event logs etc.) but not the audiovisual content itself (e.g. photos and videos). 

In contrast, imagery from cameras on connected vehicles or agricultural machinery, used for collision warnings or plant health, falls within the Data Act’s scope as it lacks creative elements and is not intended for “human consumption”. The FAQs point out that these cameras could be viewed as “sophisticated sensors”. 

Model clauses for data sharing and cloud computing

The European Commission has been working on preparing non-mandatory Standard Contractual Clauses (SCCs) for cloud computing contracts and Model Contractual Terms (MCTs) for data access and use under the Data Act. Both SCCs and MCTs are expected to be adopted before the Data Act becomes applicable in September 2025. 

The SCCs will cover elements related to switching and exit, term and termination, non-dispersion, non-amendment, security and business continuity, and liability. 

The proposed MCTs were discussed at expert seminars in November-December 2024, and updated drafts are expected in the spring. If you would like to discuss the direction in which the European Commission is working, please reach out to Nicole Wolters Ruckert, Marleen van Putten or your usual A&O Shearman contact. 

Conclusion

The updated FAQs on the Data Act offer important clarifications that will help organisations navigate the complexities of data access, sharing, and compliance and ensure they meet regulatory requirements. 

However, companies may find it challenging to assess whether their connected product data processing meets the criteria of data enrichment for exclusion from the access and sharing obligations. Determining and delineating the roles and responsibilities of various actors in multi-user and multi-controller environments remains difficult and complex to implement. The distinction between data and content, particularly the requirement that content must be akin to copyrightable material, can be ambiguous. Companies may struggle to classify certain types of data, such as imagery from connected vehicles or agricultural machinery, and determine whether they fall within the scope of the Data Act. And while the upcoming SCCs and MCTs are a welcome development, their voluntary nature might impede their use. In addition, companies need to stay informed and be prepared to integrate these tools into their data sharing and cloud computing contracts.

The press release is available here and the updated FAQs here.

 
