Data Act

Connected products that obtain, generate or collect, by means of their components or operating systems, data concerning their performance, use or environment and that are able to communicate those data via an electronic communications service, a physical connection, or on-device access, often referred to as the Internet of Things, should fall within the scope of this Regulation, with the exception of prototypes. Examples of such electronic communications services include, in particular, land-based telephone networks, television cable networks, satellite-based networks and near-field communication networks. Connected products are found in all aspects of the economy and society, including in private, civil or commercial infrastructure, vehicles, health and lifestyle equipment, ships, aircraft, home equipment and consumer goods, medical and health devices or agricultural and industrial machinery. Manufacturers’ design choices, and, where relevant, Union or national law that addresses sector-specific needs and objectives or relevant decisions of competent authorities, should determine which data a connected product is capable of making available.

The data represent the digitisation of user actions and events and should accordingly be accessible to the user. The rules for access to and the use of data from connected products and related services under this Regulation address both product data and related service data. Product data refers to data generated by the use of a connected product that the manufacturer designed to be retrievable from the connected product by a user, data holder or a third party, including, where relevant, the manufacturer. Related service data refers to data, which also represent the digitisation of user actions or events related to the connected product which are generated during the provision of a related service by the provider. Data generated by the use of a connected product or related service should be understood to cover data recorded intentionally or data which result indirectly from the user’s action, such as data about the connected product’s environment or interactions. This should include data on the use of a connected product generated by a user interface or via a related service, and should not be limited to the information that such use took place, but should include all data that the connected product generates as a result of such use, such as data generated automatically by sensors and data recorded by embedded applications, including applications indicating hardware status and malfunctions.

This should also include data generated by the connected product or related service during times of inaction by the user, such as when the user chooses not to use a connected product for a given period of time and instead to keep it in stand-by mode or even switched off, as the status of a connected product or its components, for example its batteries, can vary when the connected product is in stand-by mode or switched off. Data which are not substantially modified, meaning data in raw form, also known as source or primary data which refer to data points that are automatically generated without any further form of processing, as well as data which have been pre-processed for the purpose of making them understandable and useable prior to subsequent processing and analysis fall within the scope of this Regulation. Such data includes data collected from a single sensor or a connected group of sensors for the purpose of making the collected data comprehensible for wider use-cases by determining a physical quantity or quality or the change in a physical quantity, such as temperature, pressure, flow rate, audio, pH value, liquid level, position, acceleration or speed. The term ‘pre-processed data’ should not be interpreted in such a manner as to impose an obligation on the data holder to make substantial investments in cleaning and transforming the data. The data to be made available should include the relevant metadata, including its basic context and timestamp, to make the data usable, combined with other data, such as data sorted and classified with other data points relating to them, or re-formatted into a commonly used format.

Such data are potentially valuable to the user and support innovation and the development of digital and other services to protect the environment, health and the circular economy, including through facilitating the maintenance and repair of the connected products in question. By contrast, information inferred or derived from such data, which is the outcome of additional investments into assigning values or insights from the data, in particular by means of proprietary, complex algorithms, including those that are a part of proprietary software, should not be considered to fall within the scope of this Regulation and consequently should not be subject to the obligation of a data holder to make it available to a user or a data recipient, unless otherwise agreed between the user and the data holder. Such data could include, in particular, information derived by means of sensor fusion, which infers or derives data from multiple sensors, collected in the connected product, using proprietary, complex algorithms and which could be subject to intellectual property rights.

This Regulation enables users of connected products to benefit from aftermarket, ancillary and other services based on data collected by sensors embedded in such products, the collection of those data being of potential value in improving the performance of the connected products. It is important to delineate between markets for the provision of such sensor-equipped connected products and related services on the one hand and markets for unrelated software and content such as textual, audio or audiovisual content often covered by intellectual property rights on the other hand. As a result, data that such sensor-equipped connected products generate when the user records, transmits, displays or plays content, as well as the content itself, which is often covered by intellectual property rights, inter alia for use by an online service, should not be covered by this Regulation. This Regulation should also not cover data which was obtained, generated or accessed from the connected product, or which was transmitted to it, for the purpose of storage or other processing operations on behalf of other parties, who are not the user, such as may be the case with regard to servers or cloud infrastructure operated by their owners entirely on behalf of third parties, inter alia for use by an online service.

It is necessary to lay down rules regarding products that are connected to a related service at the time of the purchase, rent or lease in such a way that its absence would prevent the connected product from performing one or more of its functions, or which is subsequently connected to the product by the manufacturer or a third party to add to or adapt the functionality of the connected product. Such related services involve the exchange of data between the connected product and the service provider and should be understood to be explicitly linked to the operation of the connected product’s functions, such as services that, where applicable, transmit commands to the connected product that are able to have an impact on its action or behaviour. Services which do not have an impact on the operation of the connected product and which do not involve the transmitting of data or commands to the connected product by the service provider should not be considered to be related services. Such services could include, for example, auxiliary consulting, analytics or financial services, or regular repair and maintenance. Related services can be offered as part of the purchase, rent or lease contract. Related services could also be provided for products of the same type and users could reasonably expect them to be provided taking into account the nature of the connected product and any public statement made by or on behalf of the seller, rentor, lessor or other persons in previous links of the chain of transactions, including the manufacturer. Those related services may themselves generate data of value to the user independently of the data collection capabilities of the connected product with which they are interconnected. This Regulation should also apply to a related service that is not supplied by the seller, rentor or lessor itself, but which is provided by a third party. In the event of doubt as to whether the service is provided as part of the purchase, rent or lease contract, this Regulation should apply. Neither the power supply, nor the supply of the connectivity are to be interpreted as related services under this Regulation.

The user of a connected product should be understood to be a natural or legal person, such as a business, a consumer or a public sector body, that owns a connected product, has received certain temporary rights, for example by means of a rental or lease agreement, to access or use data obtained from the connected product, or receives related services for the connected product. Those access rights should in no way alter or interfere with the rights of data subjects who may be interacting with a connected product or a related service regarding personal data generated by the connected product or during the provision of the related service. The user bears the risks and enjoys the benefits of using the connected product and should also enjoy access to the data it generates. The user should therefore be entitled to derive benefit from data generated by that connected product and any related service. An owner, renter or lessee should also be considered to be a user, including where several entities can be considered to be users. In the context of multiple users, each user may contribute in a different manner to the data generation and have an interest in several forms of use, such as fleet management for a leasing enterprise, or mobility solutions for individuals using a car sharing service.

Data literacy refers to the skills, knowledge and understanding that allows users, consumers and businesses, in particular SMEs falling within the scope of this Regulation, to gain awareness of the potential value of the data they generate, produce and share and that they are motivated to offer and provide access to in accordance with relevant legal rules. Data literacy should go beyond learning about tools and technologies and aim to equip and empower citizens and businesses with the ability to benefit from an inclusive and fair data market. The spread of data literacy measures and the introduction of appropriate follow-up actions could contribute to improving working conditions and ultimately sustain the consolidation, and innovation path of, the data economy in the Union. Competent authorities should promote tools and adopt measures to advance data literacy among users and entities falling within the scope of this Regulation and an awareness of their rights and obligations thereunder.

Data processing services should cover services that allow ubiquitous and on-demand network access to a configurable, scalable and elastic shared pool of distributed computing resources. Those computing resources include resources such as networks, servers or other virtual or physical infrastructure, software, including software development tools, storage, applications and services. The capability of the customer of the data processing service to unilaterally self-provision computing capabilities, such as server time or network storage, without any human interaction by the provider of data processing services could be described as requiring minimal management effort and as entailing minimal interaction between provider and customer. The term ‘ubiquitous’ is used to describe the computing capabilities provided over the network and accessed through mechanisms promoting the use of heterogeneous thin or thick client platforms (from web browsers to mobile devices and workstations). The term ‘scalable’ refers to computing resources that are flexibly allocated by the provider of data processing services, irrespective of the geographical location of the resources, in order to handle fluctuations in demand. The term ‘elastic’ is used to describe those computing resources that are provisioned and released according to demand in order to rapidly increase or decrease resources available depending on workload. The term ‘shared pool’ is used to describe those computing resources that are provided to multiple users who share a common access to the service, but where the processing is carried out separately for each user, although the service is provided from the same electronic equipment. The term ‘distributed’ is used to describe those computing resources that are located on different networked computers or devices and which communicate and coordinate among themselves by message passing. The term ‘highly distributed’ is used to describe data processing services that involve data processing closer to where data are being generated or collected, for instance in a connected data processing device. Edge computing, which is a form of such highly distributed data processing, is expected to generate new business models and cloud service delivery models, which should be open and interoperable from the outset.

The generic concept ‘data processing services’ covers a substantial number of services with a very broad range of different purposes, functionalities and technical set-ups. As commonly understood by providers and users and in line with broadly used standards, data processing services fall into one or more of the following three data processing service delivery models, namely Infrastructure as a Service (IaaS), Platform as a service (PaaS) and Software as a Service (SaaS). Those service delivery models represent a specific, pre-packaged combination of ICT resources offered by a provider of data processing service. Those three fundamental data processing delivery models are further complemented by emerging variations, each comprised of a distinct combination of ICT resources, such as Storage as a Service and Database as a Service. Data processing services can be categorised in a more granular way and divided into a non-exhaustive list of sets of data processing services that share the same primary objective and main functionalities as well as the same type of data processing models, that are not related to the service’s operational characteristics (same service type). Services falling under the same service type may share the same data processing service model, however, two databases might appear to share the same primary objective, but after considering their data processing model, distribution model and the use cases that they are targeted at, such databases could fall into a more granular subcategory of similar services. Services of the same service type may have different and competing characteristics such as performance, security, resilience, and quality of service.

Digital assets refer to elements in digital form for which the customer has the right of use, including applications and metadata related to the configuration of settings, security, and access and control rights management, and other elements such as manifestations of virtualisation technologies, including virtual machines and containers. Digital assets can be transferred where the customer has the right of use independent of the contractual relationship with the data processing service it intends to switch from. Those other elements are essential for the effective use of the customer’s data and applications in the environment of the destination provider of data processing services.

Switching is a customer-driven operation consisting of several steps, including data extraction, which refers to the downloading of data from the ecosystem of the source provider of data processing services; transformation, where the data is structured in a way that does not match the schema of the target location; and the uploading of the data in a new destination location. In a specific situation outlined in this Regulation, unbundling of a particular service from the contract and moving it to a different provider should also be considered to be switching. The switching process is sometimes managed on behalf of the customer by a third-party entity. Accordingly, all rights and obligations of the customer established by this Regulation, including the obligation to cooperate in good faith, should be understood to apply to such a third-party entity in those circumstances. Providers of data processing services and customers have different levels of responsibilities, depending on the steps of the process referred to. For instance, the source provider of data processing services is responsible for extracting the data to a machine-readable format, but it is the customer and the destination provider of data processing services who are to upload the data to the new environment, unless a specific professional transition service has been obtained. A customer who intends to exercise rights related to switching, which are provided for in this Regulation, should inform the source provider of data processing services of the decision to either switch to a different provider of data processing services, switch to an on-premises ICT infrastructure or to delete that customer’s assets and erase its exportable data.

Functional equivalence means re-establishing, on the basis of the customer’s exportable data and digital assets, a minimum level of functionality in the environment of a new data processing service of the same service type after switching, where the destination data processing service delivers a materially comparable outcome in response to the same input for shared features supplied to the customer under the contract. Providers of data processing services can only be expected to facilitate functional equivalence for the features that both the source and destination data processing services offer independently. This Regulation does not constitute an obligation to facilitate functional equivalence for providers of data processing services other than those offering services of the IaaS delivery model.