Part 1 – Why a data usage clause will soon be a must in every Internet of Things contract
With the new Data Act (Regulation (EU) 2023/2854), the EU has fundamentally reorganised data traffic in the European single market in key areas. This change also affects traditional industries that, at least in their core business, have had little contact with personal data so far (e.g. building and plant engineering, manufacturing, automotive suppliers). This is because the Data Act also covers ‘machine data’ generated through the operation of smart products. However, even companies that are already experienced in dealing with the GDPR and other regulations (in particular suppliers and manufacturers of smart products and connected software) must take action at an operational and legal level.
Individual regulations of the Data Act have already attracted considerable attention, in particular the right of access of users to product data (Art. 4(1) Data Act), the obligation to disclose product data to third parties (Art. 5(1) Data Act) and the facilitated switching between cloud providers (Art. 23 et seq. Data Act) – more on this shortly.
However, one of the most important changes in the Data Act goes even further: On what basis can manufacturers and software providers actually use machine data from the use of their products? The Data Act significantly changes the situation here: In the future, it will no longer be sufficient to have actual access to such data. Rather, contractual permission from the respective user of the product will be required. For this reason, a contractual provision on data use – also with regard to non-personal data – will soon be a mandatory part of any contract for smart products and related software.
In detail: What data does the new Data Act apply to?
The Data Act applies to both personal and non-personal data. However, the Data Act brings the most significant changes for non-personal data; personal data will continue to be comprehensively protected by the General Data Protection Regulation (GDPR).

The central objective of the Data Act is to regulate access to and use of product data and service data. This refers to data that is generated by the use of a connected product or the related service and can be accessed via an interface.
- A connected product is any item that obtains, generates or collects data about its use or its environment and can transmit product data via an electronic communication service, a physical connection or device-internal access (e.g. connected cars, health monitoring devices, smart home devices, aircraft, robots, industrial machines).
- A related service is a digital service, including software, that is connected to the product in such a way that the connected product could not perform one or more of its functions without it (including subsequent additions to the product).
The obligations of the Data Act often only apply to ‘readily available’ data, i.e. data that can be obtained from the product or service without disproportionate effort; this includes the associated metadata required for interpretation and use. However, information inferred or derived from raw data that is the result of additional investment is often excluded. It is worth taking a close look at this distinction. Where exactly the line is drawn is a question of individual cases and should also be documented when reviewing data use within the company. It should not be forgotten that even investment-intensive enriched data started out as raw data; at least to this extent, the step from raw data to the company's ‘special sauce’ should be sufficiently secured by contract.
In detail: Am I affected by the regulations of the new Data Act?
The key players in the Data Act are the users and data owners. The following rule of thumb can be used to deal with these terms in the Data Act in practice:
- A user is any natural or legal person who, on a contractual basis, permanently or temporarily owns a networked product or uses a related service.
- A data controller is any natural or legal person who controls access to the product/service data. This includes, among others, manufacturers of connected products, components installed in them and providers of connected services.
Important here: The group of ‘users’ can be very broad and includes not only B2C cases (e.g. the purchaser of a smart refrigerator), but also B2B transactions (e.g. the sale of a smart spare part for an industrial manufacturing machine).

Significant change: (Own) use of usage data only on the basis of a contractual agreement with the user
The Data Act fundamentally reorganises the existing balance of power between data owners and users: Whereas previously, the actual access of the data owner to such data was sufficient for the use of ‘machine data’ from the use of products (e.g. for improvement of the next product series), the Data Act completely overturns this model. As of September 2025, the user will have legal control over whether and how this data can be used. The manufacturer as the ‘data holder’ is therefore not automatically the ‘owner’ of the usage data. The English version of the Data Act (‘data holder’) makes it clearer that the manufacturer's actual access initially only refers to the ‘management’ of this data.
The reason for this allocation in favour of the user of a product is the consideration that without the user, the product or service data would not exist at all (Recital 18, sentence 3):
‘The user bears the risks and enjoys the benefits of using the connected product and should also enjoy access to the data it generates. The user should therefore be entitled to derive benefit from data generated by that connected product and any related service.’
This means that all data controllers who do not merely manage usage data on a fiduciary basis but also wish to use and exploit it themselves have a very specific need to take action. This is because Article 4(13) of the Data Act expressly provides that it shall be directly applicable from 12 September 2025:
‘A data holder shall only use any readily available data that is non-personal data on the basis of a contract with the user.’
A comprehensive and detailed data usage agreement that is made available to the user in a transparent manner prior to conclusion of the contract is therefore now part of the contractual checklist for the sale and purchase of networked products and related services.
Integration of the data usage agreement along the entire distribution chain
Suppliers of smart products and connected services who do not have direct contact with end customers but nevertheless receive usage data via the components they supply should ensure that the necessary data usage agreement is passed on along the distribution chain via their contractual partners. Here, too, existing agreements will need to be adapted in many cases.
A pragmatic alternative may be to ‘bypass’ the intermediaries and conclude the data use agreement directly with the user. This could be done, for example, via a ‘product registration’ process, as is common when purchasing electronic devices. There are already calls in the market to become part of a ‘feedback community’ or similar in order to create a direct link with users. For most companies, supplementing their existing contracts is likely to be the better option, especially in order to be independent of the questionable conversion rates of such calls.
Current To-Dos for Companies to Enable Their Own Data Use
Companies that want to continue using data from the use of their products and services within their own operations (e.g., for product improvement) can therefore take the following practical steps:
- Commercial review of existing products and services: Companies should first analyse what data is generated through the use of their connected products or services. The second step is to clarify where this data is used within the company and where it should be used in the future. The Data Act also offers a commercial opportunity to make established data silos usable and, if necessary, to enter new business areas, particularly with regard to ‘aftermarket services’ (e.g. repairs, updates) or connection to other applications (e.g. smart plant or building control, predictive maintenance).
- Draft data usage agreements and supplement existing contracts: Because under the Data Act, the use of usage data will only be possible in future on the basis of an agreement with the user (Article 4(13) Data Act), companies should expressly add permission to use this data to their contracts and terms and conditions. The intended use of the data (what for? disclosure to third parties? exclusive?) should be regulated as precisely as possible; a blanket ‘catch-all’ clause in favour of data owners is likely to run counter to the express legislative intention to assign control of usage data to the user and may also give rise to considerable problems further down the supply chain. On the other hand, drafting such granting clauses based on the model of classic IP licence clauses seems more appropriate. Here, too, there is a need for adaptation to the technical specifics of each individual case.
We would be happy to help you find a clause that is suitable for your company to secure your data use and to navigate the other comprehensive changes of the Data Act.