Nowadays, most devices are smart and connected to internet. Such devices collect large volumes of valuable data. The possibility of sharing such data with other parties brings innovative benefits, but at present such data are typically only available to the manufacturer or seller of the device, or to the provider of a service related to the device. This is about to change by the arrival of the Data Regulation. The purpose of this Regulation, also known as the ‘Data Act’, is to improve access to data generated by smart devices. On the other hand, the Data Act will also protect users by giving them control over the data generated by the use of smart devices.
The Data Act in short
One of the main aspects of the Data Act is the right of users of smart (internet of things, ‘IoT’) devices to access such data, and to share them with third parties at the request of the user. Already when a product is being designed, the manufacturer should take into account that the data – including the metadata – that will be collected by the device must be made available to the user and/or third parties. The user is also entitled to the information on the data that the device collects and the way in which the user may access or delete such data.
The data generated by smart devices is of interest to third parties, who can use these data to offer new services or improve existing services. When data are shared with third parties, personal data must be protected and the confidentiality of potential trade secrets must be preserved. The recipient of data may process such data only for the purposes and on the conditions agreed with the user. Parties that exchange data can agree on compensation for sharing the data. Such a compensation has to be non-discriminatory and reasonable, but it may include a margin. Where the data recipient is a small or medium-sized enterprise, compensation cannot exceed the costs incurred in making the data available.
Furthermore, the Data Act contains a list of contractual terms that are considered unreasonable in the contractual relationship between the provider of the data (the manufacturer, seller or service provider that holds the data, also referred to as “data holder” in the Data Act) and the recipient. Here too, the aim is to protect small and medium-sized enterprises by preventing unfair terms from being imposed unilaterally.
Finally, the Data Act sets out ways for public sector bodies to access the data in situations of exceptional need, and creates rules that facilitate the switching of providers for customers of cloud services.
Contractual changes as well as many new contracts
The Data Act may be a good reason to examine or adjust contractual terms and conditions. Both the manufacturer or seller and the data recipient may want to do this, especially for contracts that were concluded with users of a smart device. A data recipient who offers a product or service that uses data from smart devices (e.g. software for data analysis) may instruct the user by contract to provide the data it needs to offer its service. This way, the potential recipient prevents having to request such instruction from each individual user later on, or becoming dependent on the user for receiving the data.
Parties who had already concluded contracts earlier about permission to use data from smart devices may seize the opportunity of the Data Act to (re-)negotiate a fee for those data. The costs of making the data available, investments in the data collection and production, and the volume, format or nature of the data should all be taken into account when negotiating such a fee. The data holder has to be transparent about the ground for the calculation of the fee, in order to allow the data recipient to assess whether the fee is non-discriminatory and reasonable.
Most of all, the Data Act gives parties a reason for concluding new contracts for the exchange of data. It sets out the basic principles for doing so. First of all, the data holder and the data recipient have to contract on fair, reasonable and non-discriminatory terms. Terms that have been imposed unilaterally or are unfair are not binding. Unfair terms are terms of such a nature that their use grossly deviates from good commercial practice in data access and use, or are contrary to good faith and fair dealing. To create more clarity, the Data Act also gives examples of unfair terms. Contractual terms are unfair if liability for intentional acts or gross negligence has been limited, or if they give the party that imposes them the exclusive right to interpret the contract. Under Dutch law, such terms will usually not prevail. There are also terms that are presumed to be unfair, so that a party that relies on them will have to substantiate this. The Data Act creates a number of contractual starting points that contracting parties will have to take into account. Otherwise, freedom of contract still allows parties to decide for themselves on the contractual terms for providing the data.
Although the Data Act entered into effect already in January 2024, most of its provisions will only take effect in September 2025, and some of them even later.