Doing Business In EU: New Data Law In The Pipeline



PSA is a boutique law firm known for its business and resolution centric approach. The lawyers are trained and equipped to think out-of-the-box so they are able to provide holistic advise mapped with business objectives of its clients, global and domestic.
Data is acknowledged as a core component of the digital economy.
European Union Media, Telecoms, IT, Entertainment
To print this article, all you need is to be registered or login on

1. Introduction

Data is acknowledged as a core component of the digital economy. The volume of data generated by humans and machines has increased exponentially in recent years, while its potential is only eked out by few who, in turn, are able to gain enormous competitive advantages. One significant reason for such effect relating to Internet-of-Things ("IoT") products is the exclusive control over user-generated data by manufacturers and providers of products and related services. IoT products are devices often referred to as smart or connected, like smart fridges, smart watches, or health devices for monitoring body functions1. European Union ("EU") legislators believe that the crucial prerequisite for a fair data economy is sharing access to data and, to this end, the European Commission proposed ­a regulation on harmonised rules on fair access to and use of data ("Draft Act"). The Draft Act aims to foster the economic benefits of data as a non-rival good and assign access and usage rights as the generated data are a crucial input for the aftermarket and complementary markets.2

This newsletter focuses on the rights and obligations which stem from the Draft Act and the competitive infrastructure it aims to establish, which will impact international businesses.

2. The Broad Scope

So far, policy on data was primarily concerned with the protection of rights of natural persons when processing their personal data, regulated in the EU by the General Data Protection Regulation ("GDPR"). The 2020 European strategy on data is directed at unlocking the economic and societal potential of data and data-driven technology.3 This means, in times to come, international companies will have to comply when acting in the EU market. On the other hand, the significance of IoT products and data generated by them will further increase. IoT big data statistics show, that with increased adoption, devices will globally generate exponentially more data in the years to come4.

The Draft Act is a crucial component of data strategy which will regulate data generated by use of IoT products and related services. A product under the Draft Act is (a) any tangible item that obtains, generates, or collects data concerning its use or environment, (b) while being able to communicate such data electronically, and (c) whose primary function is not storing or processing data. Related service is any digital service, including software, incorporated in or interconnected with a product in a way that its absence would prevent the product from performing its functions. For example, energy-consuming devices which integrate internet connectivity, like lamps or heating systems. Users can remotely control such devices via a cloud-based interface and generate data by communicating with utilities to balance power generation and energy consumption. Smart building technology offers tools for monitoring, analysing, and optimising the way a building runs, by tools using IoT sensors that generate comprehensive data on equipment functionality and environmental conditions. Such a technology can be an example of a related service.

3. Rights and Obligations of the Parties

3.1 User can access and share: Article 3(1) of the Draft Act states that products and related services must be designed in a way that the data generated are easily, securely, and directly accessible to the user. If direct access is not possible, the data holder must make a service available which the user can request for. So, the Draft Act merely facilitates access to information. The limitations of this right can be inferred by Article 4(4) which restricts the user to take requested data for developing a product that competes with the original generating product.5 The requirements of Article 3(1) for design of a product or service are formulated vaguely, indicating this norm only establishes a general principle.6 General principles are abstract and used by courts for interpreting the law, but are not necessarily enforceable. In disputes, courts will have to determine concrete requirements of design relating to a particular product, and if they are met or not in the case at hand. Nevertheless, the user's position intended by the Draft Act is valuable. The data holder must make data accessible for the user, fast and free of charge; and the user can share access with third parties. Finally, the data holder requires consent of user if it wants to use generated data for its own purpose. Thus, granting a user access to data generated by his IoT device fosters user choice.

3.2 Data holders and third parties: Under the Draft Act, the user's consent in sharing access to data with third parties and utilization by the data holder will occur contractually. Third parties will be permitted for limited purpose, who cannot impair the autonomy and decision-making of the user and are bound by the duty of "good faith". Significant parts of the Draft Act deal with the relationship between data holders and third parties that demand data for commercial use, designated as data recipients. Here, parties can agree on reasonable compensation for making data available to recipients including technical measures to avoid unauthorized use and disclosure. The Draft Act provides for protective measures to counter unfair terms regarding access and use between enterprises as well as access to public sector bodies in case of exceptional need.

3.3 Transparency about the generated data: Prior to contracting for an IoT product certain information must be provided to prospective users. There must be transparency regarding the nature and volume of generated data, access, and identity of data holders. Currently, there is no obligation to ensure the information is acknowledged or understood by the user, so the provision is under debate. An alternative wording can be expected to ensure the user may not read or misunderstand the information. There is a chance that the final Act will implement a requirement similar to the one in Article 12(1) GDPR, which obligates the controller to take appropriate measures to provide relevant information to data subject in a concise and easily accessible form.

3.4 Privilege for micro and small enterprises: The obligations of the Draft Act do not directly oblige micro and small enterprises i.e., those who employ less than 50 persons and annual turnover below EUR 10 million since their design obligations, under the current state of technology, are burdensome. Nevertheless, such small entities should consider their business strategies to avoid competitive disadvantages. Offering products and services combined with transparency about data and chances to use, monetize or exclude others from access represents an extra value, besides the product and service itself.

4. A competitive infrastructure for data sharing

The Draft Act also contains provisions establishing a competitive infrastructure for data sharing. These are rules on switching between providers of data processing services and interoperability.

Chapter VI lays down contractual, commercial, and technical provisions to enable customers to switch their data and other digital assets between providers of data processing services., Such services, for instance, are those on cloud which allow online access to computing resources like applications, servers, or data storage hosted at remote data centers. The providers often offer a multitude of services and thereby create integrated ecosystems. As customers may use several features, the costs for switching single services are immense, as they are no longer connected with the environment. Network effects also get negatively affected as switching providers means losing contacts. So, without rules on switching between providers, the market entry barriers are indescribably high, and, consequently, incentives for innovation low. Chapter VIII states the interoperability requirements within data spaces and introduces common standards for smart contracts. These specifications enable a seamless multi-vendor cloud environment, which is seen as a key requirement for innovation in the data economy.

The provisions in the Data Act on switching between data processing services and interoperability have the potential to open up markets for the entry of new providers, which are not established yet. Users' ability to switch between cloud and edge services and port their own data in the new environment while having a functional equivalent confers them increased decision power. They will no longer be stuck in the services they initially chose, while established providers will be at risk to lose their monopolistic positions. The potential for innovation in this sector is enormous, so international businesses should consider their options.

5. Conclusion

The Draft Act aims to give users of IoT products access to the data they generate and strengthen consumer choice. Lock-in effects are countered while innovation in secondary markets can rise. Manufacturers and providers face new obligations in terms of design, while micro and small enterprises are partly privileged. For some, the concept of the proposed Draft Act represents fairness i.e., to say existing monopolies of data from IoT products are likely to be opened. Legal certainty about the use of generated data will be established, while innovation on aftermarket and complementary markets unfolds. Furthermore, users and third parties will be legally restricted to act competitively with the requested data. It remains to be seen if the right of the data holder to request compensation from data recipient is an instrument to incentivize continued investment for generating valuable data, like legislators intend.

International businesses processing data generated by EU users should follow the legislative process, with an eye on obligations on design and transparency. Even as data holders must make data available under non-discriminatory terms and freedom is limited for manufacturers plus providers, they can benefit from the right to compensate third parties for access to data. And while their price-setting powers are restricted, the compensation may hopefully be an incentive for future investments in relevant technical tools and generation of valuable data.

This Newsletter is written by Kristin Birkenzeller, a law post graduate from University of
Cologne, Germany (under the guidance of Priti Suri, Founder & Managing Partner) who is pursuing her internship at PSA


1. Ducuing, Charlotte: An analysis of IoT data regulation under the Data Act through property law lenses, CiTiP Working Paper 2022, 20. September 2022,, last accessed on Feb 23, 2023

2. European Commission: Proposal for a Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act)", COM(2022) 68 final, Explanatory Memorandum, Explanatory Memorandum p. 2, recital 6,, last accessed on Feb 23, 2023

3. Metzger, Axel/ Schweitzer Heike: Shaping Markets: A Critical Evaluation of the Draft Data Act, ZEuP 2023/1, p.2,, last accessed on Feb 23, 2023

4. See, last accessed on Feb 23, 2023

5. Metzger, Axel/ Schweitzer Heike: Shaping Markets: A Critical Evaluation of the Draft Data Act, ZEuP 2023/1, p.6

6. Hennemann, Moritz et al.: The Data Act Proposal. Literature Review and Critical Analysis, University of Passau IRDG Research Paper Series No. 23-01, p.30-31,, last accessed on Feb 23, 2023

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More