The Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (hereinafter – Data Act) is a new Regulation being actively discussed in the European Parliament. The Data Act proposes to regulate the use of data generated by networked devices when transmitting data about their work within the Internet of Things (IoT) concept.
This Regulation is being adopted as part of an effort to create a single market for data. The basic idea is that data can not only be collected and stored (the scope of GDPR) but also sold and used in various economic relationships. That is, data should move freely and be used for the benefit of business and society. Data must not lie dormant and be stored on a server by the holder of the data (the one who has made and maintained the networked device). Through the provisions proposed in the Regulation, a legal framework for the movement and use of data throughout the marketplace is established.
In recent years, there has been a boom in the generation and use of big data, where vast amounts of data are generated using millions of networked devices (for example, a robot vacuum cleaner or a smart fridge). With proper processing (data mining), this data can open up new opportunities for businesses and ordinary users. However, the need to regulate the transmission and use of such data has arisen.
Please note that since the Regulation is still under negotiation, the purpose of this article is to give a general understanding of the subject of regulation, as well as the objectives and the actors involved. Many details and specific provisions may change by the time the Regulation is finalized.
It is important to note that this Regulation will have a very precise subject framework. For simplicity, let us present a scheme of the actors and how the exchange of data between them takes place.
In the Internet of Things concept, there are a huge number of devices that communicate with each other. Let’s call them networked devices. Imagine this is your fridge or your vacuum cleaner. You own what is called a network device, and in relation to the data it collects, you are the user of that data. Your device transmits the data which is collected on the server of the manufacturer of the device. The manufacturer is referred to in this scheme as the holder of the data.
This data is “stored” on the manufacturer's servers and most often is not used outside of the manufacturer's business in any way. The task of the Regulation is precisely to create a legal framework and opportunities for this data to be transferred to you as a network device owner and user (B2C scheme), another business (B2B scheme), or even the government (B2G scheme).
Although the Data Act regulates among other things the use of personal data generated during the use of network devices, the general framework and rules for the treatment of personal data are established in the General Data Protection Regulation (in short – GDPR) – the Regulation that governs the treatment of personal data.
The data collected from the network devices is the data on the activity of these devices collected through sensors, detectors, and any other mechanisms. Accordingly, the subject of regulation of the two Regulations is different.
The use of network devices may also generate personal data. Any processing of personal data must comply with the rules set out in the Regulations.
Imagine that you bought a smart fridge. Inside the fridge, there are sensors and detectors that collect information about how the fridge is functioning. This data is transmitted to the manufacturer, who uses it to improve the product or to diagnose a fault if your refrigerator breaks down. In that case, the data from the sensors makes it possible to understand the cause of the failure and fix it.
Suppose the service that is repairing your refrigerator is too expensive and you want to change it. In this case, you need to transfer the data collected from the sensors to another service, so that they can assess the cause of the breakdown. This is where the Data Act rules come into play.
First, network devices (in our case, a fridge) must be manufactured so that data can be collected from them and transmitted in a convenient format.
Secondly, this data must be transmitted to you for free. The result is a scheme under which you can request and receive data about your devices for free for subsequent use, including sale.
The most interesting innovations are for businesses. Businesses use a huge amount of machinery and equipment that collect information through sensors and detectors. In this situation, the holder of the data can already sell the collected data for further commercial use.
There are two categories of businesses to which the data owner can sell data: small and medium-sized businesses (hereinafter – SMB) and big businesses.
SMBs have a turnover of no more than 50 million euros per year. In order to maintain competition, data can only be sold to SMBs at the “cost price” of the data. That is, the price can only include the cost of collecting and storing this data, without a margin.
Conversely, it is possible to charge large companies a margin. This is done so that there is an incentive for data owners to collect and store this data.
Also, there are restrictions related to competition between businesses. Naturally, if data is purchased by a company that is a competitor of the data owner, it can use that data to gain a competitive advantage. An example would be two companies producing the same type of product (smart fridge). A business cannot use purchased data to create a competing product. This is expressly prohibited in the Regulations. A business can use it to create auxiliary information products.
Moreover, during the discussion, the business community had some concerns about the transfer and use of trade secrets. We will explore this issue in more detail in the following sections.
The last of the three directions of data transfer is the forced transfer of data to the government in exceptional cases.
What cases may be exceptional:
In the event of exceptional circumstances, data owners will be required to turn over such data to the government to deal with the consequences of extraordinary incidents.
The Regulation sets out the conditions for obtaining such data: 1) the requesting person cannot obtain this data by any other means within the necessary period; 2) the data requested must not be excessive, i.e. it must be reasonably necessary to solve the problem.
As we mentioned above, some concerns have been raised about the transfer of trade secrets. In the latest revision adopted by the European Parliament, additional attention has been given to the protection of trade secrets.
First, the holder must notify the user of the data about the trade secrets in the data being transmitted. Secondly, adequate measures must be taken to protect such data: standard contractual provisions, technical measures to preserve trade secrets, access protocols, and regulations for the handling of trade secrets must be adopted.
In case of a breach of any of the contractual terms of use of the secret, the holder may stop the transfer of such data, as well as prohibit the use of data already received.
A special and very interesting innovation for ordinary users is the obligation of cloud providers to ensure the interoperability and accessibility of cloud platforms. That is, uniform standards should be introduced for easy movement of data between clouds.
Imagine a situation where you want to move all your data from one cloud to another. For example, you’re not comfortable using Microsoft Azure or you don’t like the cost of their services and you want to move to Amazon Web Services. At this stage, it is quite difficult to do so because different standards for data storage and processing are applied. The Regulation establishes the requirement that you as a user can change cloud service providers or use them in parallel without obstacles or additional costs.
This Regulation is a continuation of the EU’s efforts to create a single market for data. Data should not only be collected and stored in an appropriate way but also shared and used by businesses to improve the quality of their products and services. Users must choose where to store their data and what to use it for. Data must become as much a commodity as the networked devices themselves. There should be no technical obstacles to the movement of this data.
At the same time, the Data Act establishes protective measures to ensure that the data used cannot be used to gain a competitive advantage. The main innovation for businesses is the possibility to purchase data on the open market to improve their own services, and for the average user – the ability to receive all data from their devices for free and use them at their discretion. The Data Act is currently under consideration by the European Parliament. Adoption and entry into force are expected in 2023 or 2024, depending on the speed of all necessary approvals and the final vote.