Introduction

The Data Act represents a monumental shift in the European Union’s approach to the digital economy. Designed to foster competition and innovation, the Act introduces robust measures for enhanced data sharing across the digital supply chain, addressing both personal and non-personal data from IoT devices. Our Technology and Innovation Group has created a three-part video series led by Ciara Anderson, senior associate, which has been collated for this podcast episode and focuses on data access and sharing, obligations for data holders, and cloud switching provisions.

Ciara Anderson

Hello, and welcome to the first in our bite-size series on the Data Act. We are going to be getting into what it means for organisations and what benefits it might offer. In our first video in the series, we’re going to get into some of the concepts and the purposes for the Data Act. In our second video, we’ll get into a bit more detail on the data access and sharing obligations and then our final video, we’ll talk about the switching provisions so I am joined today by my colleague, Vivian Spies, in our Technology and Innovation Group. So Vivian, it would be helpful just to start with getting an overview of the Act.

Vivian Spies

Thanks, Ciara and yes, of course. We probably don’t appreciate the vast quantities of data that are generated by users’ use of connected products and when I refer to connected products, I mean Internet of Things or IoT products. This is from consumer products all the way to industrial equipment so at its heart, the Data Act is about increasing competition by using the value of data across the digital supply chain. For example, it will facilitate competition in aftermarket services, it will incentivise and standardise the widespread sharing of both personal and non-personal data from IoT products, and it will also reduce friction when consumers want to change cloud services.

Ciara Anderson

Okay, that’s helpful. In this series, I think we’re just going to focus on the data access and sharing obligations and the switching obligations, but there’s a whole lot more in the Data Act. Are there any other areas that you’d like to highlight?

Vivian Spies

Yeah, There’s a lot in the Data Act, and certainly more than we can cover in this series. For example, while we, in this series, focus on provisions on B2B and B2C data sharing, there are provisions in the Data Act which mandate business to government data sharing in certain instances of extreme need, like pandemic or a natural disaster. There are also provisions relating to interoperability of cloud computing services.

Ciara Anderson

I know we’ll be getting into more detail in the second video, but it would be helpful just to have a summary of those data access and sharing obligations that you mentioned.

Vivian Spies

Yes so in short, users, which can be both consumers and businesses, have the right to request certain data from connected products and they also the right to request that this data be shared with third parties in certain instances. Maybe an example would be helpful. Let’s say I buy a smartwatch. I can ask the maker of that smartwatch to provide performance data of the watch to a local electronics maintenance company so that they can fix certain performance issues I’ve been having with the watch. Now, the data we’re talking about here is raw but usable data which is picked up by sensors in the product so this would be metadata, including, for example, timestamps. Equally, I could request the data relating to my interactions with apps on the watch from the relevant app provider.

Ciara Anderson

Okay, that makes sense. That’s quite a powerful right? But as far as I understand, those rights don’t just apply to consumers and consumer products. They apply to businesses as well.

Vivian Spies

Yeah, so they apply in the B2B context, too. Perhaps another example would also be helpful here. Let’s say there is a factory operator that might lease machinery that is used to build widgets. Now, the manufacturer of the machinery would need to make certain information about the product, its performance, and its environment, and how to use it available to the factory operator on request. Alternatively, though, the manufacturer may choose to make this data directly accessible to consumers via designing open interfaces where consumers can directly access that data of the product. Now, I won’t get into all of the data sharing obligations in the Act, but suffice it to say that there are also certain rules around the request sharing and the use of this data.

Ciara Anderson

Okay. There’s loads there for our second video to talk about in more detail but we might do a quick summary of the switching obligations so everyone’s familiar before we do our third video.

Vivian Spies

Sure. The switching provisions relates to any data processing service, which is essentially any cloud computing service. This would include infrastructure as a service, platform as a service, and software as a service. In short, if a customer wants to change from an old cloud service provider to a new cloud service provider, the old cloud service provider can’t frustrate them from doing so. For example, by restricting termination, implementing long notice periods for termination or restricting unbundling. Also, as part of this move to frictionless switching, switching charges will eventually be eliminated. The original provider will have to port any data and digital assets to the new service provider or to the consumer themselves if they’re moving the service in-house and the Act also requires that cloud computing service providers make available, free of charge, open interfaces that facilitate switching.

Ciara Anderson

Okay, so again, there’s a lot in that, too. I mean, that’s going to have a huge effect on cloud providers because it essentially has creating an automatic termination, I suppose, if you want to move as a customer but we might switch gears from the substantive obligations and just talk a little bit about the mechanics. How is the Data Act going to be governed or enforced?

Vivian Spies

Of course. The Data Act provides that each member state will designate a competent authority. However, given the sheer breadth of the Data Act, it’s very possible that member states may designate more than one competent authority, in which case they’ll also have to appoint a data coordinator, which will act as a single point of contact. The Data Act also establishes the European Data Innovation Board, which will function somewhat like the EDPB does with the GDPR to ensure harmonised enforcement. Then, of course, the DPC will remain the regulator for processing of personal data in Ireland.

Ciara Anderson

Okay, that’s helpful. Now, in terms of disputes, of which I’m sure there will be many, how will those function under the Act?

Vivian Spies

Each member state will need to appoint a dispute resolution body that users can choose to use. When it comes to issues like compensation for B2B data sharing and trade secrets, I’m sure there’s going to be absolutely no shortage of disagreement and of course, then users, which, like we’ve said, can be businesses or consumers, can choose to seek effective remedy in the courts.

Ciara Anderson

Access the courts. Okay and then I suppose our final topic is just in relation to timing. There’s obviously a lot in the Data Act, so the question is, how long do we have to achieve compliance?

Vivian Spies

The Data Act came into force 11th of January, 2024. From today, It will become effective in less than a year in September 2025 when the data access and sharing obligations kick in. However, some obligations will only apply later, so direct access and design requirements won’t apply until September 2026, and then switching charges won’t be fully eliminated until January 2027.

Ciara Anderson

Okay, that’s really helpful. Thank you, Vivian. It’s really great to get that overview before we get into the detail, particularly because there is so much in the Data Act. I just want to thank you for joining us, and please look out for the next video in our series, and we’re going to get into a bit more detail on the data access and sharing obligations.

Ciara Anderson

Hello, my name is I’m Ciara Anderson. I’m a senior associate on the Technology and Innovation Group here at Arthur Cox. This is our second video in our bite-size series on the EU Data Act, and we are going to talk about the data access and sharing obligations. I am kindly joined by my colleague, Fionn Henderson, who is an associate on our Tech and Innovation Group as well. Fionn, do you mind just jumping in and giving us a quick summary of what the data access and sharing obligations are?

Fionn Henderson

Sure, and thanks, Ciara. So in a nutshell, individual consumers and businesses will have a new right under the Data Act to access, request, and share data from their use of connected products and related services.

Ciara Anderson

Thanks, Fionn. So I guess the first question is what’s in-scope? So what is a connected product under the Act?

Fionn Henderson

Sure. So the Act refers to these devices as connected products, but we might more commonly refer to them as Internet of Things or IoT devices. These are essentially any product that are collecting or generating data from their use, which can then be shared either wirelessly or via a physical connection and being honest with you, it’s almost more difficult nowadays to think of a product that wouldn’t be considered a connected product for the purposes of the Data Act. So examples can range from mobile phones and laptops through to connected cars, smart home products, and even machinery and certain infrastructure, such as turbines.

Ciara Anderson

Okay, so it’s quite broad and probably encompasses a lot more than we think but you mentioned that they cover services as well?

Fionn Henderson

That’s correct. So they cover what’s referred to as related services, which is essentially any service that is linked to a connected product that interacts with it and affects its behaviour. I’d say that almost all services related to connected products will be considered in-scope, except for limited exceptions like analytics services because these don’t actually affect the product’s behaviour.

Ciara Anderson

Okay, so I guess the question is for product manufacturers and providers of related services, and I think they’re called data holders under the Act, what is it that they have to do comply with these obligations?

Fionn Henderson

Sure. So there are two ways that data holders can make available the data to users. It can either be direct or indirect, but in both cases, it has to be easy and free of charge. So first on direct access, this would essentially be where the connected product itself allows access to the data, perhaps through an interface that allows the user to access or download or stream the data in question and then indirect access would cover a scenario where the user requests access from the data holder, perhaps through a web portal, for example and as between the two, it’ll really be down to the data holder to decide which method to implement and relevant considerations might be the volume of users and requests or the type of data in question.

Ciara Anderson

Okay, that makes sense and I suppose the follow on question from a scoping perspective is what data are we talking about has to be shared?

Fionn Henderson

Sure. Here we’re talking about product data as well as data from related services. So product data is essentially any data relating to the performance, use or environment of the connected product and so examples here would be whether the product is off or in standby mode, as well as certain other information readings, perhaps temperature and acceleration and it’s also important to note at this point that product data includes metadata so that’s the information underpinning that type of data, such as timestamps. And then data from related services is any data that represents user actions, inactions or behaviour. And we can come to trade secret data in a second, but it is in scope.

Ciara Anderson

Okay. Is there anything then that is excluded?

Fionn Henderson

Yeah, sure. So derived data will be excluded from these obligations and this is essentially where the data holder has applied know-how or an algorithm, perhaps to infer something about the user. An example here in the case of a connected car might be where onboard sensors indicate that the user hasn’t interacted with the steering wheel for a period, and internal cameras also don’t register eye contact for the same period. In that case, the inferred data here would be that the driver isn’t paying attention, and this would then be excluded.

Ciara Anderson

Okay, that’s interesting. So we might just switch to talk about briefly the B2B sharing obligations under the Act because I think they’re quite interesting.

Fionn Henderson

So we’re requested by the user, the data holder must provide any raw but usable data, again, including metadata, to a third party and again, the idea here is to reduce supplier lock-in and promote aftermarket services, which is ultimately part of the underlying concept of the Data Act.

Ciara Anderson

Yeah, they’re quite far reaching obligations, I think, ultimately for businesses to be sharing data that they probably previously considered their own data with another business. So are there any restrictions or limitations they can put on the use of that data under the Act.

Fionn Henderson

Yes, that’s right, Ciara. So there are certain restrictions under the Act on how users and third party can use this type of data. So in the first instance, a third party can only use the data pursuant to the user’s instructions and so it can’t go off and use the data more broadly for its own purposes and then secondly, users and third parties can’t use the data that is being shared in order to develop a competing product. However, it’s important to flag here that this restriction is limited to the development of competing products, and so it will be possible for users and third parties to develop competing related services.

Ciara Anderson

That’s interesting. So are there any additional restrictions? I think you mentioned trade secret data. Are there any restrictions on sharing that type of data?

Fionn Henderson

Sure so like I’ve mentioned, trade secret data is in scope, and the idea here is that trade secret status will still apply to that type of data, irrespective of the obligations under the Data Act. In this case, the data holder can set certain restrictions such as contractual confidentiality obligations, as well as technical access controls on this type of data and then if the user or the third party breaches these obligations, the data holder can suspend access to this data. However, to do so, they will need to inform the competent authority in what the European Commission are referring to as the “Trade Secret Handbrake”.

Ciara Anderson

Okay, that’s interesting. I think I’ll just mention that I think there’s a similar security restriction or security handbrake so if the data holder can show that sharing that data would ultimately undermine the security requirements for the product. Where those requirements are set out in law, they can do so, but they have to, similar to the Trade Secret, a restriction, notify the competent authority. The restrictions seem quite narrow, and then the notification obligation is a little bit onerous but to the extent that they do have to share data, obviously that data has value to their business, is there any mechanism for compensation?

Fionn Henderson

Sure. So the data holder can agree compensation where the user has directed access and where this occurs, it must be based on FRAND principles, so fair, reasonable, and non-discriminatory and it can include a markup for investment time on behalf of the data holder and then it’s just important to clarify at this point that the right of access and sharing is always free of charge.

Ciara Anderson

That’s helpful and interesting. I’m sure data holders will be pleased to hear that so we might get back to our original question, which is just the practicality. So what is it that you would recommend in terms steps for data holders, product manufacturers, and related service providers to do to start to comply or prepare to comply with these obligations?

Fionn Henderson

Sure. So at the practical level, in terms of preparation for compliance with the Data Act, the first step will be essentially a scoping exercise. So this will be where data holders take a look at their products and services and determine which fall under the scope of the Data Act and then related to this, we’ll be considering what data falls within the obligations imposed by the Data Act. After this, they’re going to want to remove move to a consideration of whether to implement direct or indirect access and how to do this and in this case, a consideration of engineering and technical lead in times in order to actually implement this will be important. Then moving on, they’ll want to consider their transparency obligations and then also develop certain documentation required by the data act, such as data sharing contracts and technical access controls.

Ciara Anderson

Okay, so decent work stream there and I just might mention on timing so the Data Act, most of the obligations come into force on the 12th of September, 2025, and that will include the obligations to provide indirect access on request from users and to share data but there is a delay for the requirement to design products in a way that allows for direct access. So that’s 12th of September, 2026. I wanted to thank you for your time so I appreciate you explaining what is a complex area, certainly. Thank you for joining us, and please look out for our third video in the series on the cloud switching rules. You can also get more information at arthurcox.com/dataact

Ciara Anderson

Hello, and welcome to our bite-size series on the EU Data Act. So far in our series, we’ve covered an overview and a purpose of the Act. Our second video was on the data access and sharing obligations, and today we’re going to talk about the cloud switching rules. I am joined by my colleague, Shay Buckley, on our Tech and Innovation Group so shay, could you just provide us a brief summary of what those cloud switching rules are?

Shay Buckley

Sure, hi Ciara so as you’ve already discussed in the first two videos of the series, the Data Act is about increasing competition and reducing friction in the digital economy. For cloud computing services in particular, the EU wanted to combat supplier lock-in. To do this, the Data Act introduces a prohibition on any restrictions or obstacles on a customer when they’re seeking to move from one provider to another provider. Their providers are also under a proactive obligation to facilitate that switching process.

Ciara Anderson

Okay, and so who are we talking about here when we’re talking about cloud providers?

Shay Buckley

So the Act actually refers to this cohort of services as data processing services, but essentially, yes, we’re talking about cloud computing services. Cloud computing services are any digital service where data is processed and stored remotely and where customer use is elastic in that space is provisioned based on demand. The definition encompasses the three main categories of cloud computing services that we usually think of. The first being infrastructure as a service, such as cloud storage services or rented servers. The second being platform as a service, which is any digital service where a customer can deploy an application without the need to maintain or provision or manage the infrastructure and software as a service, which is any cloud-based application which is ready for the end user.

Ciara Anderson

How does this concept of data processing service or cloud provider relate to the concept of a related service which has to do with the connected products and therefore the data access and sharing obligations we talked about on the in the second video?

Shay Buckley

Yeah, so there are different definitions, but there’s definitely overlap there. For example, a SaaS provider might be providing a related service with respect to a certain connected product and would therefore need to comply with the data sharing and data access rules but that SaaS provider is also likely to be considered a data processing service and would therefore need to facilitate switching.

Ciara Anderson

And what exactly are the cloud providers prevented or prohibited from doing?

Shay Buckley

The providers need to facilitate switching so essentially, they can’t to inhibit the customer from terminating the contract and moving to a new provider. In addition to that, the providers can’t prevent the customer from unbundling services.

Ciara Anderson

Okay, and do they have to or how do they have to facilitate or actively facilitate switching?

Shay Buckley

To facilitate the switching, the provider will need to port the customer’s exportable data and any digital assets on the customer’s request to either a new cloud service provider or to on-premises infrastructure. The process can take no longer than 30 days unless the provider notifies the customer that it is not possible to complete that switching process within the 30 days, in which case the period can be extended by up to seven months. For platform as a service and software as a service providers, they also have to make available open interfaces. These have to be made available free of charge to customers and to subsequent providers. The interfaces need to have sufficient information in order to allow the development of software which can communicate with the service for the purpose of data portability and interoperability.

Ciara Anderson

So they have to facilitate switching and the SaaS providers and platform as a service providers have to publish these open, especially specifications but is there a requirement to have functional equivalence between the old and new system?

Shay Buckley

So that obligation only applies to the infrastructure cloud providers. For those providers, they need to facilitate functional equivalence. In In other words, where there are shared features between the new service and the old service, the new service needs to be able to produce materially comparable outcomes when the same inputs are put into it.

Ciara Anderson

Okay, so the functional equivalence is only in relation to cloud storage providers. It does seem that this switching process obviously involves the original provider, the customer, and the new provider. So is the new provider as well under a duty to participate?

Shay Buckley

Yeah. So all parties involved in the switching process under the Data Act are under an obligation to cooperate in good faith to facilitate facilitate that switching and also to maintain continuity of service for the customer.

Ciara Anderson

Okay. I’ve certainly heard about the elimination of switching charges. What is the timeline in relation to that?

Shay Buckley

So switching charges will be entirely prohibited from the 12th of January, 2027. From the 11th of January, 2024 to the 12th of January, 2027, switching charges can be imposed, but these switching charges must be limited to those costs that are directly incurred by the provider. Just a small caveat on that, that the prohibition on switching charges does not apply where the customer requests a period of parallel use of services because that requires a constant and continuous sharing of data between the services.

Ciara Anderson

Okay, that makes sense and I think the elimination of switching charges from the customer’s perspective will certainly be a welcome change. Just on transparency, we talked about in the second video in relation to the data access and sharing obligations, there is a requirement on providers of connected products and related services is to disclose information about the type of data that’s processed and how that data can be accessed and shared. So the question is, are there equivalent transparency obligations in relation to the switching obligations?

Shay Buckley

There are transparency obligations. The cloud service providers or the data processing services need to disclose the information on the procedure for that switching process, and they also need to make available a link to a register which will contain information on data formats and data structures, as well as all relevant standards and any open interoperability specifications. Additionally, those providers need to make available information on the location or the jurisdiction where their ICT infrastructure is located and the measures that they are implementing in order to prevent unlawful government access to that data.

Ciara Anderson

Okay, so changes will have to be to public information or notices. In relation to the contracts, again, in the second video in the data access and sharing obligations, we mentioned that there is a prohibition on unfair terms in a B2B context. Are there any contractual requirements in relation to the switching obligations.

Shay Buckley

The contract between the provider and the customer need to be updated to align with the requirements of the Data Act. Importantly, the Data Act requires that the contract clearly states that the contract automatically terminates on the successful completion of the switching process.

Ciara Anderson

Okay, I think that’s going to be quite big for providers to consider what that means for them financially in terms of revenue recognition, for example. But thank you for taking us through that. That’s incredibly helpful and thank you to everyone for participating and listening to this series. We have three videos in the series that you might review, but thank you for your time.