Products and services covered by the proposed European data law
As part of the EU data strategy, the Data Act is intended to be a landmark piece of legislation, creating a horizontal framework for accessing and sharing data. It will apply to a wide range of companies in all sectors, such as technology, health, automotive, energy or agriculture. This will lead to a paradigm shift allowing users (and third parties) to access the data generated by the use of the products and related services.
Obligation to inform users and obligation to provide access to data
When a company offers users certain types of related products or services, before entering into an agreement to purchase, rent or lease that related product or service, at least the following information must be provided by the company offering the related product or service to the user, in a clear and understandable format:
(a) the nature and volume of data likely to be generated by the use of the product or the associated service;
(b) whether the data is capable of being generated continuously and in real time;
(c) how the user can access this data;
(d) whether the manufacturer supplying the product or the service provider supplying the related service intends to use the data itself or to allow a third party to use the data and, if applicable, the purposes for which this data will be used;
(e) whether the manufacturer supplying the product or the service provider supplying the related service itself is the data holder (i.e. the one who has the right or ability, by technical design control products or related service, to ensure data availability) and, if not, the identity of the data holder;
(f) the means of communication that allow the user to quickly contact the data holder and to communicate effectively with this data holder;
(g) how the user can request that the data be shared with a third party; and
(h) the user’s right to file a complaint alleging a breach of data law with the competent authority.
Users (whether consumers or not) will have the right to request access to all data generated by the use of these products from the “data holder” (which need not be the company responsible for provide the information above).
The products and associated services are designed and manufactured, and the associated services must be provided, in such a way that the data generated by their use is, by default, easily, securely and, where applicable, directly accessible to the user.
Where the Data is not directly accessible by the User from the Product, the Data Holder shall make available to the User the Data generated by its use of a Product or related Service without undue delay, free of charge and, where applicable, continuously and in real time. -time. This is done on the basis of a simple electronic request when technically possible.
If requested by the User, the Data Holder will make available to a third party the Data generated by the use of a related product or service, without undue delay, free of charge for the User, in the same quality than that available for cardholder data and, where applicable, continuously and in real time.
However, these information, data sharing and data access obligations apply only to a particular set of “products” and “related services”.
A “productis defined by the Data Bill as “tangible personal property, including when incorporated into real property, that obtains, generates or collects data regarding its use or environment, and that is capable of communicating data through a publicly available electronic communications service and whose main function is not the storage and processing of data”.
Recital 14 of the data law proposal stresses that not only consumer goods such as vehicles or household appliances, but also medical and health devices or agricultural and industrial machinery would in principle be covered by the data law. the data.
However, products whose primary function is the storage and processing of dataare out of range. Recital 15 of the data law proposal specifies that the elements which are “primarily designed to display or play content, or to store and transmit content, including for use by an online service” should not be covered by data law (because they “require human intervention to produce various forms of content, such as text documents, audio files, video files, games, digital mapsand thus oppose products thatobtain, generate or collect, by means of their components, data concerning their performance, their use or their environment”). Examples of products excluded from the scope of the Data Act (as foreseen in the Commission’s proposal) include personal computers, servers, tablets, smart phones, webcams, sound recording or text scanners.
As clear as it may seem, drawing the line between products outside of this explicit set of examples could be difficult in practice.
The comparison between smart phones and smart watches is a good example. To some extent, both collect data through their components such as sensors. In fact, both have motion sensors to measure the steps of the user, position sensors to detect the physical location of the user, or ambient sensors to detect information about the environment of the user. user (temperature, light, etc.). Both are also designed to display or play content (playing music on an app, displaying messages, displaying information such as weather), or recording and transmitting content (for example, a smartphone can record images , a smartwatch can record sleep patterns). Considering the similarities and following the reasoning of the Commission as set out in the mentioned recital, there are good arguments that a smartwatch should also not fall within the scope of the Data Act.
During the legislative process, the Presidency of the Council has already addressed this uncertainty and pleads to include smartwatches in the “some products“definition as they have it”an important element of collecting data on indicators or movements of the human body and should therefore be considered covered by the definition of the product.”
It remains to be seen which argument will prevail at the end of the legislative process. Yet this example shows that the currently proposed definition of relevant products is not so “clear” and that further guidance from the EU legislator would indeed be helpful.
Relevant “related services”
The Data Act defines “related service” like a “digital service, including software, that is incorporated into a product or interconnected with a product in such a way that its absence would prevent the product from performing any of its functions.”
Take the example of a connected refrigerator. Such a refrigerator may contain cameras to track the contents of the refrigerator or sensors that scan the RIFD tag or barcode on grocery items to create automatic inventory. The user can be offered additional services through the fridge screen, such as the ability to manage shopping lists, set up automatic online purchases when certain foods are sold out, track expiry dates, or receive recipe recommendations based on available items. These services are directly integrated into the refrigerator and, since their absence would prevent the refrigerator from performing these functions, they are likely to constitute “associated services”.
To take this example one step further, the user could not only receive these services through the refrigerator display, but also through a connected app. Thus, in all cases, the services are then not physically incorporated in the product because they are received on a different device. This raises the question of whether app-based services would still be considered “associated services” (which would only be the case if such an application were considered “interconnected” with the fridge). The Commission, however, gives no further guidance as to the extent to which the term “interconnected» is it necessary to understand.
Another question that arises in this context is what “functionsare in fact decisive for the services to be considered a “related service”? Only the essential functions or also the auxiliary functions of the product? Recital 16 of the proposed data law states that a “related serviceis a service which may be part of a contractual agreement with the user or which the user may reasonably expect given the nature of the product. Yet it is not clear from the proposed data law whether the decisive criterion for a “function” should rather be what the user can reasonably expect given the nature of the product or which has been contractually agreed by the user, then if it is an essential function of the product addressed by this service or not.
Current legislative process
As noted, even with respect to key terms defining the scope of the proposed Data Act, further guidance through the legislative process is needed for businesses to determine whether they are subject to the obligations set out in the proposed data law. Act in relation to their specific products or related services. In any case, companies offering data-driven products or related services should consider assessing the implications of data law for their business activities today to prepare for the regulatory landscape of tomorrow.