Data Act Mandates: Ensuring Accessibility and Interoperability in Connected Products by 2027
A key element of the Data Act is the design requirements for connected products and the timing of their market entry. Article 3(1) and Article 4(1) stipulate that connected products and services must be designed in such a way that the relevant data, including necessary metadata, is easily, securely, and freely accessible by default. This access is facilitated by a comprehensively structured, commonly used, and machine-readable format. (CMS Law, 2024)
These requirements come into effect from the first quarter of 2027 and aim to improve the interoperability mentioned in Article 2 and reduce the lock-in effect that often binds consumers to certain products or services. Articles 22-32 and 33-36 contribute to a further reduction of the lock-in effect by regulating short notice periods, technical support services and the gradual abolition of switching fees (after a transitional period, their collection is no longer possible). (CMS-Law, 2024)
New design standards and key requirements for connected products after 2026
The clear design requirements for connected products apply to those brought onto the market after September 12, 2026. Affected products are all devices that collect data about their usage or environment and then communicate this data via an electronic communication service, a physical connection or access to the device. Particularly in the B2B or B2C sector. Products not affected are those that are primarily intended for displaying or playing content or for recording and transmitting content. (Dunn, Gibson, 2024)
Promoting access and fair compensation for Data Sharing
Another important domain of the Data Act concerns access to data and the sharing of it. According to Article 5 (1) and Article 8 (4), users can demand that their data be passed on directly and exclusively to third parties, so-called data recipients. This is often accompanied by a service in return. This is described in Article 9 (1) and states that the data controller may demand consideration with an appropriate margin from the data recipient. The provision on consideration in Article 8 (4) does not apply if the data recipient is a small/medium-sized company or a non-profit research organization. This promotes the development of follow-up and additional services such as insurance or external repair services. (Ackermann, Dr. Sonja & Schwarz, Dr. Tim Jonathan, 2024)
Art. 7 para. 7 and Art. 5 para. 10 regulate this right of data controllers to refuse or suspend the transfer of data if necessary measures are not taken and an agreement cannot be reached. However, this decision must be justified, communicated to the user or third party in writing without delay and forwarded to the competent authority, stating the specific facts of the case. According to Article 4 (13), the data controller itself may only use the non-personal data generated by the customer based on a contractual agreement, the data license agreement.
Article 3 (2) and (3) are part of the right of access and establish pre-contractual information obligations regarding data access and the use of non-personal data by the data owner. This makes it clear that the use of such data may only take place based on a contractual agreement. (O’Keeffe, Eoghan, 2023)
New contractual terms and transition periods under the Data Act
The Data Act also introduces new contractual terms and transition periods. Article 8(6) clarifies that the obligation to disclose data to third parties does not compel the data owner to disclose trade secrets. In addition, contractual terms for new contracts will automatically take effect from September 12, 2025, while for existing contracts before this date, regulations will come into force on September 12, 2027. (Dunn, Gibson, 2024)
Safeguarding privacy and access rights in the new digital era
A central aspect of the Data Act is data protection and the prevention of misuse. Article 15 regulates the right to data access for public entities, while Article 32 ensures protection against unlawful access and government transfer. Furthermore, to ensure the protection of data, data processing service providers must take appropriate technical, organizational and legal measures to prevent international transfers and access from third countries to non-personal data stored in the EU. (CMS Law, 2024)
The Data Act smart contract requirements
Article 36 sets out requirements for the use of smart contracts regarding their implementation of data transmission procedures. As a result, the Data Act expects a high degree of robustness and access control mechanisms from an application provider, which are security measures.
As a result, the Data Act not only distinguishes between digital contracts and smart contracts that use distributed ledger technology but may also have an impact on existing contracts on public blockchains. (CMS Law, 2024)
New regulations aim to rein in data power abuse
Finally, the Data Act contains special provisions for gatekeeper companies, i.e. companies that hold a dominant market position in a certain area. Although these companies are allowed to receive data, they are subject to restrictions on their use, particularly regarding central cloud services. This is intended to curb the abuse of data power by dominant companies. (Dunn, Gibson, 2024)