Internet Explorer 11 (IE11) is not supported. For the best experience please open using Chrome, Firefox, Safari or MS Edge

New EU Rules for Connected Products and Cloud Services

The EU Data Act will have a significant impact on the data economy in the EU, particularly for connected products and cloud services. Our Technology team discusses the key considerations of the legislation.

The recently published EU Data Act introduces new requirements for access to data, switching cloud service providers and interoperability requirements in the EU.

The purpose of the Data Act (Regulation (EU) 2023/2854[1]) is to:

  • Unlock potential for data innovation in the EU
  • Help create value from data, and
  • Ensure greater balance between the different players in the market

The Data Act is part of the European strategy for data, and complements the Data Governance Act which applies since September 2023. The Data Act will have considerable significance for a range of actors, including manufacturers, providers and users of connected devices and related services and for providers and customers of cloud services.

Data Sharing

The Data Act will have a significant impact for data sharing within the EU.

1. Access to data of connected products

The Data Act introduces rules enabling users of connected products access to product and related service data from those products. This includes metadata which is required to interpret this data. Products must be designed and manufactured in a way which makes it possible, where relevant, for this data to be provided by default, easily, securely, free of charge and in a comprehensive, structured, commonly used and machine -readable format. There are also pre-contractual information requirements such as providing information to the user of the type, format and estimate volume of product data that the connected product is capable of generating.

The Data Act also contains rules permitting users to share this data with third parties subject to conditions, such as using the data only for the purposes agreed with the user and to erase the data once it is no longer needed. Users, in this context, includes both businesses and consumers. However, micro and small companies are not subject to these obligations.

2. Obligation to share data with the public sector

The Data Act introduces requirements for data holders to make data available to public sector bodies and EU institutions where they can demonstrate an “exceptional need” to use the data requested. This will arise in situations such as where it is necessary to respond to a public emergency, where necessary to mitigate a public emergency, and to fulfil specific tasks in the public interest explicitly provided by law. The Data Act also provides for a compensation scheme to cover the technical and organisational costs incurred to comply with the request in certain circumstances.

3. Unfair contract terms

The Data Act will introduce the concept of unfair contract terms in a business-to-business context for data sharing agreements. A contractual term is unfair if it is “of such a nature that its use grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing”. A black list of terms is provided which will always be unfair if unilaterally imposed by one enterprise on another while a grey list of terms is provided which are presumed to be unfair when unilaterally imposed by one enterprise on another. This will be a departure from existing Irish law which currently only regulates unfair contract terms in a business-to-consumer context.

Cloud switching

The Data Act will make the process of switching between cloud and edge computing services easier, including through a prohibition on commercial, technical and organisational obstacles which prevent customers of such services from switching.

1. Contract terms

The Data Act requires the rights and obligations as regards switching to be included in a written contract and requires certain contract terms to be included such as:

  • A requirement for the switch to occur on request from the customer without undue delay and, in any event, not after the mandatory maximum transitional period of 30 calendar days
  • An obligation of the cloud service provider to support the customer’s exit strategy relevant to the contracted services
  • The contract will be terminated (a) where applicable, upon the successful completion of the switching process, or (b) at the end of the maximum period for initiation of the switching process where the customer does not wish to switch but to erase its exportable data and digital assets upon service termination, and
  • A maximum notice period for initiating the switching process not to exceed 2 months

These appear to essentially give customers a termination for convenience right which will have a significant effect on providers’ commercial models, particularly as cloud deals are frequently priced on the basis of a minimum term.

2. Switching charges

The Data Act also provides for the gradual withdrawal of switching charges. Switching charges will be abolished from 12 January 2027. Switching charges must be limited to the costs directly arising from the switching process since 11 January 2024. Cloud service providers must provide the prospective customer with clear information on standard service fees and early termination penalties that might be imposed as well as on the reduced switching charges that might be imposed up to 12 January 2027. Given that this obligation applies from 11 January 2024, cloud service providers will need to immediately review their switching charges and contracting process.

3. Obligation of good faith

Interestingly, the Data Act includes a requirement for all parties, including the incoming cloud service provider, to cooperate in good faith to make the switching process effective and to enable the timely transfer of data and maintain the continuity of the service.

4. Technical aspects of switching

Cloud service providers are also required to provide assistance services to switching users to facilitate the process and to take “all reasonable measures in their power” to achieve “functional equivalence”. This includes:

  • Providing capabilities
  • Adequate information
  • Documentation
  • Technical support, and
  • Where appropriate, the necessary tools

5. Exception for certain cloud services

Most of the requirements do not apply to cloud services which are custom built or services provided as a non-production version for testing and evaluation purposes for a limited period of time. However, where this is the case, the cloud service provider must inform the prospective customer that these obligations do not apply prior to the conclusion of a contract.

Next steps

The Data Act came into force on 11 January 2024, although most of its provisions will apply from 12 September 2025. Given that significant changes may be required by connected products and cloud service businesses, it is advisable to assess the effect the Data Act will have on your business, as considerable changes to contracts and technical measures may be required. Cloud service providers will also need to be aware of the new requirements in respect of switching charges and implement this into their contracting process without delay as this obligation applies from 11 January 2024.

For more information and expert guidance on the likely impact of the Data Act and its impact on your business, contact a member of our Technology team.

[1] Regulation (EU) 2023/2854 harmonised rules on fair access and use of data

People Also Ask

What is the Data Act in the EU?

The Data Act is a new EU Regulation which aims to unlock the value of data within the EU by introducing data sharing and access obligations and requirements on providers of cloud services.

What is the difference between GDPR and the Data Act?

The GDPR regulates personal data within the EU whereas the Data Act also applies to industrial data, whether or not it constitutes personal data.

Who does the Data Act apply to?

The Data Act applies to manufacturers, suppliers and users of IOT devices and related services as well as providers of cloud and edge computing services.

When will the Data Act be in force?

The Data Act will come into force on 11 January 2024 and most of its provisions will apply from 12 September 2025.

The content of this article is provided for information purposes only and does not constitute legal or other advice.

Share this: