Why the EU Data Act might disrupt the IoT space

Dominga Leone • June 27, 2023

In this piece, I want to dive into some key points of the proposal, which if passed, have the potential to derail certain long term business strategies and to change the way IoT organisations are run.

Background


In a recent article, I discussed the foundations of the EU Data Act and I recommend you read it if you are looking for a basic understanding of the proposed legislation.

Tomorrow EU institutions will reconvene to discuss the EU Data Act and the outcome could mean a dramatic shake up in the way business is done in the world of IoT.

Before I go into the weeds, and because I know a large percentage of my audience are Privacy professionals, I want to highlight that the proposed EU Data Act is not a Data Protection and Privacy Legislation. It has many intersections and implications that will make Data Protection Leaders key stakeholders, and possibly responsible for operationalising parts of this act - I will discuss these in future posts, but for now let's say the EU Data Act is far broader than personal data. 

It essentially aims to regulate industrial data and, whilst there is still some debate around the exact scope, it is likely to apply to personal and non personal data generated by the use of a product or service - meaning data recorded intentionally by the user or as a by-product of a user’s action. Imagine the data generated by your fitness tracker or your household’s use of a smart fridge. It will also apply to data generated by business users, for example an organisation who runs a fleet of connected vehicles that generate data through their employees driving those vehicles. 


The contentious points


I am a big advocate of the EU Data Act - I believe that the democratisation of data is a good thing, but, as I have said before, it is not without disruption to current business models. 

This piece is going to focus on some of the controversial points of the EU Data Act that govern data generation, use and sharing. 

I know the revelations in the article are going to alarm some readers, so I would like to remind my audience that everything that you read is my interpretation and opinion at the time of writing and largely based on the EU Parliament's proposed amendments. I will also be following up with some more positive news on the opportunities it brings.


Below are the five points, which if passed will be very worrying for IoT businesses:

  • The EU Data Act may put an end to data monetisation as we know it
  • The EU Data Act may kill data brokers
  • Organisations will no longer be able to use data for anything they want
  • Organisations can’t hoard data anymore
  • Organisations will need to tell users a lot more about what data they collect


The next sections will provide further details on each of these points.


The EU Data Act may put an end to data monetisation as we know it


Organisations sharing or selling raw data generated from a product or service they provide, without consent, aren’t going to be able to easily do this anymore, even if the data is anonymised.


The EU Data Act would stop the data holders freely sharing raw data with third parties for anything other than the contractual services to the user, unless the data is manipulated or aggregated in such a way that does not allow the identification of the specific data items.


If this passes it will cause massive concerns in the IoT space, where many business models heavily rely on monetising anonymous or de-identified data by selling it to third parties.


The proposed amendments to the EU Data Act will impact the ability to do this in a big way, potentially affecting the margins and operating models of organisations selling this data. 


The EU Data Act may kill data brokers


There are a number of organisations, including data brokers, whose entire business models are based on access to raw data from connected products and services. The future of these organisations is going to be threatened by the changes outlined above, and whilst there are some potential solutions, they must start thinking about these now. 


Organisations will no longer be able to use data for anything they want.


No more ‘free for all’ on data use. Companies have been spoiled when it comes to using data generated by a connected product or service and they have generally done so without restrictions. Organisations will now only be allowed to use data on the basis of a contractual agreement with the user and for limited purposes. 

Data holders will only be able to make their own data use a contractual condition for the provision of the product, or service, if the data is needed for the functionality of the offering. 


Whilst we have all got used to Data Protection and Privacy regulations, which require companies adhere to purpose limitation and minimisation principles, we have generally seen organisations producing, and using, infinite amounts of data and, as long as that data is not personal, they have been able to do so without transparency or needing to explain to themselves. In turn, organisations have created and hoarded data with vague and ill-defined uses, just in case!


If this amendment passes, it means that organisations are going to have to revisit their data strategy and will have to understand, in detail, what data is needed for the functionality of the product or service and what isn’t. If it isn’t strictly needed, they will have to give the user a lot more choice about whether or not it is used.


Organisations can’t keep data forever 


Organisations acting as data holders will have to delete data when they are no longer necessary for the purposes contractually agreed. 

Companies expect to have storage limitations for personal data, although five years on, it is questionable how many have effectively got to grips with this aspect of GDPR. One practical way that organisations currently operationalise storage limitation is by anonymising the data, rather than deleting it. They then use this data for any purposes they please, because it is out of scope for GDPR.


The EU Data Act clause would remove an organisation’s ability to use anonymisation as a technique for retaining the data because they will have to delete non personal data too. This is going to present some real challenges for organisations wishing to use this data beyond the contract with the user. 


Organisations are going to have to tell users a lot more about what data they collect 


Organisations generating data through the user’s interactions with a product or service are going to have to tell users a lot more about the data they generate.

Up until now, organisations have only been obliged to align with Data Protection regulation which imposes transparency requirements and gives individuals a right to be informed about what personal data is processed. This requirement has never extended to non personal data, so this is going to be a big leap, especially because many organisations are not exactly well versed in what they produce themselves. 

If this part of the EU Data Act passes, organisations would have to give the user information on:


  • The type of data, format, sampling frequency, the in-device storage capacity, and the estimated volume of accessible data which the connected product is capable of collecting, generating or otherwise obtaining.
  • Whether the connected product is capable of generating data continuously and in real-time.
  • Whether data will be stored on-device or on a remote server, including the period during which it shall be stored.


It will be interesting to see whether this kind of information ends up in the Privacy Notice or whether there will be a separate Notice or Statement. 


What can you do to prepare?


Much of this might be unwelcome news to some organisations. On the plus side, there will be solutions to many of the above issues, and there are definitely some opportunities emerging from the EU Data Act. Organisations do need to start thinking about this sooner rather than later, because 18-24 months will seem like a very short time to prepare. 


As I mentioned earlier, the EU Data Act has not passed and these clauses might not make it into the final draft, however it would be wise for companies to consider the following actions, which are likely to be useful not just for these controversial clauses, but also for broader compliance with the EU Data Act:


  1. If you are an IOT company or an organisation reliant on connected data, such as a data broker, or a motor insurer generating data through black boxes and dongles, get the EU Data Act at the top of your executive agenda and strategy discussions. Understand how these changes may disrupt your strategy or destroy assumptions that your current or future initiatives rely upon.
  2. Know what data you are producing - if you are compliant with GDPR, you might already know a lot about your personal data processing, but you will need to expand your knowledge and documentation to all data.
  3. Know what the data is used for. Ensure that you really understand whether it is required for the product/service functionality or whether it is more of an ancillary or ‘nice to have’ data collection.
  4. Start thinking about extending data minimisation to non personal data. Evidence says that most companies don’t even use the data they generate. If you don’t need the data, don’t generate it! 
  5. Move your data retention and deletion strategy to the top of the priority list - GDPR went live five years ago and I know of many organisations that have still not successfully delivered this workstream. This is the time to get to grips with it.


If your organisation requires practical support navigating the proposed EU Data Act, please visit our LinkedIn page or www.dataactconsulting.com


Before close off, I would also like to highlight there are other areas of the Data Act that companies have been quite vocal in challenging, like concerns around trade secrets for example, but these have been widely documented and as such I didn't feel my views add much value to the commentary.


Credit Image by Pete Linforth from Pixabay

How to get buy-in for your Privacy Programme

By Dominga Leone September 18, 2023
I am often asked how to get buy-in and sponsorship for a Privacy Programme. Spoiler alert scaremongering about €20 Million fines doesn't really work, so I decided to publish this guide to help Privacy teams get the support they need.

The Vehicle and Geolocation Data Privacy Crackdown

September 7, 2023
Managing this type of data is a tricky business and almost no organisation seems to be doing it in a way which respects privacy and data protection laws. Here are our key messages for those processing geolocation, vehicle data, connected car data and telematics data.

The EU Data Act is coming - Is your business prepared?

By Dominga Leone June 22, 2023
Background Over the last 12 months, I have been leading workshops with OEMs, IoT product owners and business stakeholders, to discuss the proposed upcoming EU Data Act and how it will impact their organisation and business models. Over this time, I have become fascinated with the EU Data Act and, whilst it is not without its hurdles, I consider it to be a truly revolutionary move by the EU. I believe it will change how we view data creation, ownership, use and distribution. In fact, considering the colossal implications it is likely to have, it is surprising how infrequently I see it discussed. As we move into an era of big data, AI and machine learning, democratisation of data is pivotal - all of us generate data through our labour and our everyday actions, but few of us reap the rewards and profits of that data creation. I view the EU Data Act as an instrument to ensure that the benefits of this data are distributed evenly across society. Whilst it no doubt brings challenges, it creates infinite possibilities for all players - from manufacturers to individuals, businesses and service providers and of course public bodies. It will require careful consideration from organisation leaders, who will have to, once again, consider data at every stage of their strategy and operations - just like they did for GDPR, but this time for all data, not just personal data. Data protection professionals will certainly be key stakeholders and advisors on this journey and I am excited. This is the first in a series of articles about the EU Data Act. This initial piece is a very high level overview of the EU Data Act – what it is and where we are at. It will provide the foundation to my future articles, which will be deep dive ‘think pieces’ and analysis about the opportunities, threats and impacts of the proposed legislation. I will consider the Privacy and Data Protection, the Automotive industry, OEMs, Insurers, IoT manufacturers, businesses and consumers.  I should caveat that everything that you read is my interpretation and opinion at the time of writing. The EU Data Act hasn’t yet been finalised and is likely to evolve over time, as will the broader understanding of it. Please feel free to engage and even challenge in the comments for some healthy debate. What is the EU Data Act? The EU Data Act is a legislative proposal which aims to lay down consistent rules, specifying who is entitled to access data generated by the use of products or related services. Its goal is to ensure a greater balance in the distribution of the value from data. Why do we need the EU Data Act? Data-driven technologies have been transforming and driving all sectors of the economy. Products and services connected to the Internet of Things (IoT) have led to more data being generated than ever before. This data can be extremely valuable for consumers, businesses, and society, but there are massive barriers to gaining access to and sharing this data, including a lack of incentives for companies holding the data to share it, uncertainty about rights and obligations, high costs, fragmented data, lack of interoperability and data protection issues. These barriers prevent data being shared and used in a way that benefits society and the wider economy, so monopolies reign. The EU Commission states that 80% of industrial data is never used and believes the introduction of the EU Data Act will unlock the value of the data economy and act as an engine for innovation, competition and economic growth. What are the specific objectives of the EU Data Act? Some key points of the EU Data Act are still under negotiation, but the following broad goals are likely to apply: Design - Connected products and services should be designed in such a way that allow the User access to data generated by the use of that product or service. For the purpose of this proposed EU Data Act the User of a product or service could be an individual or organisation - for example an individual User would be a connected vehicle owner driving their vehicle, a business User could be an organisation who runs a fleet of connected vehicles. Both would be entitled to access data. Sharing data with Users – At the request of Users, data generated by the use of product or services should be made available to those Users or other data recipients providing services to those Users. Again, Users can be individuals or organisations. This means that organisations that are offering legitimate services to Users will be able to gain access to data that, prior to the introduction of the EU Data Act, may have been very difficult to obtain. For example insurers wishing to insure based on how an individual drives will be able to get access to the Insured's connected car data on the request of the User. Contractual terms – Ensuring fair contractual terms for data sharing agreements to prevent parties to contracts abusing imbalances in negotiating power to the detriment of weaker parties. In essence this means that big players won’t be allowed to impose unfair terms that disproportionately benefit them. Sharing data with public bodies -Where there is an exceptional need in the public interest, data holders will need to make data available to public bodies. Cloud Switching - Provisions of interoperability to facilitate switching between cloud and edge services easily, to avoid vendor lock-in, thus improving competition. Safeguards against unlawful transfers - Introducing defences against unlawful international governmental access to non-personal data. Whilst the EU has strict rules on how personal data may flow internationally, there are no protections for non-personal data. This part of the Data Act aims to introduce some safeguards from unlawful government access. Interoperability standards - Provide for the development of interoperability standards for data to be reused between sectors. What is the current status of the EU Data Act? The EU Data Act proposal has been reviewed by the EU Council and EU Parliament and they have each proposed amendments. EU institutions are now in trilogue discussions – a third scheduled for the 27th June 2023. The EU Data Act is likely to pass in 2023, some are saying sooner, rather than later. Does the EU Data Act only apply to EU companies? No it will be broader - there are still some minor points that will be clarified in EU negotiations, but it is likely to apply to the following: Organisations providing products or services on an EU market and the use of data generated in relation to the use or those products and or services. Data holders that make data available to recipients in the EU Users of products or related services in the EU that make data available to data recipients in the EU. Data recipients to whom data are made available. Public sector bodies that request data holders to make data available (where there is an exceptional need for that data for the performance of a specific task carried out in the public interest). Providers of data processing services to customers in the EU. Are there any exemptions for smaller organisations? The EU Data Act provides exemptions for micro and small enterprises as follows: A small enterprise is defined as an enterprise which employs fewer than 50 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 10 million. A micro enterprise is defined as an enterprise which employs fewer than 10 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 2 million. The above applies, as long as these enterprises are not linked or partnered with other enterprises that do not qualify as micro or small. Depending on how the negotiations proceed, we may see other exemptions for medium enterprises and possibly tighter exemption qualifying criteria, whereby micro and small enterprises will still be in scope if they are subcontracted to manufacture a product or provide a service. When will the Data Act be effective? There is still some debate on the timeline for enforcement – as it stands it looks to be between 18 and 24 months after it enters into force. Will the EU Data Act apply retroactively? Maybe – if negotiations align with the EU Parliament’s view, then obligations under Article 4.1 to make the data generated by User’s use of a product or related service, will apply to products and services placed on the market 5 years before the EU Data Act came into force , as long as the provider of a related service is able to remotely deploy mechanisms to ensure the fulfilment of the requirements. Will organisations have to comply with the EU Data Act? Yes, there will be fines and penalties for non compliance. Conclusion The EU Data Act has far reaching scope and implications and creates endless opportunities and threats. Business leaders should be thinking about the EU Data Act now and considering how it will impact their strategy, roadmap and objectives. Has your organisation considered the EU Data Act? What opportunities and threats do you see and how are you preparing? Please follow our LinkedIn Page for future blogs on this topic and if your organisation requires support navigating the proposed EU Data Act, please visit www.dataactconsulting.com