The EU Data Act redefines access to personal and non-personal data. Its implications extend beyond the EU, impacting Swiss companies as well.
In the dynamic realm of Europe’s Digital Strategy, the new Data Act marks a crucial shift, transcending borders and demanding attention from entities worldwide, including Swiss companies. This legislation, a cornerstone of Europe's Strategy for Data, brings forth challenges and opportunities that necessitate strategic considerations and proactive measures for businesses outside the European Union.
The Data Act, a crucial follow-up to the Data Governance Act, establishes a structured framework mandating data sharing. It emphasizes the imperative access to both personal and non-personal data for users engaging with "connected products" or "related services". This legislative innovation aims to empower individuals and organizations by granting access to data, thereby fostering a more competitive and innovative market environment.
The Data Act categorizes "connected products", often referred to as “IoT products”, as items that acquire, generate, or collect data pertaining to their usage or environment, that are able to communicate that data through various channels (e.g. via an Internet connection, telephone networks or near-field communications), and whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user. Examples include connected cars, smart industrial machines and fitness trackers.
Correspondingly, "related services" encompass digital services, other than an electronic communications service, intricately intertwined with a connected product's functionality at the time of purchase or subsequently connected to the product to augment or modify the product's capabilities.
Illustrative scenarios highlight the transformative potential of the Data Act. Previously, critical data regarding factory robot malfunctions remained confined within the manufacturer's domain, limiting customers to exclusive reliance on the manufacturer's repair services. Under the Data Act, customers gain the ability to engage alternative repair providers by accessing essential data. This shift aims to introduce potentially cost-effective repair options, but it also empowers customers and third parties with access to crucial information formerly “belonging” to the manufacturer.
Similarly, the agricultural sector grappled with data silos within distinct equipment manufacturer ecosystems (such as tractors and automatic irrigation systems), as the data generated by each equipment unit was locked within the proprietary systems of their respective manufacturers. Consequently, farmers were unable to outsource data analytics encompassing the diverse equipment utilized. Following the implementation of the Data Act, farmers gain the ability to seek tailored insights and guidance from third-party providers capable of aggregating and analyzing data derived from diverse equipment sources.
One fundamental requirement of the Data Act is the need for a Data License Agreement between data holders, such as manufacturers of connected products, and users of such products. Additionally, the Data Act requires “Data Access by Design”, which means that connected products and related services have to be designed to ensure user-friendly, secure and cost-free access to specific data. If technically feasible, users should have direct access to this data. Moreover, the Data Act provides for a Data Access Right. Where data cannot be directly accessed by the user from the connected product or related service, data holders are obligated to make it accessible to the user without undue delay, of the same quality as is available to the data holder, in a comprehensive, structured, commonly used and machine-readable format and, where relevant and technically feasible, continuously and in real-time. Equally significant is the requirement of a Data Sharing Agreement with third parties, mandating data holders to share specific data with third parties under FRAND terms, i.e. in a fair, reasonable, non-discriminatory and transparent manner. Under exceptional circumstances, such as during public emergencies, the Data Act even mandates private data holders to share data with public sector bodies. Finally, the Act introduces rules facilitating switching between various cloud data-processing service providers, emphasizing interoperability and safeguards against unlawful data transfer.
Despite Switzerland's status outside the EU and the European Economic Area, the Data Act's extraterritorial application extends its reach to numerous Swiss companies. Manufacturers of connected products or providers of related services marketed within the EU, data holders sharing data with recipients within the EU, and providers offering data processing services to customers in the EU fall within the scope of this legislation regardless of their place of establishment.
Given the impending impact, Swiss companies are advised to take proactive measures:
On 27 November 2023, the EU Council formally adopted the Data Act. The Data Act will enter into force on the twentieth day following its publication in the Official Journal of the European Union. It will apply 20 months from the date of entry into force, with certain exemptions, in particular a 32-month “sunrise period” designated for compliance with the “access by design” obligation.
In conclusion, while the Data Act primarily targets the EU, its extraterritorial implications necessitate proactive measures from Swiss companies.
For further insights or guidance on navigating these regulatory changes, companies are encouraged to seek legal counsel and specialized expertise to ensure compliance and capitalize on emerging opportunities. We provide tailored workshops and strategic counsel to help businesses manage associated risks, ensure compliance with the new Data Act, and capitalize on potential opportunities.