Data Act Requirements for Compliance and Data Access Restriction


Regulation (EU) 2023/2854 (“Data Act”) establishes a Union-wide legal framework for access to and use of data, particularly data generated in connection with connected products and related digital services. For companies, questions of internal organization, contractual design, and the limitation of data access claims are coming to the forefront. The key is to translate the intended access rights and their limitations into comprehensible processes while safeguarding protected interests, such as trade secrets, within the framework of the regulation.

Regulatory Objective and Scope of the Data Act

The Data Act primarily addresses data generated through the use of connected products (e.g., devices with sensors and connectivity) and related services. It imposes obligations to provide certain data and regulates the situations in which users, or third parties appointed by them, can request access. This is intended to make data, which often remains within individual provider ecosystems, available under defined conditions.

Data Categories and Participants

The focus is on usage data generated during the operation and use of a connected product or a related service, as well as its provision to entitled claimants. Typically involved parties include manufacturers, providers of related services, users (especially commercial users), and third parties designated by the user. The allocation of roles and responsibilities is crucial for the subsequent handling of claims.

Relationship to Existing Legal Frameworks

The Data Act does not stand in isolation; it also impacts data protection law, regulations on the protection of trade secrets, and contractual obligations along supply and distribution chains. In practical application, it is regularly necessary to differentiate between personal and non-personal data and to determine which protection regimes need to be observed concurrently.

Data Access Claims: Origin and Scope

The regulation establishes access and usage rights that can be asserted against the data holder in certain situations. The subject of the claim, the modalities of provision, and the limits of access are derived from the respective conditions.

Entitlement and Access Direction

The central scenario is one in which the user of a connected product or associated service requests data generated by its use. Additionally, the user can demand that this data be forwarded to a third party, provided the legal conditions are met. Companies are tasked with appropriately categorizing the requests, verifying entitlement, and considering the legally prescribed access channels.

Technical and Organizational Modalities

The regulation ties access to requirements that should enable provision in an appropriate form. Companies are often confronted with the question of how to represent data flows, interfaces, and authorization structures so that claims can be met without affecting other protected assets. This particularly concerns the separability of data sets, logging, and internal responsibilities.

Limits of Data Access Claims

The Data Act provides not only access rights but also limitations. These limits can stem from the protection of confidential information, security interests, or conflicting rights of third parties. What matters in practice is that the regulation does not create a limitless “open data” principle but requires a balancing of competing interests.

Protection of Trade Secrets and Confidential Information

An essential aspect is the protection of trade secrets. To the extent that disclosure may impair the protection of confidential information, a limitation or structuring of access that preserves confidentiality may be considered. In this context, questions of demarcation are typical: which data reveals internal procedures, models, or other company-internal knowledge, and which data is to be qualified as pure usage data?

Security and Integrity Interests

Limitations may also become relevant when the provision of data could compromise the security of a product, the integrity of systems, or protection against manipulation. Especially in critical infrastructures or security-relevant components, the question of which data segments are to be transmitted, and at what granularity, can be of particular importance.

Rights of Third Parties and Contractual Obligations

Access claims may also encounter third-party rights, for instance, when data sets contain information attributable to third parties or whose use is contractually restricted. In complex value chains, it is often necessary to clarify which usage and forwarding rights exist and how these align with the data access-related provisions of the regulation.

Compliance Requirements and Typical Conflict Areas

Companies must prepare to handle data access requests not only legally but also operationally. This creates interfaces with contract management, IT security, product liability, data protection, and know-how protection.

Contract Design and Risk Allocation

The Data Act influences contractual relationships, especially where data flows have not been explicitly regulated or unilateral control mechanisms exist. The regulation can affect provisions on data usage, interfaces, confidentiality, or liability issues in contracts. For companies, it is regularly important to consider that regulations on data access and data sharing cannot be viewed in isolation from other performance obligations.

Handling Requests and Evidentiary Questions

In handling data access claims, questions of legitimacy, scope, and documentation arise. Typical situations are those where it is unclear whether the requester is indeed a user within the meaning of the regulation, whether there is an effective designation of a third party, or which data is specifically covered. Similarly, the distinction between permissible data use and impermissible misuse can be contentious.

Interactions with Data Protection and Secret Protection

Where personal data is concerned, processing remains subject to the provisions of the General Data Protection Regulation. In parallel, secrecy protection structures must be considered. In corporate practice, this often means that data access concepts must reflect both data protection requirements (e.g., data minimization, purpose limitation) and protective measures for confidential information.

Classification for Companies and Outlook

The Data Act leads to a redistribution of data access possibilities and thus also to a reassessment of data as a component of performance relationships, maintenance models, and digital business models. At the same time, it is equipped from the outset with protection mechanisms designed to prevent unlimited disclosure. Therefore, its practical relevance lies less in an abstract obligation to release data and more in the legally secure classification of concrete claims, the definition of data scopes, and the observance of the intended limitations.

For companies, investors, and wealthy private individuals who wish to clarify legal issues regarding data access, confidentiality, contract structures, or IT-related interfaces in this context, an accompanying classification of the regulations and their boundaries may be advisable. MTR Legal provides information and contact options for legal consultation in IT law.