The Data Act will regulate how companies throughout the EU are allowed to use data in the future. In our newsletter, we gave an initial overview of the new Act. We are now going into more detail on individual areas of the Data Act in various articles on our website. In this article, we explain the scope of the Data Act. 

Which products are affected by the data Act? 

The Data Act extensive new requirements for manufacturers (= data holders) and users of so-called "connected products" as well as for providers and users of so-called "data processing services".

What are connected products? 

The definition of "connected products" in Art. 2 No. 5 of the Data Ordinance summarizes such products, 

• obtain, generate, or collect data about the use or environment and 
• can transmit the product data via an electronic communication service, a physical connection, or an on-device access and
• whose main function is not the storage, processing, or transmission of data on behalf of a party other than the user.

This means that the product must independently collect usage data. However, if data is generated or entered by the user (as is the case with smartphones or tablets, for example), the product is no connected product, according to this definition. The exact definition of which data originates from a person or is generated by the product is likely to lead to some debate. For example, does a fitness tracker collect data independently or is it triggered by the user through the corresponding settings? 

In addition, the product must transmit the data via a communication service, the keyword is "Internet of Things" (IoT). This feature is somewhat more difficult to understand. According to recital 16, for example, servers and cloud structures that are operated by the "owner" of the cloud (= user) exclusively on behalf of third parties are to be excluded from the scope of the Data Act. In principle, the Data Act intends to grant the rights to data to those who generate it through their use, i.e. the customers of the cloud service. However, the operator of the cloud or a data center should not be entitled to the usage data generated by its customers.

What are data processing services?

According to Art. 2 No. 8 Data Act, data processing services are digital services that allow a customer on-demand network access to certain computing resources that the service provider can make available and share with minimal administrative effort. Such data processing services include, for example, cloud or edge services that provide users with a shared platform. These can be "Infrastructure-as-a-Service" (IaaS), "Platform-as-a-Service" (PaaS) and "Software-as-a-Service" (SaaS). This has significant practical implications, as one of the aims of the Data Act is to make it much easier for customers to switch between such data processing services in future.

Where does the Data Act apply?

According to Art. 1 para. 3 of the Data Act, the basic principle of the local scope is the marketplace principle. According to this, it is only important that a company offers or uses connected products or data processing services within the EU. The company's registered office is not relevant. The Data Act also applies to companies that are based outside the EU but sell connected products or offer data processing services within the EU. 

Partial exemption for small and micro enterprises

A few requirements of the Data Act do not apply to small and micro-enterprises. These are defined according to the recommendation of the EU Commission from 2003 (2003/361/EC). According to this recommendation, a small enterprise employs fewer than 50 people and has an annual turnover or annual balance sheet of less than EUR 10 million. A microenterprise employs fewer than 10 people and has an annual turnover or annual balance sheet of less than EUR 2 million. 

The requirements for manufacturers of connected products do not apply to such small or micro-enterprises in accordance with Art. 7 para. 1 Data Act. However, the prerequisite for this is that they are not part of a larger group and that they do not carry out the production as a subcontractor for a larger company. 

Prospects and practical tips

It is not always easy to determine how a company is affected by the Data Act. In addition to the definitions presented, a distinction must be made between a variety of different types of data (including metadata, product data, related service data, readily available data and exportable data) in order to derive the respective legal obligations. 

If you have any questions about the Data Act or would like support, please do not hesitate to contact our experts in the field of intellectual property, media and information technology. We will help you to check whether and to what extent the Data Act applies to your company and how you as a company can best respond to it. For example, a short workshop is a good way to start the implementation process, in which we work with you to identify the specific requirements for your company and agree on the necessary steps.