The proposed Data Act (hereinafter “DA-Proposal”) names a number of actors to whom the regulation would apply. According to Art. 1 Para. 2 DA-Proposal, these include

• manufacturers of products and suppliers of related services,
• users of such products or services,
• data holders that make data available to data recipients in the Union,
• data recipients in the Union to whom data are made available,
• public sector bodies and Union institutions, agencies or bodies,
• providers of data processing services offering such services to customers in the Union.

The key actors of the DA-Proposal are the data holder, the user, and the data recipient.

Data holder

The term “data holder” is of particular importance, as the claim for access and sharing of data is directed against the data holder (Art. 4, 5, 14 DA-Proposal).

A definition can be found in Art. 2 No. 6 DA-Proposal, according to which data holder “means a legal or natural person who has the right or obligation, (…), or in the case of non-personal data and through control of the technical design of the product and related services, the ability, to make available certain data.” The decisive criterion is in particular the control over the technical design of the product and related services and the associated actual ability to make data available. In principle, anyone with access to the data can be considered the data holder. The definition of data holder is thus very broad. Accordingly, a user to whom data has been made available may also in turn become the data holder if it is a company (Recital 30 sen. 7 DA-Proposal).

The draft of the Parliament requires that the natural or legal person has accessed data from the connected product or has generated data during the provision of a related service. In contrast to the Commission's draft, the Parliament's draft thus makes actual access to data or actual generation of data a mandatory prerequisite for being considered a data holder. In addition, the data holder must have the contractually agreed right to use this data.

This means that especially manufacturers of connected products fall within the scope of the draft regulation. According to both drafts, for example the manufacturer of a connected vehicle or a smart refrigerator would be covered. Accordingly, with respect to a certain date, there may even be several data owners at the same time.

User

The party entitled to the right of access to data is the user. "User" is defined in Art. 2 No. 5 DA-Proposal as “a natural or legal person that owns, rents or leases a product or receives a service.” A user can therefore be the person who owns, rents or leases a product or receives product-related services. Note: the user can thus also explicitly be a legal person; here it becomes clear that the DA-Proposal does not create a consumer-only right, but also has relevance in the B2B area. For example, it would be conceivable that a company sells machines to other companies and offers to generate usage data as an additional service. The company that bought the machine could, for example, demand as a user within the meaning of the DA-Proposal that the data be made available to a third party. Machine data could also be monetized in this way in some cases.

Data recipient

According to Art. 2 No. 7 DA-Proposal, a data recipient is a legal or natural person to whom data is provided by the data holder for commercial purposes without the data holder itself being the user of a product or related service. Pursuant to Art. 5 Para. 1, the DA-Proposal entitles the user to share data. If, for example, the owner of a (connected) vehicle (= user) wants the vehicle manufacturer (= data holder) to pass on the data generated about the user to a repair shop, the latter is a third party and data recipient in the aforementioned sense.

The draft of the Parliament does not require a commercial purpose within the definition. It therefore remains to be determined in the legislative process whether the term data recipient will only include commercial purposes.

Recommendations:

Since the DA-Proposal specifies the addressees, we recommend checking at an early stage whether companies fall within the scope of the regulation in the context of their business models. The above-mentioned addressees, in particular data holders, are subject to different requirements, so that the necessary measures should be taken in accordance with the regulation.

The ongoing legislative procedure should be followed with regard to possible amendments to the personal scope of application as it may still be the case that this scope will change during the legislative process. This applies in particular against the background that both the Parliament and the Council are calling for changes to the scope of application in their positions.

In our DA Update series, we regularly provide you with information on the proposed Data Act of the European Union and keep you informed about changes in the ongoing legislative process. In each of our articles, we give you a brief overview of a specific topic, presenting the most important aspects and practical implications.