EU digital legislation

DA-Update - Episode 3: Obligations related to data access

The proposed Data Act (DA-Proposal) sets out rules for making data available to the user, third parties and public sector bodies. In the following, the user's right to access data pursuant to Art. 3 DA-Proposal is illustrated (as a reminder, "user" means a natural or legal person that owns, rents or leases a product or receives a service, Art. 2 No. 5 DA-Proposal). As part of the user's right of access, the DA-Proposal imposes a number of obligations on companies that are considered data holders.

Modalities of making data available to the user

Art. 3 Para. 1 DA-Proposal sets out requirements for the design and manufacture of products and for the provision of related services. Pursuant to this, data generated by their use must be, by default, easily, securely and, where relevant and appropriate, directly accessible to the user. These requirements may result in a need for adaptation on the part of manufacturers of devices that fall within the scope of the DA-Proposal, because products would then have to ensure direct accessibility in terms of hardware and software. While the Commission's draft makes direct access to data subject to the criterion of appropriateness, according to the Parliament's draft there should already be an obligation to make data accessible if it is technically feasible. The Parliament's draft thus sets a lower threshold for access.

If the user cannot access the data directly from the product, the data holder must make the data available to the user without undue delay, free of charge and, where applicable, continuously and in real-time (Art. 4 Para. 1 Sen. 1 DA-Proposal). Making data available in "real-time" might result in a display by way of a dashboard, which is constantly fed with the latest data for the user. In addition, the user can assert his or her right to data access by means of a simple request through electronic means, insofar as this is technically feasible (Art. 4 Para. 1 Sen. 2 DA-Proposal). These two requirements are quite challenging, especially from a company's point of view. This is because it is unclear both when making the data available is still without undue delay within the meaning of Art. 4 Para. 1 Sen. 1 DA-Proposal and when a simple request by the user for access to his or her data has been made. This shows parallels to the (early days of the) GDPR, which also contains many indeterminate legal terms and whose interpretation has (had) to be further clarified by courts and authorities.

Contractual agreement

The data holder may only use non-personal data generated during the use of a product or related service on the basis of a contractual agreement with the user (Art. 4 Para. 6 DA-Proposal). Companies should therefore contractually grant themselves rights of use with respect to such data from the outset. Attention: if personal data is also generated during the use of the product or the related service, the company must of course also provide a legal basis according to the GDPR for the use of this data.

The Parliament's draft additionally stipulates that the data holder shall not make the use of the product dependent on the user allowing it to process data not required for the functionality of the product. The wording of the Parliament's draft is thus more user-friendly than that of the Commission's draft.

Obligation of the data holder to provide information

The Regulation imposes a number of obligations on the data holder to provide information to the user (Art. 3 Para. 2 DA-Proposal). This includes, in particular, pre-contractual obligations to provide information.

These include, for example, information relating to the nature and volume of the data likely to be generated by the use of the product or related service, how the user may access those data and how the user may request that the data are shared with a third party. According to the Parliament's draft, it should be possible to provide the information on the Internet via a link or QR code (Recital 23 DA-Proposal of the Parliament). In addition to the obligations to provide information under the GDPR (Art. 13 and 14 GDPR), companies are thus faced with further obligations to provide information under the DA-Proposal.

Recommendations

Since the fulfillment of the user's right to access data entails a number of requirements for companies as data holders, measures should be taken at an early stage to implement appropriate processes and functionalities. These may include modifications to products, the provision of information, and the amendment of contracts.

The ongoing legislative procedure should be followed with regard to possible amendments to the obligations imposed on the data holder. As shown, the parliamentary draft provides for amendments and, in some cases, tightening of the data holder's obligations.

In our DA Update series, we regularly provide you with information on the proposed Data Act of the European Union and keep you informed about changes in the ongoing legislative process. In each of our articles, we give you a brief overview of a specific topic, presenting the most important aspects and practical implications.

Lawyer, Senior Associate
Johannes Zwerschke, LL.M.
