The Council of the European Union has adopted the European Data Act to “harmonise” fair access to and use of data for individuals, businesses, and government regardless of whether the data contains personal information.
Following the Data Governance Act adopted by the co-legislators in 2022, the Data Act is the second main piece of legislation that is the result of the European Commission’s February 2020 European strategy for data.
The new regulation puts obligations on manufacturers and service providers to let user companies or individuals access and reuse the data generated by, or through, products or services in all economic sectors, according to the Council. It also allows users to share data with third parties. For example, car owners could choose, in the future, to share certain vehicle data with a repairer or insurance company.
The purpose of the act is to:
- “Ensure fairness in the allocation of value from data among actors in the digital environment;
- “Stimulate a competitive data market;
- “Open opportunities for data-driven innovation;
- “Make data more accessible to all;
- “Ease data processing services provider switching;
- “Puts in place safeguards against unlawful data transfer”; and
- “Provides for the development of interoperability standards for data to be reused between sectors.”
“The Data Act will give both individuals and businesses more control over their data through a reinforced portability right, copying or transferring data easily from across different services, where the data are generated through smart objects, machines, and devices,” the Council said. “The new law will empower consumers and companies by giving them a say on what can be done with the data generated by their connected products.”
In the U.S., “right to repair (R2R)” is often conflated with data access, with repairability used to politicize change rather than the desire for data access being stated directly. Conversely, the EU Data Act more directly allows users of all connected devices to have access to the data generated on them, which, according to the Council, is “often exclusively harvested by manufacturers and service providers.”
The argument in the U.S. is that independent repairers and owners of vehicles and electronics don’t have the same access to data and information necessary to complete repairs as dealers and OEMs.
R2R legislation is being mandated state by state and attempts have been made to mandate it at the federal level.
The most recent occurred in November when Maine voters approved an R2R referendum with a landslide 321,055 “yes” votes (84.3%). However, several trade organizations say voters may have been misled. There has also been criticism of funding for the campaign, which came mostly from out-of-state donors and big-box auto retailers.
Proponents of R2R initiatives, including the Maine Right to Repair Coalition, believe that independent repairers, owners, and anyone not affiliated with a dealership or OEM are being restricted from access to information necessary to conduct and/or complete repairs. The Alliance for Automotive Innovation (Auto Innovators) has long shot down that argument, pointing back to a 2014 memorandum of understanding (MOU) OEMs signed with the automotive aftermarket.
In July, Auto Innovators, along with the Society of Collision Repair Specialists (SCRS) and Automotive Service Association (ASA), affirmed the 2014 MOU regarding R2R that, in part, states, “independent repair facilities shall have access to the same diagnostic and repair information that auto manufacturers make available to authorized dealer networks.”
In February, federal legislators re-introduced the Right to Equitable and Professional Auto Industry Repair (REPAIR) Act (H.R. 906). Supporters claim the legislation would ensure access to “all tools and equipment; wireless transmission of repair and diagnostic data; and access to on-board diagnostic and telematic systems needed to repair a vehicle.”
The REPAIR Act passed out of the U.S. House Subcommittee on Innovation, Data, and Commerce last month but wasn’t included on the final House Committee on Energy and Commerce markup of the year, precluding any further likely action on the legislation until next year, at the earliest.
A coalition of opponents addressed the House Committee on Energy and Commerce in an Oct. 31 letter to Congress. The coalition included SCRS, Auto Innovators, the American Automotive Policy Council (AAPC), American International Automobile Dealers Association (AIADA), ASA, Autos Drive America, National Association of Minority Automobile Dealers (NAMAD), National Automobile Dealers Association (NADA), TechNet, Truck & Engine Manufacturers Association (EMA), and Zero Emission Transportation Association (ZETA).
They wrote that the REPAIR Act requirements “undercut U.S. innovation and undermine the privacy, security, and safety of U.S. consumers.”
Europe’s Data Act, the European Council says, will allow consumers to easily move from one cloud provider to another and be safeguarded against unlawful data transfers. The act also includes interoperability standards for data sharing and processing. Another goal is for the new law to make after-sale service of certain devices cheaper and more efficient.
Internet of Things (IoT) devices, which are connected over a network through software and sensors and include vehicles, are governed by the new law with respect to the data that’s collected rather than the products themselves.
According to Article 2, IoT is referred to as a “connected product,” meaning “an item that obtains, generates, or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection, or on-device access, and whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user.”
The Council says the new law protects trade secrets and intellectual property rights while also preventing unfair data-sharing contract terms.
“The regulation provides the means for public sector bodies, the Commission, the European Central Bank, and EU bodies to access and use data held by the private sector that is necessary in exceptional circumstances, particularly in case of a public emergency, such as floods and wildfires, or to fulfil a task in the public interest,” the Council said.
“When it comes to such requests to access data in the ‘business to government’ context, the new regulation provides that personal data will only be shared in exceptional circumstances, such as a natural disaster, a pandemic, a terror attack, and if the data required is not otherwise accessible. Micro and small-sized enterprises will also contribute their data in such cases and will be compensated.”
The regulation applies to:
- “Manufacturers of connected products placed on the market in the Union and providers of related services, irrespective of the place of establishment of those manufacturers and providers;
- “Users in the Union of connected products or related services as referred to in point (a);
- “Data holders, irrespective of their place of establishment, that make data available to data recipients in the Union;
- “Data recipients in the Union to whom data are made available;
- “Public sector bodies, the Commission, the European Central Bank and Union bodies that request data holders to make data available where there is an exceptional need for those data for the performance of a specific task carried out in the public interest and to the data holders that provide those data in response to such request;
- “Providers of data processing services, irrespective of their place of establishment, providing such services to customers in the Union”; and
- “Participants in data spaces and vendors of applications using smart contracts and persons whose trade, business or profession involves the deployment of smart contracts for others in the context of executing an agreement.”
The act will be in effect by the second half of 2025.