Although the Data Act is mostly focused on business-to-business and business-to-government data sharing, it is also important for consumer protection in the digital environment. As we can read in the proposal’s explanatory memorandum:
a high level of consumer protection is reinforced with the new right to access user generated data in situations previously not covered by Union law. The right to use and dispose of lawfully acquired possessions is reinforced with a right to access data generated from the use of an Internet of Things object. This way, the owner may benefit from a better user experience and a wider range of, for example, repair and maintenance services. In the context of consumer protection, the rights of children as vulnerable consumers deserve specific attention and the rules of the Data Act will contribute to clarity about data access and use situations. [p. 13]
and
The proposal facilitates the portability of the user’s data to third parties and thereby allows for a competitive offer of aftermarket services, as well as broader data-based innovation and the development of products or services unrelated to those initially purchased or subscribed to by the user. [p.13]
These assumptions are reflected mainly in Chapter II of the proposal, which introduces, among others:
- obligation to make data generated by the use of products or related services accessible (Article 3);
- the right of users to access and use data generated by the use of products or related services (Article 4);
- right to share data with third parties (Article 5);
- obligations of third parties receiving data at the request of the user (Article 6).
The proposal will now be further debated under the legislative path before the European Parliament and the Council. It will certainly be discussed among the scientific community and consumer organisations. The EC proposals, although at first glance reasonable and necessary, require an in-depth analysis, in particular from the perspective of already existing data protection and consumer law. Let us recall that under the GDPR, data subjects have the right of access to their data (Article 15 GDPR) and the right to data portability (Article 20 GDPR). The effective exercise of these rights is sometimes problematic in practice, for example due to the lack of actual control by the controller over data flows or the lack of interoperability between devices/services, making it impossible to transfer data from one provider to another. It is also important to remember that devices that we use every day as consumers may generate not only data containing personal information (and therefore qualifying as personal data), but also non-personal data of a technical nature, containing valuable information about how the devices function or are used by consumers. At the same time, due to the large volumes of data that are produced in IoT devices and services, the differences between personal and non-personal data are increasingly difficult to grasp. For these reasons, the Data Act is a piece of EU legislation that has been long awaited and much anticipated. We can therefore expect the debate surrounding this act to be very lively and interesting.