Hogan Lovells 2024 Election Impact and Congressional Outlook Report
The incoming EU Data Act creates data access rights against manufacturers to benefit users of smart products. Smart vehicles are not an exception. Users (including companies) will have the right to access data collected by a smart car. However, manufacturers will still have options to reduce access in some exceptional circumstances. Let's have a look at the latest wording of the Data Act.
At the end of June 2023, the EU institutions reached an informal political agreement in the third trilogue negotiation on the final text of the upcoming Data Act. The text still has to be adopted by the Council and Parliament following a legal-linguistic revision. However, this is considered a mere formality. The (nearly) final text including a summary of the main elements of the tough-fought compromise can be found here.
The Data Act has several objectives. One of them is that manufacturers and designers of smart products will have an obligation to share data with the users of those products and with third parties designated by users. In the context of smart cars this sharing obligation will have substantive effects, as smart cars produce extensive data (personal and non-personal) arising from its use.
The current, nearly final text now gives a reliable picture of the main obligations that will arise. The Data Act pursues a horizontal approach in that it establishes the basic cross-sectoral framework for data sharing across the Internet of Things within the EU. More specific provisions will be set up for selected sectors – those that the European Commission (EC) considers as especially important for the EU Single Market. Connected vehicles is among these important fields in the eyes of the EC as shown by another proposal for a regulation to set the conditions for accessing and using “in-vehicle generated data” before the Data Act enters into force. This regulation is intended to complement the general rules of the Data Act in the automotive sector.
This Q&A, aims to address the key topics in relation to connected cars and the upcoming Data Act.
Data concerning the performance, use and environment of the smart car and related services during the common use by the user, including embedded applications (e.g., GPS position or captured images by sensors) and features indicating hardware status and malfunctions (e.g., engineer data such as a manufacturer specific error code).
Data generated during times of inaction by the user, in stand-by or even switched off (e.g., the status of batteries).
“Raw data” and also “pre-processed data” (which may include data enriched with metadata, including basic context and timestamp to make the data usable, data re-formatted into a commonly-used format, etc.).
Information derived from the raw data, such as the outcome of additional analysis and investments.
Data that the connected vehicle generates when the user records, transmits, displays or plays content as well as the content itself.
Data generated by the use of a product that the manufacturer designed in a way that it is not retrievable (e.g., not via an electronic communications service, a physical connection or on-device access).
The general rule is that the data holder (i.e., the manufacturer) shall share data with the user or the third party even if it is under protection of trade secrets laws. That means, that the data holder cannot in principle refuse a data access request only on the basis of certain data considered as trade secrets, as this would undo the intended effects of the Data Act. However:
The data holder can require confidentiality obligations and technical measures to protect the secrecy of data (e.g., through contractual terms, confidentiality agreements, strict access protocols, technical protection standards and the application of codes of conduct).
The data holder can withhold or suspend data sharing when the confidentiality of trade secrets can be undermined. That is the case if: (i) there is no agreement on the necessary measures; or (ii) if the user fails to implement the agreed measures or undermines the confidentiality of the trade secrets; or (iii) if the user undermines in principal the confidentiality of the trade secrets. The decision of the data holder must be duly substantiated and provided in writing without undue delay to the user. In addition, in such cases, the data holder has to notify the national competent authority.
In exceptional circumstances, the data holder may refuse on a case-by-case basis the request for access to the specific data, when it can demonstrate that it is “highly likely” to suffer “serious economic damage” from the disclosure. “Serious economic damage” implies serious and irreparable economic losses (cf. Recital 28a). It is completely unclear what that means. However, we expect that the threshold will be very high. Such demonstration must be duly substantiated, based on objective elements, in particular the enforceability of trade secrets protection in third countries, the nature and level of confidentiality of the data requested, the uniqueness and novelty of the product, and provided in writing and without undue delay. In addition, in such cases, the data holder has to notify the national competent authority.
The data user is the one entitled to request the data. Data users can be:
A physical person (i.e., a person that has purchased or rented a car from the manufacturer); and
Also a legal person (this could be the case of companies that make use of a fleet of vehicles, etc.). However, there could be cases (e.g., rental car services) where there could be doubts regarding who is the data user, e.g. the rental car company or the person that rents the car. This will require further clarification.
If the user is the recipient of the data (among others):
Where technically possible, data could be accessed directly by the user from an on-device data storage or from a remote server which receives the data.
Where the direct access is not possible, the manufacturer must make data available (and metadata) without undue delay, free of charge, easily, securely, in a structured, commonly used and machine-readable format and, where applicable, of the same quality.
Contractual restrictions can be agreed on restricting or prohibiting the access, use or further sharing of data if this could undermine security requirements as laid down by the law (ie. resulting in serious adverse effect on the health, safety or security of human beings). This is particularly relevant in the context of smart cars if the sharing of data can jeopardize the personal safety.
Users cannot use the data to produce a product that competes with the product from which the accessed data originates.
If data is protected by trade secrets laws, the parties will agree on the necessary measures by means of an agreement (including technical and organizational measures) to preserve confidentiality.
An agreement is not required when the user is the recipient. If the user is also a consumer, the manufacturer must take into account that high threshold of protection that consumers are afforded in the European Union.
If the recipient of data is a third party (and upon the previous request of the user), the manufacturer must make data available (and metadata) without undue delay, free of charge, easily, securely, in a structured, commonly used and machine-readable format and, where applicable, of the same quality.
However (among others):
If data is protected by trade secrets laws, the data holder and the third party will agree on the necessary measures by means of an agreement (including technical and organizational measures) to preserve confidentiality.
Data recipients cannot use the data to produce a product that competes with the product from which the accessed data originates (but can use data to provide maintenance services).
Data recipients cannot make the data available to other parties unless necessary to provide the service requested by the user.
Data recipients cannot prevent the user that is a consumer from making the data available to other parties.
If the data recipient is the user, the answer is no.
If the data recipient is a third party, the answer is yes. The parties shall agree on a reasonable compensation, which may include a margin.
When the user is a physical person, the sharing shall be understood as an extended right of access or portability under the General Data Protection Regulation (GDPR).
In this context, a legal basis will be necessary to share the data. When the data is disclosed to the user as the data subject, the legal basis will be “created” by the Data Act itself. Indeed, data holders will be able to rely on the need to comply with a legal obligation as the applicable legal basis provided for in Art. 6(1c) GDPR.
When the user is a legal person (and thus, not the data subject) or when the recipient is different from the user, it is mandatory to put in place: (i) another legal basis under Art. 6 GDPR (different from the need to comply with a legal obligation); (ii) (where applicable) a derogation to process sensitive data under Art. 9 GDPR; and (iii) grounds under Art. 5(3) ePrivacy Directive. In this scenario, the Data Act will not create a new legal basis enabling the disclosure.
In this context, from the perspective of connected vehicles, the data holder (i.e., the manufacturer) will need to determine whether the user is an enterprise or the data subject. In the latter case, such request can easily be addressed from a data protection perspective by relying on the need to comply with the Data Act sharing obligations (notwithstanding the need to verify the data subject’s identity as well as other data protection obligations).
In cases where the user is an enterprise, Recital 30 of the Data Act suggests that, in order to disclose such data, the controller(s) should rely on other legal basis such as consent or the need to perform a contract. Another alternative which is also suggested (e.g., at the end of Recital 7) is to apply measures such as anonymization of the data.
However, when no legal basis can be applied or anonymization is not feasible, it is unclear whether the manufacturer may be able to reject the request in order to avoid breaching the GDPR.
Lastly, enterprises acting as users should also consider that when accessing such personal data, they could become data holders in cases of joint controllership (art. 26 GDPR) in relation to data subjects (who would be the users in these cases), if the corresponding requirements are met.
The data holder must only use any non-personal data generated by the use of a product or related service on the basis of a contractual agreement with the user. The use of data to obtain insights about the economic situation, assets and production methods of the user is prohibited. In addition, if the user is also a consumer, the contractual terms shall be carefully drafted to respect EU consumer laws.
With respect to personal data, the vehicle manufacturer must respect the GDPR and where applicable the ePrivacy Directive (as transposed into national legislations).
Connected products and related services must be designed in such a manner that data generated by their use that are readily available to the data holder are also directly accessible to the user. This data also includes the metadata that is necessary to interpret and use the generated data.
The design must also ensure that the data is made accessible in the following manner: (i) by default; (ii) free of charge; (iii) easily; (iv) securely and; (v) where relevant and appropriate, in a structured, commonly used and machine-readable format. Furthermore, where applicable, data shall be of the same quality as is available to the data holder, and made available continuously and in real-time.
From a data protection perspective, products should also be designed to minimize potential risks to the fundamental rights of individuals. Measures may involve pseudonymisation and encryption as well as the use of technology that permits algorithms to be brought to the data and allow valuable insights to be derived while only processing the necessary data.
Car manufacturers should start thinking of updating their T&Cs to try to reduce the impact of the sharing obligations under the Data Act.
Car manufacturers should put in place appropriate safeguards to protect confidential information.
Companies interested in obtaining data arising from smart cars should start developing a strategy to engage with car users to obtain authorization.
Privacy is a key element in this context. Privacy teams should be involved to ensure compliance with applicable privacy laws.
The Data Act will have a fundamental impact on the Internet of Things - and thus, of course, also on connected cars. The political agreement on the Data Act reached by the EU institutions must still be formally approved by the two legislative organs. Once adopted, the Data Act will enter into force on the twentieth day following its publication in the Official Journal of the European Union and will then become applicable 20 months after its entry into force. So the big impact will be evident in around two years for anyone who collects or needs data. We will of course be monitoring and reporting on developments.
Authored by Juan Ramón Robles, Cristina Barón, Jasper Siems, and Michael Niehaus.