Hogan Lovells 2024 Election Impact and Congressional Outlook Report
Now that the Data Act has been approved it will clearly be a revolution for the Internet of things (IoT) providers and for companies interested in accessing data generated by the IoT. The Data Act has finally envisaged the right of users of IoT devices to mandate this data to be shared with third party recipients, subject to conditions and limits.
In this context, IoT providers (data holders) and third-party recipients will need to enter into a data sharing agreement to regulate this data flow. The Data Act includes the option to use smart contracts for this purpose, meaning that for the first time, smart contracts have been regulated by the European Union for data sharing agreements. They bring several advantages, but also some limits and conditions apply as we will explore in this publication.
As data sharing agreements may vary minimally, for example only changing in scope a from one to another, smart contracts may be a effective in reducing costs. Smart contracts could also be used as a protection measure, to prevent unauthorised use of the data by the data recipients.
It’s worth noting that, the rules for smart contracts will also be applicable for any other kind of data sharing agreements, not only where a data holder needs to share data with recipients. In other words, any other player that, acting as vendor, makes use of smart contracts to execute data sharing agreements (potentially the crypto industry) will also be bound by the Data Act.
The Data Act is an EU “regulation”, which means that it will be directly applicable in the European Union without the need of EU members to adopt implementing laws.
The core of the Data Act is the obligation for manufacturers and designers of IoT devices to share, as data holders, the data generated by the use of the devices with the users (or third parties as instructed by the user). The “user” is any natural or legal person who has the right to use the IoT device. More info can be found in our previous post here.
The Data Act will be applicable as of September 2025.
The Data Act defines smart contract as a “computer program used for the automated execution of an agreement or part thereof, using a sequence of electronic data records and ensuring their integrity and the accuracy of their chronological ordering”. This means that once the parties have agreed on the use and content of the smart contract, the performance of the agreement will occur automatically (in full or in part).
It should be noted that the requirements for “regulated” smart contracts only apply to agreements with the purpose of “making data available”. This means that many different agreements that are in use in the industry (where there is an automated performance with the use of computer program) will need to comply with Data Act. On the other hand, the use of smart contracts with a purpose different from “making data available” will not be in-scope of the Data Act.
It is important to highlight that, in order to foster innovation, the notion of a smart contract is technologically neutral (eg. at least in theory it does not need to be based on blockchain solutions). Any technology that complies with the requirements of the Data Act and that could be used for the automatic execution of a data sharing agreement could fall within the concept of smart contract. A smart contract could be, for instance, connected to an electronic ledger.
The rules on smart contracts will not only affect data holders as manufacturers of IoT devices. It will also affect any vendor of applications making use of smart contracts in the context of executing an agreement or part of it, to make data available to third parties. In the absence of a vendor, the Data Act will apply to the person whose commercial activity involves making data available with the use of smart contracts.
Crypto industry may therefore be affected by the Data Act, as the use of smart contracts is prevalent (even being a core aspect) by crypto players. The fact that the Data Act may be applicable to smart contracts in the crypto environment has been very controversial. Even if it the application of the Data Act for the crypto industry may have not been an initial intention of the EU legislator, it could apply if the described conditions are met (eg. if the objective of the underlying agreement is the “sharing of data”).
Data holders of IoT products, if instructed by the data user, will need to share in-scope data with data recipients. This sharing of data will need to be regulated through a data sharing agreement, where the parties will need to agree the confidentiality obligations, the remuneration, the scope of the obligations and any other aspect that the holder and the recipient may want to include.
Due to (i) the potential multiple requests that will be carried out by third party recipients to obtain data from data holders, and that (ii) often the only difference between requests will be the categories of data, making the process quite repetitive - the Data Act has envisaged the possibility for data holders to make use of smart contracts when they act as vendors of the information.
In addition, the use of smart contracts could be a useful tool to avoid the unauthorised use of the data by data recipients or the breach of the data sharing agreement. If the “smart contract” can automatically stop the flow of data to the data recipient upon the occurrence of one of the situations that the parties have agreed to provoke this result, the data holder would be in a better position to defend its rights. For instance, the data holder would not need to be proactively monitoring recipient compliance as, for many situations, a situation of non-compliance would result in automatic consequences.
Vendors of applications using smart contracts to make data available shall comply with the following requirements of the Data Act:
The vendor shall perform a conformity assessment with the requirements above and issue an EU declaration of conformity. The EU Commission will request EU standardisation organisations to draft harmonised standards that satisfy the essential requirements laid down above. This has been considered as a positive gesture for the industry that will be able to participate in the design of the final and specific requirements.
The use of smart contracts in the context of data sharing agreements shall not undermine the applicability of relevant rules of civil, contractual and consumer protection. Those laws will apply regardless of the technology used for the execution of agreements.
For instance, agreements between data holders and data recipients cannot include unfair contractual terms (as regulated in Chapter IV of the Data Act). Agreements with consumers will need to comply with consumer laws and, in any case, agreements shall also comply with applicable civil and commercial laws.
Authored by Juan Ramón Robles