Most devices today are smart and connected to the Internet. Those devices collect an extensive amount of valuable data. Being able to share that data with other parties provides innovative benefits, whereas currently that data is usually only available to the manufacturer or seller of the device or the provider of a device-related service. With the advent of the Data Regulation, this should change. This regulation, also known as the Data Act, aims to improve access to data generated by smart devices. On the other hand, the Data Act also protects the user by giving them control over the data generated by the use of smart devices.
One of the most important themes of the Data Act is the right of the user of a smart device (Internet of Things, "IoT") to access and share that data with third parties at the user's request. The manufacturer must take into account already at the product design stage that the data collected by the device (including metadata) must be made available to the user and/or third parties. The user is also entitled to information about the data the device collects and how the user can access or delete the data.
The data from the smart devices is of interest to third parties. They can use that data to offer new services or improve existing ones. When sharing data with third parties, the protection of personal data must be taken into account and possible trade secrets must be kept confidential. The data recipient may only process the data for the purposes and under the conditions agreed upon with the user. Parties exchanging data may agree on a fee for sharing the data. However, that fee should be non-discriminatory and reasonable, but it may include a margin. If the data recipient is a small or medium-sized enterprise, however, the fee may not exceed the cost of making the data available. Furthermore, the Data Act contains a list of terms considered unreasonable in the contractual relationship between the data provider (the manufacturer, seller or service provider holding data, also referred to under the Data Act as "data holder") and recipient. Again, the goal is to protect small and medium-sized businesses by preventing unilateral imposition of unreasonable agreements.
Finally, the Data Act still establishes means for government agencies to access data when there is exceptional need and creates rules so that it is easier for cloud service customers to switch providers.
The Data Act may cause contractual terms to be scrutinized or modified. This is especially true with respect to contracts entered into with the user of the smart device, both for the manufacturer or vendor and the data recipient. A data recipient that offers a product or service (e.g., data analytics software) that uses data from smart devices can contractually frame the user's instruction to provide the data it needs to offer its service. By doing so, the potential recipient avoids having to ask for that instruction on a per-user basis at a later date, or depending on the user to receive the data.
Parties that have previously entered into contracts about being allowed to use data from smart devices can use the Data Act to (re)negotiate the compensation for that data. When agreeing on that fee, the costs of making data available, investments in data collection and production, size, format and nature of the data should be taken into account. It is up to the data holder to be transparent about the basis for calculating the fee so that the data recipient can assess whether the fee is non-discriminatory and reasonable.
Above all, however, the Data Act provides grounds for new contracts for the exchange of data. The Data Act provides the principles for doing so. First, the data holder and the data recipient must contract on fair, reasonable and non-discriminatory terms. Unilaterally imposed and unfair terms are not binding. Unfair terms are those that, by their nature and use, depart significantly from good business practices in data access and use or are contrary to good faith and fair dealing. Since that does not provide much clarity, the Data Act also provides examples of unfair terms. For example, contractual terms are unfair if they limit liability for willful misconduct or gross negligence or give the party imposing the term the exclusive right to interpret the contract. Such clauses will also generally not hold up under Dutch law. In addition, there are also clauses that are deemed unfair, so the party invoking them will have to substantiate them. Despite the fact that the Data Act creates a number of contractual principles and parties will obviously have to take these into account, parties are still free to determine the contractual conditions for the provision of data themselves on the basis of the freedom of contract.
Although the Data Act already took effect in January 2024, most of its provisions will not take effect until September 2025 and some even later.
