CHAPTER I: GENERAL PROVISIONS (Articles 1 — 2)
CHAPTER II: BUSINESS TO CONSUMER AND BUSINESS TO BUSINESS DATA SHARING (Articles 3 — 7)
CHAPTER III: OBLIGATIONS FOR DATA HOLDERS OBLIGED TO MAKE DATA AVAILABLE PURSUANT TO UNION LAW (Articles 8 — 12)
CHAPTER IV: UNFAIR CONTRACTUAL TERMS RELATED TO DATA ACCESS AND USE BETWEEN ENTERPRISES (Articles 13 — 13)
CHAPTER V: MAKING DATA AVAILABLE TO PUBLIC SECTOR BODIES, THE COMMISSION, THE EUROPEAN CENTRAL BANK AND UNION BODIES ON THE BASIS OF AN EXCEPTIONAL NEED (Articles 14 — 22)
CHAPTER VI: SWITCHING BETWEEN DATA PROCESSING SERVICES (Articles 23 — 31)
CHAPTER VII: UNLAWFUL INTERNATIONAL GOVERNMENTAL ACCESS AND TRANSFER OF NON-PERSONAL DATA (Articles 32 — 32)
CHAPTER VIII: INTEROPERABILITY (Articles 33 — 36)
CHAPTER IX: IMPLEMENTATION AND ENFORCEMENT (Articles 37 — 42)
CHAPTER X: SUI GENERIS RIGHT UNDER DIRECTIVE 96/9/EC (Articles 43 — 43)
CHAPTER XI: FINAL PROVISIONS (Articles 44 — 50)
To foster the emergence of liquid, fair and efficient markets for non-personal data, users of connected products should be able to share data with others, including for commercial purposes, with minimal legal and technical effort. It is currently often difficult for businesses to justify the personnel or computing costs that are necessary for preparing non-personal datasets or data products and to offer them to potential counterparties via data intermediation services, including data marketplaces. A substantial hurdle to the sharing of non-personal data by businesses therefore results from the lack of predictability of economic returns from investing in the curation and making available of datasets or data products. In order to allow for the emergence of liquid, fair and efficient markets for non-personal data in the Union, the party that has the right to offer such data on a market must be clarified. Users should therefore have the right to share non-personal data with data recipients for commercial and non-commercial purposes. Such data sharing could be performed directly by the user, upon the request of the user via a data holder, or through data intermediation services. Data intermediation services, as regulated by Regulation (EU) 2022/868 of the European Parliament and of the Council, could facilitate a data economy by establishing commercial relationships between users, data recipients and third parties and may support users in exercising their right to use data, such as ensuring the anonymisation of personal data or aggregation of access to data from multiple individual users. Where data are excluded from a data holder’s obligation to make them available to users or third parties, the scope of such data could be specified in the contract between the user and the data holder for the provision of a related service so that users can easily determine which data are available to them for sharing with data recipients or third parties.
Data holders should not make available non-personal product data to third parties for commercial or non-commercial purposes other than the fulfilment of their contract with the user, without prejudice to legal requirements pursuant to Union or national law for a data holder to make data available. Where relevant, data holders should contractually bind third parties not to further share data received from them.
In sectors characterised by the concentration of a small number of manufacturers supplying connected products to end users, there may only be limited options available to users for the access to and the use and sharing of data. In such circumstances, contracts may be insufficient to achieve the objective of user empowerment, making it difficult for users to obtain value from the data generated by the connected product they purchase, rent or lease. Consequently, there is limited potential for innovative smaller businesses to offer data-based solutions in a competitive manner and for a diverse data economy in the Union. This Regulation should therefore build on recent developments in specific sectors, such as the Code of Conduct on agricultural data sharing by contract. Union or national law may be adopted to address sector-specific needs and objectives. Furthermore, data holders should not use any readily available data that is non-personal data in order to derive insights about the economic situation of the user or its assets or production methods or about such use by the user in any other manner that could undermine the commercial position of that user on the markets in which it is active. This could include using knowledge about the overall performance of a business or a farm in contractual negotiations with the user on the potential acquisition of the user’s products or agricultural produce to the user’s detriment, or using such information to feed into larger databases on certain markets in the aggregate, for example databases on crop yields for the upcoming harvesting season, as such use could affect the user negatively in an indirect manner. The user should be given the necessary technical interface to manage permissions, preferably with granular permission options such as ‘allow once’ or ‘allow while using this app or service’, including the option to withdraw such permissions.
The user should be free to use the data for any lawful purpose. This includes providing the data the user has received while exercising its rights under this Regulation to a third party offering an aftermarket service that may be in competition with a service provided by a data holder, or to instruct the data holder to do so. The request should be submitted by the user or by an authorised third party acting on a user’s behalf, including a provider of a data intermediation service. Data holders should ensure that the data made available to the third party is as accurate, complete, reliable, relevant and up-to-date as the data the data holder itself may be able or entitled to access from the use of the connected product or related service. Any intellectual property rights should be respected in the handling of the data. It is important to preserve incentives to invest in products with functionalities based on the use of data from sensors built into those products.
Directive (EU) 2016/943 of the European Parliament and of the Council provides that the acquisition, use or disclosure of a trade secret shall be considered to be lawful, inter alia, where such acquisition, use or disclosure is required or allowed by Union or national law. While this Regulation requires data holders to disclose certain data to users, or third parties of a user’s choice, even when such data qualify for protection as trade secrets, it should be interpreted in such a manner as to preserve the protection afforded to trade secrets under Directive (EU) 2016/943. In this context, data holders should be able to require users, or third parties of a user’s choice, to preserve the confidentiality of data considered to be trade secrets. To that end, data holders should identify trade secrets prior to the disclosure, and should have the possibility to agree with users, or third parties of a user’s choice, on necessary measures to preserve their confidentiality, including by the use of model contractual terms, confidentiality agreements, strict access protocols, technical standards and the application of codes of conduct. In addition to the use of model contractual terms to be developed and recommended by the Commission, the establishment of codes of conduct and technical standards related to the protection of trade secrets in handling the data could help achieve the aim of this Regulation and should be encouraged. Where there is no agreement on the necessary measures or where a user, or third parties of the user’s choice, fail to implement agreed measures or undermine the confidentiality of the trade secrets, the data holder should be able to withhold or suspend the sharing of data identified as trade secrets. 
In such cases, the data holder should provide the decision in writing to the user or to the third party without undue delay and notify the competent authority of the Member State in which the data holder is established that it has withheld or suspended data sharing and identify which measures have not been agreed or implemented and, where relevant, which trade secrets have had their confidentiality undermined. Data holders cannot, in principle, refuse a data access request under this Regulation solely on the basis that certain data is considered to be a trade secret, as this would subvert the intended effects of this Regulation. However, in exceptional circumstances, a data holder who is a trade secret holder should be able, on a case-by-case basis, to refuse a request for the specific data in question if it is able to demonstrate to the user or to the third party that, despite the technical and organisational measures taken by the user or by the third party, serious economic damage is highly likely to result from the disclosure of that trade secret. Serious economic damage implies serious and irreparable economic loss. The data holder should duly substantiate its refusal in writing without undue delay to the user or to the third party and notify the competent authority. Such a substantiation should be based on objective elements, demonstrating the concrete risk of serious economic damage expected to result from a specific data disclosure and the reasons why the measures taken to safeguard the requested data are not considered to be sufficient. A possible negative impact on cybersecurity can be taken into account in that context. 
Without prejudice to the right to seek redress before a court or tribunal of a Member State, where the user or a third party wishes to challenge the data holder’s decision to refuse or to withhold or suspend data sharing, the user or the third party can lodge a complaint with the competent authority, which should, without undue delay, decide whether and under which conditions data sharing should start or resume, or can agree with the data holder to refer the matter to a dispute settlement body. The exceptions to data access rights in this Regulation should not in any case limit the right of access and right to data portability of data subjects under Regulation (EU) 2016/679.
A third party to whom data is made available may be a natural or legal person, such as a consumer, an enterprise, a research organisation, a not-for-profit organisation or an entity acting in a professional capacity. In making the data available to the third party, a data holder should not abuse its position to seek a competitive advantage in markets where the data holder and the third party may be in direct competition. The data holder should not therefore use any readily available data in order to derive insights about the economic situation, assets or production methods of, or the use by, the third party in any other manner that could undermine the commercial position of the third party on the markets in which the third party is active. The user should be able to share non-personal data with third parties for commercial purposes. Upon the agreement with the user, and subject to the provisions of this Regulation, third parties should be able to transfer the data access rights granted by the user to other third parties, including in exchange for compensation. Business-to-business data intermediaries and personal information management systems (PIMS), referred to as data intermediation services in Regulation (EU) 2022/868, may support users or third parties in establishing commercial relations with an undetermined number of potential counterparties for any lawful purpose falling within the scope of this Regulation. They could play an instrumental role in aggregating access to data so that big data analyses or machine learning can be facilitated, provided that users remain in full control of whether to provide their data to such aggregation and the commercial terms under which their data are to be used.
The use of a connected product or related service may, in particular when the user is a natural person, generate data that relates to the data subject. Processing of such data is subject to the rules established under Regulation (EU) 2016/679, including where personal and non-personal data in a dataset are inextricably linked. The data subject may be the user or another natural person. Personal data may only be requested by a controller or a data subject. A user who is the data subject is, under certain circumstances, entitled under Regulation (EU) 2016/679 to access personal data concerning that user and such rights are unaffected by this Regulation. Under this Regulation, the user who is a natural person is further entitled to access all data generated by the use of a connected product, whether personal or non-personal. Where the user is not the data subject but an enterprise, including a sole trader, and not in cases of shared household use of the connected product, the user is considered to be a controller. Accordingly, such a user who as controller intends to request personal data generated by the use of a connected product or related service is required to have a legal basis for processing the data as required by Article 6(1) of Regulation (EU) 2016/679, such as the consent of the data subject or the performance of a contract to which the data subject is a party. Such user should ensure that the data subject is appropriately informed of the specified, explicit and legitimate purposes for processing those data, and of how the data subject may exercise their rights effectively. Where the data holder and the user are joint controllers within the meaning of Article 26 of Regulation (EU) 2016/679, they are required to determine, in a transparent manner by means of an arrangement between them, their respective responsibilities for compliance with that Regulation. 
It should be understood that such a user, once data has been made available, may in turn become a data holder if that user meets the criteria under this Regulation and thus becomes subject to the obligations to make data available under this Regulation.
Product data or related service data should only be made available to a third party at the request of the user. This Regulation complements accordingly the right, provided for in Article 20 of Regulation (EU) 2016/679, of data subjects to receive personal data concerning them in a structured, commonly used and machine-readable format, as well as to port those data to another controller, where those data are processed by automated means on the basis of Article 6(1), point (a), or Article 9(2), point (a), or of a contract pursuant to Article 6(1), point (b) of that Regulation. Data subjects also have the right to have the personal data transmitted directly from one controller to another, but only where that is technically feasible. Article 20 of Regulation (EU) 2016/679 specifies that it pertains to data provided by the data subject but does not specify whether this necessitates active behaviour on the side of the data subject or whether it also applies to situations where a connected product or related service, by its design, observes the behaviour of a data subject or other information in relation to a data subject in a passive manner. The rights provided for under this Regulation complement the right to receive and port personal data under Article 20 of Regulation (EU) 2016/679 in a number of ways. This Regulation grants users the right to access and make available to a third party any product data or related service data, irrespective of their nature as personal data, of the distinction between actively provided or passively observed data, and irrespective of the legal basis of processing. Unlike Article 20 of Regulation (EU) 2016/679, this Regulation mandates and ensures the technical feasibility of third party access for all types of data falling within its scope, whether personal or non-personal, thereby ensuring that technical obstacles no longer hinder or prevent access to such data. 
It also allows data holders to set reasonable compensation to be met by third parties, but not by the user, for costs incurred in providing direct access to the data generated by the user’s connected product. If a data holder and a third party are unable to agree on terms for such direct access, the data subject should in no way be prevented from exercising the rights laid down in Regulation (EU) 2016/679, including the right to data portability, by seeking remedies in accordance with that Regulation. It is to be understood in this context that, in accordance with Regulation (EU) 2016/679, a contract does not allow for the processing of special categories of personal data by the data holder or the third party.
Access to any data stored in and accessed from terminal equipment is subject to Directive 2002/58/EC and requires the consent of the subscriber or user within the meaning of that Directive unless it is strictly necessary for the provision of an information society service explicitly requested by the user or by the subscriber or for the sole purpose of the transmission of a communication. Directive 2002/58/EC protects the integrity of a user’s terminal equipment regarding the use of processing and storage capabilities and the collection of information. Internet of Things equipment is considered to be terminal equipment if it is directly or indirectly connected to a public communications network.