DA Article 6. Obligations of third parties receiving data at the request of the user

The aim of this Regulation is not only to foster the development of new, innovative connected products or related services, stimulate innovation on aftermarkets, but also to stimulate the development of entirely novel services making use of the data concerned, including based on data from a variety of connected products or related services. At the same time, this Regulations aims to avoid undermining the investment incentives for the type of connected product from which the data are obtained, for instance, by the use of data to develop a competing connected product which is considered to be interchangeable or substitutable by users, in particular on the basis of the connected product’s characteristics, its price and intended use. This Regulation provides for no prohibition on the development of a related service using data obtained under this Regulation as this would have an undesirable discouraging effect on innovation. Prohibiting the use of data accessed under this Regulation for developing a competing connected product protects data holders’ innovation efforts. Whether a connected product competes with the connected product from which the data originates depends on whether the two connected products are in competition on the same product market. This is to be determined on the basis of the established principles of Union competition law for defining the relevant product market. However, lawful purposes for the use of the data could include reverse engineering, provided that it complies with the requirements laid down in this Regulation and in Union or national law. This may be the case for the purposes of repairing or prolonging the lifetime of a connected product or for the provision of aftermarket services to connected products.

A third party to whom data is made available may be a natural or legal person, such as a consumer, an enterprise, a research organisation, a not-for-profit organisation or an entity acting in a professional capacity. In making the data available to the third party, a data holder should not abuse its position to seek a competitive advantage in markets where the data holder and the third party may be in direct competition. The data holder should not therefore use any readily available data in order to derive insights about the economic situation, assets or production methods of, or the use by, the third party in any other manner that could undermine the commercial position of the third party on the markets in which the third party is active. The user should be able to share non-personal data with third parties for commercial purposes. Upon the agreement with the user, and subject to the provisions of this Regulation, third parties should be able to transfer the data access rights granted by the user to other third parties, including in exchange for compensation. Business-to-business data intermediaries and personal information management systems (PIMS), referred to as data intermediation services in Regulation (EU) 2022/868, may support users or third parties in establishing commercial relations with an undetermined number of potential counterparties for any lawful purpose falling within the scope of this Regulation. They could play an instrumental role in aggregating access to data so that big data analyses or machine learning can be facilitated, provided that users remain in full control of whether to provide their data to such aggregation and the commercial terms under which their data are to be used.

In order to prevent the exploitation of users, third parties to whom data has been made available at the request of the user should process those data only for the purposes agreed with the user and share them with another third party only with the agreement of the user to such data sharing.

In line with the data minimisation principle, third parties should access only information that is necessary for the provision of the service requested by the user. Having received access to data, the third party should process it for the purposes agreed with the user without interference from the data holder. It should be as easy for the user to refuse or discontinue access by the third party to the data as it is for the user to authorise access. Neither third parties nor data holders should make the exercise of choices or rights by the user unduly difficult, including by offering choices to the user in a non-neutral manner, or by coercing, deceiving or manipulating the user, or by subverting or impairing the autonomy, decision-making or choices of the user, including by means of a user digital interface or a part thereof. In that context, third parties or data holders should not rely on so-called ‘dark patterns’ in designing their digital interfaces. Dark patterns are design techniques that push or deceive consumers into decisions that have negative consequences for them. Those manipulative techniques can be used to persuade users, in particular vulnerable consumers, to engage in unwanted behaviour, to deceive users by nudging them into decisions on data disclosure transactions or to unreasonably bias the decision-making of the users of the service in such a way as to subvert or impair their autonomy, decision-making and choice. Common and legitimate commercial practices that comply with Union law should not in themselves be regarded as constituting dark patterns. Third parties and data holders should comply with their obligations under relevant Union law, in particular the requirements laid down in Directives 98/6/EC and 2000/31/EC of the European Parliament and of the Council and in Directives 2005/29/EC and 2011/83/EU.

Third parties should also refrain from using data falling within the scope of this Regulation to profile individuals unless such processing activities are strictly necessary to provide the service requested by the user, including in the context of automated decision-making. The requirement to erase data when no longer required for the purpose agreed with the user, unless otherwise agreed in relation to non-personal data, complements the data subject’s right to erasure pursuant to Article 17 of Regulation (EU) 2016/679. Where a third party is a provider of a data intermediation service, the safeguards for the data subject provided for by Regulation (EU) 2022/868 apply. The third party may use the data to develop a new and innovative connected product or related service but not to develop a competing connected product.

Start-ups, small enterprises, enterprises that qualify as a medium-sized enterprises under Article 2 of the Annex to Recommendation 2003/361/EC and enterprises from traditional sectors with less-developed digital capabilities struggle to obtain access to relevant data. This Regulation aims to facilitate access to data for those entities, while ensuring that the corresponding obligations are as proportionate as possible to avoid overreach. At the same time, a small number of very large enterprises have emerged with considerable economic power in the digital economy through the accumulation and aggregation of vast volumes of data and the technological infrastructure for monetising them. Those very large enterprises include undertakings that provide core platform services controlling whole platform ecosystems in the digital economy and which existing or new market operators are unable to challenge or contest. Regulation (EU) 2022/1925 of the European Parliament and of the Council aims to redress those inefficiencies and imbalances by allowing the Commission to designate an undertaking as a ‘gatekeeper’, and imposes a number of obligations on such gatekeepers, including a prohibition to combine certain data without consent and an obligation to ensure effective rights to data portability under Article 20 of Regulation (EU) 2016/679. In accordance with Regulation (EU) 2022/1925, and given the unrivalled ability of those undertakings to acquire data, it is not necessary to achieve the objective of this Regulation, and would therefore be disproportionate for data holders made subject to such obligations, to include gatekeeper as beneficiaries of the data access right. Such inclusion would also likely limit the benefits of this Regulation for SMEs, linked to the fairness of the distribution of data value across market actors. This means that an undertaking that provides core platform services that has been designated as a gatekeeper cannot request or be granted access to users’ data generated by the use of a connected product or related service or by a virtual assistant pursuant to this Regulation. Furthermore, third parties to whom data are made available at the request of the user may not make the data available to a gatekeeper. For instance, the third party may not subcontract the service provision to a gatekeeper. However, this does not prevent third parties from using data processing services offered by a gatekeeper. Nor does it prevent those undertakings from obtaining and using the same data through other lawful means. The access rights provided for in this Regulation contribute to a wider choice of services for consumers. As voluntary agreements between gatekeepers and data holders remain unaffected, the limitation on granting access to gatekeepers would not exclude them from the market or prevent them from offering their services.