EU Data Act Regulating the Use of Data from Smart Devices (IoT)
The European Parliament recently approved the EU Data Act. The law aims to impose new regulations on manufacturers and suppliers of smart devices and on processors of data generated by smart devices.
The law refers to manufacturers, suppliers, and data service providers of “connected products.” These are defined as items that obtain, generate, or collect data concerning their use or environment, and that can communicate such data to others, and whose primary function is not data processing or storage. In other words, the law targets “smart” (IoT) products, which allow the user to control various actions online and which collect data about users and their activities. (Examples of such products include smart lighting systems, smart vacuum cleaners, smart doorbells, etc.)
Aspects of the Law
The EU Data Act requires manufacturers and suppliers of these products, as well as parties processing the data received from the devices, to comply with the following provisions:
- Allow users to access and use the data generated and stored about them by the devices.
- Enable users to transfer the data between different services.
- Ensure the ability to use the data in a variety of systems.
- Comply with provisions pertaining to any regulation of the data market in Europe.
In addition, the law allows European public sector bodies to obtain data held by companies in the private sector, under exceptional circumstances.
Implications of the Law
The law is expected to come into effect at the end of July 2025. The full implications for companies that manufacture, supply, and process data relating to smart devices are still unclear. During the interim until the law comes into effect, particular changes will be required in the way companies collect and store data from connected products. We also assess that companies will need to develop and implement up-to-date procedures regarding the collection and management of data originating from smart devices and regarding user requests concerning such data. Companies will also need to examine product licensing and use agreements so that the issue of data ownership is consistent with the provisions of the law.
***
Barnea Jaffa Lande’s Privacy, Data Protection and Cyber Department is at your service to answer any questions about the IoT and other privacy questions.
Dr. Avishay Klein is a partner and heads the department.
Adv. Masha Yudashkin is an associate in the department.