EU Data Act: Hand over the data!

The EU Data Act came into force in December 2023. It aims to create a new legal framework for handling data that will not only affect US tech giants. The EU Data Act will have an impact on many companies that process data, including medical device manufacturers. 

This article will help you assess:

• whether and under what circumstances this proposed law will affect you
• its potential consequences for you, your devices and your services

1. EU Data Act: what it's about

a) Situation

There’s no turning back the tide of digitization:

• A vast number of our activities depend on, are affected by or are even controlled by IT systems.
• These systems’ users are directly and indirectly generating data in unprecedented quantities.
• The US tech companies dominate data storage and processing, and use this data for themselves, e.g., to improve their products and services or for advertising.
• Providers often store data in data silos that even users only have partial access to. This is particularly the case for data generated based on users’ activities but not directly entered by them.

b) Complication

The US tech companies’ dominance threatens fair competition and European companies are finding it difficult to survive in the face of this challenge.

Users/customers of these dominant providers are left with only two options: take it or leave it. Even switching from one provider to another is difficult due to lock-ins.

Since a lot of the data is difficult to access, it is not as easy as it should be to create new applications that link these data sources and thus unlock the benefits of digitization.

Even public bodies such as public administrators do not get access to the data, which can make it difficult for them to do their job. We saw the consequences of this during the pandemic. For example, it was and still is very difficult to track hospital bed occupation or the population’s vaccine status in real time.

c) Solution

The European Commission believes that the EU Data Act will eliminate these difficulties and create the legal basis for a fair, efficient and effective use of data and thus for the digital transformation of European economic operators.

2. Requirements of the EU Data Act

a) Chapter II: B2B and B2C data sharing

Micro and small enterprises are exempt

A bit of good news first: the requirements of this chapter do not apply to products or related services provided by micro or small enterprises (Article 7).

According to EU Recommendation 2003/361/EC, these are all enterprises that employ fewer than 50 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 10 million.

Companies must make data available

Users must be able to access the data generated by their use of products and services. (Article 4). They can even require the “data holder” (i.e., the party providing the product or service) to make this data available to a third party (Article 5).

This should be done “free of charge” and “without undue delay” or even, where applicable, “in real-time” (Article 4, 5).

For this reason, products must be designed so that these data are, by default, available quickly, easily and securely (Article 3).

Manufacturers are also subject to extensive obligations regarding the provision of information (Article 3). For example, they must provide information on the nature and volume of the data likely to be generated, whether this data is generated continuously and in real-time, and how users can access the data.

b) Chapter III: Additional obligations in the above contexts

The third chapter provides guidance on how to implement the requirements of the second chapter:

• The data must be provided under fair and non-discriminatory terms (Article 8). The data recipient and data sender must sign a corresponding contract.
• Compensation is allowed but must be reasonable. If the data user is an SME, the “data holder” must only charge its costs and not make any profit from the data (Article 9). It even has to disclose its calculations.

c) Chapter IV: Prohibition of unfair contractual terms

The fourth chapter only contains one article. Its aim is to protect SMEs, in particular, from unilateral contractual terms.

In this context, the EU understands unfair to mean, e.g., unilateral contractual terms relating to liability, damages, obligations to provide information, contract termination, etc.

d) Chapter V: Making data available to public stakeholders

If a public authority has an “exceptional need” to access certain data, companies must make the data available to these bodies as well (Articles 14, 15). This would be the case if the data were needed to prevent or respond to a “public emergency.”

The EU has kept another back door open: if the public authority cannot otherwise fulfill its explicitly stated statutory duties, they have a right to access the data.

e) Chapter VI: Switching between data processors

Chapter six changes focus. Now it is no longer a question of who has to provide which data to whom under what circumstances. Now the EU wants to ensure that data users can change their data processor as easily as possible.

To achieve this, the EU regulates, e.g.:

• Notice periods (Article 23, 24)
• The right to move the data to another provider (Articles 23, 24)
• Limits on the cost of this move (Article 25)
• The right of users to “enjoy” (sic!) functional equivalence with the new provider for defined services (“scalable and elastic computing resources limited to infrastructural elements”).

f) Chapter VII: International context

The seventh chapter provides guidelines on how to avoid breaching national or EU laws when exchanging data internationally. This explicitly doesn’t (just) relate to personal data.

For example, the EU requires providers to take specific measures to prevent government agencies from accessing non-personal data if such access would conflict with EU law (Article 27). It's clear who the authors have in mind.

g) Chapter VIII: Interoperability

“Operators of data spaces”

The requirements established in Chapter 8 governing interoperability are worth noting. They affect “operators of data spaces.” The draft regulation does not define the term “data space.” However, the definition of interoperability seems to suggest it understands it very broadly:

The requirements affect data storage providers, such as Amazon Web Services, among others (Article 28).

“Data processing service” providers

In Article 29, the Data Act extends the obligation to data processing service providers. It does define this term:

The EU wants to force these providers to be interoperable at all levels of interoperability. It gives itself the option of setting appropriate standards.

“Smart contract” providers

Lastly, the EU also wants to take a hard line with providers whose applications use “smart contracts.” These requirements only partially relate to interoperability, even though Article 30 is also part of Chapter Eight (“Interoperability”).

Instead, the requirements relate to robustness, safe termination of algorithms, archiving, availability, and access control.

The EU regulation remains a little vague, but gives itself the right to have harmonized standards and common specifications developed and then required.

h) Chapter IX: “Enforcement”

The draft EU regulation provides for the same penalties as the GDPR: up to EUR 20 million or up to 4% of annual turnover.

3. Impact on medical device manufacturers

a) Applicability of the EU Data Act

The proposed Data Act covers all products. It explicitly mentions “medical and health devices” in the recitals. It applies to, among others:

• “manufacturers of products and suppliers of related services placed on the market in the Union and the users of such products or services;”
• “data holders that make data available to data recipients in the Union;”
• “providers of data processing services offering such services to customers in the Union.”

This includes medical device manufacturers as well as companies that offer data processing services. The latter would include operators of apps, including digital health applications.

b) Mapping the requirements to medical devices

Data affected

All the above requirements also apply to medical devices. This includes the requirement in Article 4 mentioned above:

For example, if a user enters their weight into a digital health application, they can access this information directly. This does not create an obligation for the manufacturer.

If, on the other hand, the manufacturer generates further data from the use of its product, it would have to make this data available. This would include data calculated by the manufacturer, such as:

• Static evaluations of vital parameters
• Process indicators, such as process duration or the proportion of process terminations
• User behavior analyses

(Potentially) unaffected data

There will certainly be discussions about what constitutes “data generated by its use of a product.” The following could be controversial or even prohibited:

• Trained machine learning models (probably not because of “trade secrets”)
• Audit logs
• Data whose collection and provision puts patients at risk. For example, providing real-time data on an implant would decrease its battery life and mean explantation is required sooner

Consequences for manufacturers

The requirements of the Data Act will have a direct impact on manufacturers and their devices:

• Modify devices
  Devices must have interfaces that meet the interoperability requirements and provide the data “where applicable continuously and in real-time.”
• Increase IT security
  The obligation to make data available to third parties authorized by the user as well significantly increases the IT security requirements.
• Manage increased risk of competition
  The risk of competitors using the data is increasing. The EU actually explicitly prohibits users (Article 5(5)) from using the data for the development of competing products. But how do you prove something like that?
• Bear costs
  Providing data “free of charge” (Article 4(1)) increases costs. Article 9 then puts limits on the absence of costs but prohibits profiting from the provision of data to SMEs.

c) Comparable requirements

As tough as many medical device manufacturers will find the requirements, they are not entirely new: other laws have also tried to make accessing data and data portability easier. These laws include the German SGB V Section 374a (data from implants), the GDPR (data portability) and the paragraphs on interoperability in SGB V.

4. Conclusion, summary

a) A powerful intervention

The EU wants to make a big impact with the EU Data Act, and it will affect the future of Europe in the field of digitization. The consequences and interventions it provides for are correspondingly significant:

• It gives users the right to access the data they provide indirectly as well as directly and to decide what happens to data. “Data holders” even have to provide the data to third parties named by the users.
• That means a substantial restriction in contractual freedom, particularly as the duration of the contract is also limited.
• A lot of manufacturers will have to redesign their devices and IT systems to meet the requirements, including the interoperability requirements.

The EU is targeting US tech giants with the EU Data Act. But it affects a lot of other companies as well since the SME exceptions only relate to a few articles.

b) A lot remains unclear

It is normal for an EU regulation not to answer every question. But in the case of horizontal regulations, the intersection with vertical, i.e., sector-specific, regulations should be better clarified.

It is not even clear that the EU has managed to avoid creating contradictions with already existing regulations. We had a similar conflict with the draft of the aforementioned SGB V Section 374a. 

So, we still don’t know:

• Whether medical device manufacturers can get around the requirements by saying that making the data available increases the risks but not the benefits for patients and is, therefore, not allowed under the MDR and/or IVDR.
• What proof a manufacturer has to provide to demonstrate that its trade secrets are at risk.
• Who the Data Act considers to be the user of a device if both physicians and patients use a device and which data then has to be provided to which role.
• Which data manufacturers need to disclose when they train their machine learning models through use.

c) Wait and see can’t be the only strategy

The EU Data Act should be another sign for medical device manufacturers that the era of isolated medical devices is coming to an end.

Digital transformation does not mean equipping the existing metal box (please take this as a metaphor) with a data interface. Digital transformation means thinking in terms of processes.

Devices can be data sinks and data sources. But if they are not able to integrate into higher-level system landscapes and processes, they will find it difficult to survive on the market, whether the EU Data Act comes into effect in its current form or another form.

Change history 

• 2024-02-05: Link to final text added
• 2023-11-30: Note added that the Data Act has been passed 
• 2022-03-22: First version of the article referring to the draft regulation