Why the EU Data Act might disrupt the IoT space
In this piece, I want to dive into some key points of the proposal, which if passed, have the potential to derail certain long term business strategies and to change the way IoT organisations are run.
Background
In a recent article, I discussed the foundations of the EU Data Act and I recommend you read it if you are looking for a basic understanding of the proposed legislation.
Tomorrow EU institutions will reconvene to discuss the EU Data Act and the outcome could mean a dramatic shake up in the way business is done in the world of IoT.
Before I go into the weeds, and because I know a large percentage of my audience are Privacy professionals, I want to highlight that the proposed EU Data Act is not a Data Protection and Privacy Legislation. It has many intersections and implications that will make Data Protection Leaders key stakeholders, and possibly responsible for operationalising parts of this act - I will discuss these in future posts, but for now let's say the EU Data Act is far broader than personal data.
It essentially aims to regulate industrial data and, whilst there is still some debate around the exact scope, it is likely to apply to personal and non personal data generated by the use of a product or service - meaning data recorded intentionally by the user or as a by-product of a user’s action. Imagine the data generated by your fitness tracker or your household’s use of a smart fridge. It will also apply to data generated by business users, for example an organisation who runs a fleet of connected vehicles that generate data through their employees driving those vehicles.
The contentious points
I am a big advocate of the EU Data Act - I believe that the democratisation of data is a good thing, but, as I have said before, it is not without disruption to current business models.
This piece is going to focus on some of the controversial points of the EU Data Act that govern data generation, use and sharing.
I know the revelations in the article are going to alarm some readers, so I would like to remind my audience that everything that you read is my interpretation and opinion at the time of writing and largely based on the EU Parliament's proposed amendments. I will also be following up with some more positive news on the opportunities it brings.
Below are the five points, which if passed will be very worrying for IoT businesses:
- The EU Data Act may put an end to data monetisation as we know it
- The EU Data Act may kill data brokers
- Organisations will no longer be able to use data for anything they want
- Organisations can’t hoard data anymore
- Organisations will need to tell users a lot more about what data they collect
The next sections will provide further details on each of these points.
The EU Data Act may put an end to data monetisation as we know it
Organisations sharing or selling raw data generated from a product or service they provide, without consent, aren’t going to be able to easily do this anymore, even if the data is anonymised.
The EU Data Act would stop the data holders freely sharing raw data with third parties for anything other than the contractual services to the user, unless the data is manipulated or aggregated in such a way that does not allow the identification of the specific data items.
If this passes it will cause massive concerns in the IoT space, where many business models heavily rely on monetising anonymous or de-identified data by selling it to third parties.
The proposed amendments to the EU Data Act will impact the ability to do this in a big way, potentially affecting the margins and operating models of organisations selling this data.
The EU Data Act may kill data brokers
There are a number of organisations, including data brokers, whose entire business models are based on access to raw data from connected products and services. The future of these organisations is going to be threatened by the changes outlined above, and whilst there are some potential solutions, they must start thinking about these now.
Organisations will no longer be able to use data for anything they want.
No more ‘free for all’ on data use. Companies have been spoiled when it comes to using data generated by a connected product or service and they have generally done so without restrictions. Organisations will now only be allowed to use data on the basis of a contractual agreement with the user and for limited purposes.
Data holders will only be able to make their own data use a contractual condition for the provision of the product, or service, if the data is needed for the functionality of the offering.
Whilst we have all got used to Data Protection and Privacy regulations, which require companies adhere to purpose limitation and minimisation principles, we have generally seen organisations producing, and using, infinite amounts of data and, as long as that data is not personal, they have been able to do so without transparency or needing to explain to themselves. In turn, organisations have created and hoarded data with vague and ill-defined uses, just in case!
If this amendment passes, it means that organisations are going to have to revisit their data strategy and will have to understand, in detail, what data is needed for the functionality of the product or service and what isn’t. If it isn’t strictly needed, they will have to give the user a lot more choice about whether or not it is used.
Organisations can’t keep data forever
Organisations acting as data holders will have to delete data when they are no longer necessary for the purposes contractually agreed.
Companies expect to have storage limitations for personal data, although five years on, it is questionable how many have effectively got to grips with this aspect of GDPR. One practical way that organisations currently operationalise storage limitation is by anonymising the data, rather than deleting it. They then use this data for any purposes they please, because it is out of scope for GDPR.
The EU Data Act clause would remove an organisation’s ability to use anonymisation as a technique for retaining the data because they will have to delete non personal data too. This is going to present some real challenges for organisations wishing to use this data beyond the contract with the user.
Organisations are going to have to tell users a lot more about what data they collect
Organisations generating data through the user’s interactions with a product or service are going to have to tell users a lot more about the data they generate.
Up until now, organisations have only been obliged to align with Data Protection regulation which imposes transparency requirements and gives individuals a right to be informed about what personal data is processed. This requirement has never extended to non personal data, so this is going to be a big leap, especially because many organisations are not exactly well versed in what they produce themselves.
If this part of the EU Data Act passes, organisations would have to give the user information on:
- The type of data, format, sampling frequency, the in-device storage capacity, and the estimated volume of accessible data which the connected product is capable of collecting, generating or otherwise obtaining.
- Whether the connected product is capable of generating data continuously and in real-time.
- Whether data will be stored on-device or on a remote server, including the period during which it shall be stored.
It will be interesting to see whether this kind of information ends up in the Privacy Notice or whether there will be a separate Notice or Statement.
What can you do to prepare?
Much of this might be unwelcome news to some organisations. On the plus side, there will be solutions to many of the above issues, and there are definitely some opportunities emerging from the EU Data Act. Organisations do need to start thinking about this sooner rather than later, because 18-24 months will seem like a very short time to prepare.
As I mentioned earlier, the EU Data Act has not passed and these clauses might not make it into the final draft, however it would be wise for companies to consider the following actions, which are likely to be useful not just for these controversial clauses, but also for broader compliance with the EU Data Act:
- If you are an IOT company or an organisation reliant on connected data, such as a data broker, or a motor insurer generating data through black boxes and dongles, get the EU Data Act at the top of your executive agenda and strategy discussions. Understand how these changes may disrupt your strategy or destroy assumptions that your current or future initiatives rely upon.
- Know what data you are producing - if you are compliant with GDPR, you might already know a lot about your personal data processing, but you will need to expand your knowledge and documentation to all data.
- Know what the data is used for. Ensure that you really understand whether it is required for the product/service functionality or whether it is more of an ancillary or ‘nice to have’ data collection.
- Start thinking about extending data minimisation to non personal data. Evidence says that most companies don’t even use the data they generate. If you don’t need the data, don’t generate it!
- Move your data retention and deletion strategy to the top of the priority list - GDPR went live five years ago and I know of many organisations that have still not successfully delivered this workstream. This is the time to get to grips with it.
If your organisation requires practical support navigating the proposed EU Data Act, please visit our LinkedIn page or www.dataactconsulting.com
Before close off, I would also like to highlight there are other areas of the Data Act that companies have been quite vocal in challenging, like concerns around trade secrets for example, but these have been widely documented and as such I didn't feel my views add much value to the commentary.
Credit Image by Pete Linforth from Pixabay
hello@article5consulting.com
article5consulting.com
Copyright Article 5 2023