Table of Contents

Interaction with other EU law

• 1. How does the Data Act interact with the General Data Protection Regulation?
• 2. How does the relationship between the Data Act and the GDPR affect the enforcement and protection of personal data?
• 3. How does the Data Act interact with data-sharing obligations under other EU legislation?

Access to and use of data in the Internet-of-Things context

• 4. Which data are in scope?
• 5. What level of enrichment transforms raw and pre-processed data into inferred or derived data, excluding it from Chapter II?
• 5a. How does Chapter II apply to IoT data processed at the edge?
• 6. What does the exclusion of “content” from the scope of data under Chapter II mean?
• 7. What is a ‘connected product’?
• 8. What determines whether a connected product falls in scope of the Data Act?
• 9. What happens if a connected product that is placed on the EU market generates data when it is used abroad?
• 10. What is a ‘related service’?
• 11. What happens if a connected product is resold (‘second-hand connected products’)?
• 12. How do the obligations under Chapter II of the Data Act relate to mechanisms of conformity assessment or type approval?
• 13. Does applying privacy-enhancing technologies to achieve anonymisation or pseudonymisation result in derived or inferred data?
• 13a. How does anonymisation or severing the link between stored data and its connected product impact compliance with the Data Act?

Section on users

• 14. What are ‘users’?
• 15. Does the Data Act apply to users established outside the EU?
• 16. Can there be multiple users for a single connected product, and how should their access be governed?
• 17. How can I, as a user, access my data?
• 18. How does the Data Act complement the GDPR’s data portability rights?
• 19. In which situations can users monetise their non-personal data?
• 20. What are the options for users, especially consumers, if the right to access and use data is not properly exercised?

Section on data holders

• 21. Is a manufacturer always a data holder?
• 22. Does Article 3(1) oblige manufacturers of connected products to design or redesign their connected products so that users can access the data directly?
• 22a. What technical and practical requirements must data holders meet concerning criteria such as data format, quality and latency?
• 23. Does the new data access right affect the protection of trade secrets?
• 24. Can the protections that Articles 4, 5 and 6 provide for also apply in relation to data made directly available in the sense of Article 3(1)?
• 25. Does a data holder have to share data if there are safety/security concerns?
• 25a. What GDPR legal bases could the data holder rely on when replying to a request for data?
• 25b. Should the data holder verify that the user or third party has a valid legal basis under the GDPR before transmitting the data?
• 26. A non-compete clause for connected products has been introduced. Does this also apply to related services?
• 27. How are the interests of data holders protected?
• 28. Does the Data Act apply to manufacturers of connected products and providers of related services that are established outside the EU?
• 29. Are there any limitations on the data holder’s use of the data generated by the user?
• 30. How would a data holder be able to verify a legitimate user?
• 31. Does a data holder still need to share data with a third party upon request of the user where it has granted direct access to the user?
• 32. Can users request access to historical data that a data holder might be storing (e.g. when buying a second-hand sensor/machine)?
• 33. Can users request that data holders delete their non-personal data before selling a product to another user?
• 34. Can a company be both a user and a data holder at the same time?
• 34a. After the Data Act enters into application, can data holders continue to use data generated by connected products placed on the market before the application date?

Section on third parties

• 35. What can a third party do with the data they receive from a user/data holder in the context of Chapter II?
• 36. Can users oblige data holders to share data with Digital Markets Act gatekeepers?
• 37. Can someone established in a third country receive data on the basis of the data-sharing obligations under Chapter II?
• 38. Is it possible to differentiate between the data recipients and apply different licensing conditions?
• 39. Is there an upper limit to reasonable compensation?
• 40. Who can rely on the dispute settlement mechanism established by the Data Act and under which conditions?

Unfairness in business-to-business data-sharing contracts

• 41. What special provisions exist to help SMEs, given that they are often in a weaker negotiating position?
• 42. I think that the data-sharing contractual terms in my contract are unfair. What can I do?
• 42a. To which extent does the unfairness control in Article 13 of the Data Act apply to agreements or contracts that are primarily on another subject, but which contain provisions on data sharing?
• 42b) Does Chapter IV of the Data Act apply to contracts concluded before the Data Act started to apply?

Business-to-government data access

• 43. What qualifies as ‘mitigation of or recovery from’ a public emergency?
• 44. What does the term ‘equivalent conditions’ mean in the context of Article 15(1)(a)?
• 45. Could the new rights under the Data Act endanger data holders’ existing business models because a public sector body could request the data instead of purchasing it?
• 46. How can a data holder verify that a Chapter V request is justified and lawful?
• 47. Can a public body in one country request data from a data holder in a different country? Are the rights of the data holder fully protected in such a case?
• 48. Once data are made available following a request, do they become public sector information? Can the public sector body use them in any way it sees fit?
• 49. Can a request under Chapter V be made repetitively or simultaneously by different public sector bodies?
• 50. Could Chapter V be used by governments in a way that puts citizens’ fundamental rights in danger?
• 51. Can a public sector body be a ‘user’ of a connected product/related service under Chapter II?

Switching between data processing services

• 52. Which services are excluded from the scope of Chapter VI?
• 53. What is the difference between exportable data and digital assets? What do these concepts mean?
• 54. What is the deadline for providers to reduce switching charges so that they are limited to the costs they incur?
• 55. What does ‘free-tier offering’ mean?
• 56. How do the notice period and the transition period relate to one another?
• 57. How will the Commission create the common Union repository for the interoperability of data processing services?
• 58. What is the state of play regarding the standard contractual clauses for cloud computing contracts and what will they cover?
• 58a. Do the Data Act provisions on data processing services also apply to SaaS?
• 58b. Is the source provider responsible for assisting the customer in rebuilding their service in the ecosystem of the destination provider?
• 60. What is the aim of Article 32?
• 61. Does Article 32 cover international data transfers between or inside businesses?
• 62. What measures should data processing service providers implement to prevent unlawful governmental access to or transfer of data?
• 63. Which bodies can a data processing service provider consult before deciding whether to grant access or transfer data following a request from third country authorities?

Interoperability

• 64. Can the Commission impose common specifications instead of standards?
• 65. Is the Commission intending to replace existing (e.g. sectoral) standards?
• 66. Do the essential requirements in Article 36 affect national contract law?

Enforcement

• 67. What bodies should Member States put in place to ensure that the Data Act is enforceable?
• 68. Which public authority can help me if I consider that my rights under the Data Act are not respected?
• 69. What is the role of the Commission in the enforcement of the Data Act?
• 70. Are penalties harmonised across the EU?
• 71. When should a legal representative be designated? Is such a legal representative liable for non-compliance with the Data Act by companies outside the EU?

Next steps and future actions

• 72. When will the Commission publish the guidance on reasonable compensation?
• 73. What are the next steps regarding interoperability?
• 74. What is the state of play of the model contractual terms for data sharing and the standard contractual clauses for cloud computing contracts?