Skip to main content

5a. How does Chapter II apply to IoT data processed at the edge?

“Edge processing” involves processing data locally on the connected product itself, rather than on a remote server or cloud infrastructure. This approach is typically used for efficiency, reducing latency, and it is often a key feature of privacy-by-design architectures intended to minimise unnecessary data exposure. It is important to emphasise that the Data Act does not seek to override or weaken data protection or privacyfocused design principles. Chapter II of the Data Act requires data holders to make available all “readily available” data (i.e. raw or pre-processed data that is stored (even if temporarily), retrievable, or transmitted externally) from connected products and related services. If the design of a connected product inherently prevents external data storage or transmission, such data is not considered “readily available” (Recital 20). It is important to ensure that the effects of the Data Act enable users and third parties to benefit from data processed at the edge, where appropriate. By promoting transparency and fairness, the Data Act seeks to avoid situations where data holders retain exclusive benefits from derived insights while limiting user or third-party access to the underlying co-generated data. Obligations apply if raw or pre-processed data was at any point accessible or externally transmittable. If the connected product processes data exclusively locally without any external transmission, Chapter II obligations are in principle not triggered. Where connected products have the technical capacity for data storage or transmission (which may be evidenced by the ability to send processed or derived data via a SIM card or similar communication module to the data holder’s backend server), data holders should consider proportionate, technically feasible, and cost-effective mechanisms to ensure user or third-party access to the raw or pre-processed data. Possible solutions include dual data flows (simultaneous user access/transmission and internal processing), secure temporary buffering, encrypted local storage accessible by users, or time-limited retention period. Recital 22 acknowledges that connected products may be designed to enable data processing by the user or a third party on the connected product itself, on the manufacturer’s system, or within an ICT environment of the user’s or third party’s choice. Chapter II aims to ensure balanced sharing practices without imposing unreasonable technical or economic burdens. Compliance should realistically align with intended connected product design, legal obligations, and the broader objective of promoting a fair and competitive data economy.