Navigating the Data Act: Key Requirements and Implications for OEMS

Key Requirements, Implications and Challenges Under the Data Act


Cristina Cojocaru is a Data Privacy and Technology Lawyer with more than 15 years of experience in providing advice on issues surrounding data protection laws, IT law and digital services.

Automotive IQ interviewed Cristina to explore the key requirements and challenges that come with the Data Act.

Interview highlights include:

  • Potential conflicts between the Data Act and GDPR
  • The impact the Data Act has on third parties
  • New requirements and implications under the Data Act

Q: What are the new requirements and implications under the Data Act, and how will these affect OEMs operating in the automotive industry?

Cristina: The Data Act is designed to give the users of connected products and related services (and in specific circumstances third parties) access to the data generated by connected products and related services. If we look at the automotive industry only, the Data Act requirements come in addition to many other EU regulations governing the sharing of data from connected vehicles, which makes the Data Act implementation work even more complicated for OEMs.

The main Data Act requirements applicable to data holders (i.e., the vehicle manufacturers) can be summarised as follows:

  • Data access: data holders must allow direct or indirect data access to the data generated by the users of connected vehicles.
  • Third-party data sharing: data holders will be required to make available the data generated through the use of a connected vehicle to a third party (data recipient) when instructed by the users to share such data.
  • Transparency requirements: data holders will have to comply with new transparency obligations, ensuring that their users receive clear prior information on how their data will be used.
  • B2B data sharing: data sharing between businesses must take place under fair, reasonable and non-discriminatory terms and conditions and in a transparent manner.

Of course, there are subsequent requirements, but the above requirements will have a major impact on the OEMs since ensuring Data Act compliance in a three-party relationship (the OEMs, the users and the third parties involved) requires a very close collaboration between multiple teams and a significant amount of work.

Data Act requirements should be implemented in the design of connected vehicles and related services to ensure that data can be easily extracted (“access by design”). Consequently, OEMs must design the connected vehicle and related services in such a way to allow users to access the data securely, easily, and in real time as a standard feature.

Q: Which strategies should be prioritised in response to the Data Act?

Cristina: First of all, I recommend creating a task force, a cross-functional team including product, software, digital services and data privacy experts, to ensure a well-rounded approach. This team should work very well together, starting by identifying the data in scope versus the data out of scope of the EU Data Act.

Also, relying on an accurate data inventory is essential, data identification and classification being a key requirement. We should identify all data generated by the connected vehicles or related services, to be able to distinguish between in-scope data, out-of-scope data or mixed data sets containing both personal and non-personal data, creating clear data inventories.

Another priority should be users’ identification (e.g., individual users, business users who may have access to the data, and any potential third-party recipients) to design the most appropriate data access and data portability solutions.

Q: Which categories of data are within the scope of the Data Act, and which are out of scope? How can they be differentiated?

Cristina: In essence, in the context of connected vehicles, all data (be it personal or non-personal) that is generated through the use of the car and services connected to such use shall fall within the scope of the Data Act.

The Data Act text makes very clear that product data (e.g. all kinds of sensor data, camera data and various kinds of metrics like speed, engine/battery data, battery charge level, angular rate sensor data etc.) and related service data (e.g. information on remote engine start, remote locking, satellite/navigation/trip information, infotainment apps used, e.g. when music is played) are within the scope of the Data Act.

The categories of data out of scope are the “highly enriched data” such as derived data or data that results from additional investments, and data covered by intellectual property rights.

Based on the current guidance available, the following elements/examples could assist in determining whether data is in or out of scope of the Data Act:

  • Are additional investments made to generate the result of the data in question? If the answer is yes, then that data should be out of scope.
  • Is the data covered by intellectual property rights?
  • Is audio-visual material displayed through screens in the vehicle? Then this audio-visual material itself is out of scope.

Q: Can you share the potential areas of conflict between Data Act & GDPR in practice?

Cristina: The EU Data Act covers all types of data, personal and non-personal data. In practice it might be challenging to identify personal data versus non-personal data in the context of the vast amount of data generated by a smart vehicle.

The most important key element is that where the rules of the Data Act and the GDPR come into conflict, the GDPR (or national legislation adopted in accordance with the GDPR) always prevails.

In my view, a situation where we see a lack of alignment between these two regulations relates to the Data Act requirement to provide information to users before purchasing the connected product or service. This new obligation comes in addition to the obligations to provide information under Articles 13 and 14 GDPR. Overly long documents or repetitive legal disclosures might have a negative impact on the users since the users will be overwhelmed by the large amount of information provided to them.

Also, in practice, a problematic situation might involve the data access right under the Data Act, in addition to the GDPR data access right. The data access right under the Data Act can be exercised by any user, not only by the data subject, as defined by the GDPR.

Under the Data Act, a data holder must have a contract in place with the user defining the rights regarding the access, use and sharing of the data generated by the vehicle and its related service.

In this context, OEMs will have to find a solution for the cases when the user under the Data Act is a legal entity while the driver of the vehicle is an individual, and all personal data collected relates to the driver of that vehicle, not to the business user who purchased the vehicle (e.g. an employer that has purchased a smart vehicle used as a business vehicle by its employees).

Similarly, we have cases where the data access requests submitted under the Data Act might concern a vehicle used by multiple individuals, including a person who is not a member of the main user’s family.

Therefore, I think that in practice, we might see situations where we’ll have to assess very carefully each individual request, bearing in mind the data privacy rights of the concerned data subjects.

Q: How does the Data Act impact current data privacy strategies, especially when data needs to be shared with third parties?

Cristina: If users that are not the data subjects want to gain access to personal data of a data subject, the Data Act prescribes that Article 6 GDPR (identify and rely on a legal basis to process the personal data) should be adhered to.

If users demand disclosure of data to third parties, the OEMs must identify the most appropriate legal basis, ensuring that such a legal basis does exist in accordance with GDPR requirements. It’s necessary to review some specific use cases for establishing the most appropriate legal basis. Of course, data security measures should be considered as part of the overall data privacy strategy applied to such data sharing with third parties.

Q: If data must be shared with third parties, does this impact how they manage data privacy? Does it require data to be anonymised or labelled differently for privacy management?

Cristina: In general, any data sharing requires the implementation of specific safeguards to ensure data security. The OEM will be involved in a relationship between the user and a third party (e.g. a service repair shop), and when instructed by the user, there is an obligation to provide data. In short, the users will determine whether and how access to their data is granted to third parties. From this point of view, each data holder should ensure that:

a) Data is made available to a third party at the request of the user,

b) The correct legal basis to process personal data is identified, and

c) Proper data security measures are implemented to avoid any harm or operational risks.

The solution identified to ensure that connected vehicles and services are designed and manufactured to allow data to be accessed and shared easily and securely will have a significant impact on how each OEM will be able to manage the data privacy requirements.

Implementing technical and organisational measures, as well as contractual measures, is also important. The relationship between data owner and recipient must be contractually regulated, making clear that the data sharing instruction is given by the user. Each data controller is obliged to document that it obtained the right consent and instructions from the data users. The data holder should put in place NDAs and technical and organisational measures (TOMs) to clearly outline third parties’ access to data. Such measures should protect not only personal data, but also trade secrets.

Q: What solutions should automotive industry leaders implement to ensure security across all systems and processes?

Cristina: To comply with Data Act requirements, companies offering connected products must ensure fair data sharing while protecting data integrity.

Considering the vast amount of data generated by the connected vehicles and related services, including personal data processed, investing in data security infrastructure, robust data privacy programs and maintaining transparency in data operations are essential measures to be implemented.

OEMs should conduct and document regular audits to assess and ensure compliance with the Data Act requirements. The documentation should describe the measures taken, the processes implemented, the data privacy by design and by default requirements implemented in the design phase of the data access/data sharing mechanisms, and any specific measures taken to protect data privacy and security.

Implementation of strong data security measures such as data encryption, regular security audits to identify any vulnerabilities, stringent data access controls, multi-factor authentication etc., to protect data from unauthorized access and data breaches is paramount.

Demonstrating compliance through auditable trails and ensuring increased transparency over data processing practices and the security measures implemented would help not only from a regulatory point of view, but will also ensure customers’ trust in the products and services offered.